[dm-crypt] SSDs & flash... and secure keyslot erase

Thomas Bächler thomas at archlinux.org
Fri Aug 24 17:23:05 CEST 2012


Am 24.08.2012 17:06, schrieb Milan Broz:
> For now LUKS keyslot deletion is the same as 2) but there is "secure discard"
> in Linux supported already which should guarantee that data (and all its copies
> inside the drive) is wiped (zeroed).
> 
> Next release of cryptsetup will try to run this erase on non-rotatinal disks
> for keyslots. (But most of drives do not support it yet anyway.)

How can I find out if my SSD supports this?

> Also the situation is complicated if image is not disk, but file in filesystem or there
> are more device layers (sw RAID, thin provisioning).
> For disk image, we can try to use "punch hole" mechanism.
> 
> But there is no perfect solution.

Interesting write-up. If you are really paranoid, it seems you must back
up all data, perform ATA security erase and put the data back on the
disk (and then perform ATA security erase on the backup).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20120824/0ccf6159/attachment.asc>


More information about the dm-crypt mailing list