[RHEVM] "Wipe after delete" option of RHEV VM disk


Hi

Would anyone be able to tell me what the purpose of the "Wipe after delete" option is for a RHEV VM disk?
The documentation states "Enhanced security for deletion of sensitive material when the disk is deleted".
In my mind, this should be done by default, not as an option.

The alternative is what, exactly ?

Cheers

Responses

Hi Richard,

Wipe after delete will wipe the entire disk contents rather than just removing file references from the filesystem, i.e. it will '0' out the contents. Usually when you remove a file from a filesystem (in this case a virtual hard disk) the reference is removed and the blocks are marked as free, but the contents aren't wiped/removed from the blocks.

The reason this option exists is because if a VM (or virtual disk) is 'deleted' on a physical disk and a new VM (or virtual disk) created, a user in the new VM could potentially dump the contents of 'free space' and find sensitive information left over from the previous VM.

The downside to 'wiping' (and likely why it isn't configured by default) is that it is expensive with regard to IO/disk access/writes. Every block of the filesystem needs to be overwritten, which can take a long time to complete, depending on the disk subsystem.
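The reuse-of-freed-blocks problem described in the reply above, as an added example that is not part of the original thread and not RHEV/oVirt code: a toy storage pool whose allocator hands freed extents to the next disk created, the way a volume manager reuses physical extents. The `Pool` class, the 4 KiB extent size, the tenant names and the payloads (bytes shaped like an LVM2 label header, plus a marker string) are all constructed for the demonstration. Deleting without wipe leaves both readable on the next tenant's disk; deleting with wipe costs a full zero-fill of the freed extents, which is the write cost the reply mentions.

```python
# Added example: toy model of a shared storage pool with first-fit extent reuse.
# Not RHEV/oVirt code; names and sizes are assumptions made for the demonstration.

EXTENT = 4096  # bytes per extent; constructed size, not LVM's default


class Pool:
    """Flat byte array carved into contiguous extents, first-fit allocation."""

    def __init__(self, extents):
        self.data = bytearray(EXTENT * extents)
        self.free = [(0, extents)]  # (start_extent, length) runs, kept sorted
        self.disks = {}             # name -> (start_extent, length)
        self.bytes_zeroed = 0       # cost counter for the wipe path

    def create(self, name, extents):
        for i, (start, length) in enumerate(self.free):
            if length >= extents:
                self.disks[name] = (start, extents)
                if length > extents:
                    self.free[i] = (start + extents, length - extents)
                else:
                    del self.free[i]
                return
        raise RuntimeError("pool exhausted")

    def write(self, name, offset, payload):
        start, length = self.disks[name]
        if offset + len(payload) > length * EXTENT:
            raise ValueError("write beyond end of disk")
        base = start * EXTENT + offset
        self.data[base:base + len(payload)] = payload

    def read(self, name):
        """Dump the whole disk, as a guest could with dd from inside the new VM."""
        start, length = self.disks[name]
        return bytes(self.data[start * EXTENT:(start + length) * EXTENT])

    def delete(self, name, wipe_after_delete=False):
        start, length = self.disks.pop(name)
        if wipe_after_delete:
            # Overwrite every extent with zeros before releasing it. This is the
            # extra write the thread describes as the cost of the option.
            size = length * EXTENT
            self.data[start * EXTENT:(start + length) * EXTENT] = bytes(size)
            self.bytes_zeroed += size
        # Without the wipe only the mapping goes away; the bytes stay in place.
        self.free.append((start, length))
        self.free.sort()


def residue_visible_to_next_tenant(wipe_after_delete):
    """Create tenant-a's disk, fill it, delete it, then read tenant-b's new disk."""
    pool = Pool(extents=8)
    pool.create("tenant-a", 4)
    # Constructed payloads: bytes laid out like an LVM2 label header in sector 1
    # (id at offset 0, type string at offset 24) and a marker further into the disk.
    pool.write("tenant-a", 512, b"LABELONE" + bytes(16) + b"LVM2 001")
    pool.write("tenant-a", 8000, b"TENANT-A-SECRET")
    pool.delete("tenant-a", wipe_after_delete=wipe_after_delete)
    pool.create("tenant-b", 4)  # first-fit hands back exactly the freed extents
    disk = pool.read("tenant-b")
    return {
        "lvm_label": b"LABELONE" in disk,
        "secret": b"TENANT-A-SECRET" in disk,
        "bytes_zeroed": pool.bytes_zeroed,
    }


if __name__ == "__main__":
    for wipe in (False, True):
        print("wipe_after_delete=%s -> %s" % (wipe, residue_visible_to_next_tenant(wipe)))
```

The model deliberately ignores filesystem-level recovery; it only shows the block-level reuse path, which is the one a guest can exploit by dumping its own new disk. The `bytes_zeroed` counter is the whole cost of the option in this model: one full write of the freed space per deletion.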

Thanks for your reply.
I'm pretty sure most RHEV customers would far rather take the performance hit on the storage subsystem than face a potential data security risk. A majority of industries would see this as an absolute necessity rather than an option.

I'm also hearing that merged(removed) VM snapshots are only wiped if the “Wipe after delete” option is taken on the related vDisks. Sadly, on 3.2.2 the only way to retrospectively change the option is with the VM offline.

The reason for this question is that we have experienced exactly what you describe. That is, a new vDisk was created and attached to a VM only to then find that it contained readable LV metadata. Upon inspection, the data related to a completely different VM.
We can deal with this internally as an organisation, but what if the same were to happen on a public/hybrid cloud?

Cheers

I agree that an explanation of the risk should be more prominent. In many environments this would pose no risk/issue due to the nature of the VMs being created, but I completely agree that for a multi-tenanted VM farm the wipe option would be a necessity.

Interesting that you mention LVM metadata as one of the issues, I have had problems in the past (not specifically RHEV related) with residual LVM data on a broken RAID... definitely something to keep an eye out for.

Hey Richard:

  1. To set "Wipe after delete" as the default option, you can use the SANWipeAfterDelete option in rhevm-config. For example, to enable that as the default option, you would run:

    rhevm-config -s SANWipeAfterDelete=true
    service ovirt-engine restart
    
  2. The most common reason to use "Wipe on delete" is to zero out the data for security purposes. It shouldn't be required just to get a clean disk (without metadata). To be honest, I can't think of a scenario where creating a new vDisk and attaching it to VM would show existing metadata. This definitely sounds like something we should look into a bit more. I recommend opening a case on this. Are you able to recreate the scenario easily?
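A way to check a freshly created vDisk for leftovers, which is the observation Richard reported earlier (readable LV metadata on a new disk) and the recreation the reply above asks about. This is an added example, not Red Hat tooling: it reads a block device or image sequentially, counts non-zero bytes, and reports every offset of the LVM2 physical-volume label id `LABELONE` (normally at byte 512, the start of sector 1, of a PV). The chunked read carries the tail of each chunk forward so a signature split across a chunk boundary is still found. The function names and the 3 MiB sample image are assumptions/constructed for the demonstration.

```python
# Added example: scan a new vDisk (from the guest or from the hypervisor) for
# residual data. Not RHEV/oVirt tooling; names and the sample image are constructed.
import io
import sys

LVM_LABEL_ID = b"LABELONE"  # LVM2 PV label id, expected at byte 512 of a PV


def scan_device(fobj, chunk_size=1 << 20):
    """Read a block device or image sequentially; return residue statistics."""
    nonzero_bytes = 0
    label_offsets = []
    consumed = 0   # bytes read before the current chunk
    carry = b""    # tail of the previous chunk, so a split signature is still seen
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        nonzero_bytes += len(chunk) - chunk.count(b"\x00")
        window = carry + chunk
        window_start = consumed - len(carry)
        pos = window.find(LVM_LABEL_ID)
        while pos != -1:
            label_offsets.append(window_start + pos)
            pos = window.find(LVM_LABEL_ID, pos + 1)
        consumed += len(chunk)
        # Keep len(sig)-1 bytes: a match starting inside the carry must extend
        # into the next chunk, so nothing is counted twice.
        carry = window[-(len(LVM_LABEL_ID) - 1):]
    return {"bytes_read": consumed, "nonzero_bytes": nonzero_bytes,
            "lvm_label_offsets": label_offsets}


def is_clean(result):
    """A freshly created disk that was wiped should be all zeros."""
    return result["nonzero_bytes"] == 0 and not result["lvm_label_offsets"]


def make_sample_image(with_leftovers=True):
    """Constructed 3 MiB image standing in for a new vDisk. With leftovers it has
    a label in sector 1, a label straddling the 1 MiB chunk boundary, and a marker."""
    img = bytearray(3 * 1024 * 1024)
    if with_leftovers:
        img[512:520] = LVM_LABEL_ID
        boundary = (1 << 20) - 4
        img[boundary:boundary + 8] = LVM_LABEL_ID
        img[2_000_000:2_000_015] = b"TENANT-A-SECRET"
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    # Usage on a real disk (needs read access to the device): python3 scan.py /dev/vdb
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_image()
    with src:
        result = scan_device(src)
    print(result, "clean" if is_clean(result) else "RESIDUAL DATA PRESENT")
```

Run it against the new disk before the guest writes anything to it; a wiped disk should report zero non-zero bytes. A non-zero count alone is only evidence of reuse, so the label offsets are what you would attach to a support case when recreating the scenario.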
