2

I need to implement Gutmann's algorithm for secure erasing some data in a database table. First of all, is it effective in a database?

I'm not sure about the 35 steps. For 1-4 and 32-35 it's clear: generate some random data. But I'm not sure about steps 5-31. In the Wikipedia table, 3 bytes are given for each step; these steps are run in random order, some of them are the same, some differ. See the 8th step, in hex: 49 24 92. Now let's say I have a column I want to erase whose length is 25 bytes. How do I proceed on a 3-byte basis? What about the 25th byte?

braincell
    That algorithm is for erasing a disk drive. There's no way to securely erase a database column (or any other component inside a database implementation). – Hot Licks Jan 19 '12 at 19:56
  • What do you mean by securely erasing a database? Can you elaborate? – kosa Jan 19 '12 at 19:59
  • No database erasing, erase data of some table's column. If it works for files, why shouldn't it work in a database? Or, at least there should be a method... – braincell Jan 19 '12 at 20:03
  • @braincell: What Hot Licks is saying is that unless your database allows you a method of locking a row location on disk, the problem isn't solvable. The problem is to protect against an attacker with direct disk access. Even a row lock in the database doesn't necessarily guarantee that the data still resides on disk where it did before. So, overwriting random bits in a database may not eliminate the security threat from the attacker with direct access. If your db does have such low-level lock guarantees, you can try the technique. – ccoakley Jan 19 '12 at 20:13
  • I would assume that if the DB has some sort of low-level support for this it would implement the complete secure erase protocol. But it would be difficult at best, as the DB would generally have to "scrub" all unused (but possibly previously used) space in its allocation (and never have unallocated any space). – Hot Licks Jan 19 '12 at 20:24
  • http://superuser.com/questions/70507/securely-delete-mysql-database – Mike Samuel Jan 19 '12 at 20:53
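On the mechanical part of the question (how a 3-byte pattern covers a 25-byte value), the patterns in the Wikipedia table are repeating bit sequences, so they are simply tiled cyclically over the buffer and the last partial cycle is cut off: byte 25 receives the first byte of the pattern. The script below is an added example, not code from the question or from Gutmann's paper; it builds the 35 passes (4 random, the 27 fixed patterns in random order, 4 random) for a buffer of any length and applies them to an in-memory `bytearray`. The `seed` parameter is an assumption added only so the pass order is reproducible for a demonstration; a real wipe uses OS randomness. Note that, as the comments say, overwriting a column value through SQL does not guarantee the old bytes on disk are touched, so this shows the pattern logic, not a database wipe.

```python
import random

# The 27 fixed Gutmann patterns (passes 5-31) as 3-byte units, in the order
# of the Wikipedia table. The 1-byte patterns (0x00..0xFF) are written as
# three repeated bytes so every entry tiles the same way.
GUTMANN_PATTERNS = [
    b"\x55\x55\x55", b"\xaa\xaa\xaa",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x00\x00\x00", b"\x11\x11\x11", b"\x22\x22\x22", b"\x33\x33\x33",
    b"\x44\x44\x44", b"\x55\x55\x55", b"\x66\x66\x66", b"\x77\x77\x77",
    b"\x88\x88\x88", b"\x99\x99\x99", b"\xaa\xaa\xaa", b"\xbb\xbb\xbb",
    b"\xcc\xcc\xcc", b"\xdd\xdd\xdd", b"\xee\xee\xee", b"\xff\xff\xff",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x6d\xb6\xdb", b"\xb6\xdb\x6d", b"\xdb\x6d\xb6",
]
assert len(GUTMANN_PATTERNS) == 27


def tile_pattern(pattern: bytes, length: int) -> bytes:
    """Repeat `pattern` cyclically until `length` bytes are filled.

    A 3-byte pattern over 25 bytes gives 8 full cycles plus one byte, so the
    25th byte is pattern[0] (0x49 for the 8th pass, 49 24 92)."""
    reps = length // len(pattern) + 1
    return (pattern * reps)[:length]


def gutmann_passes(length: int, seed=None) -> list:
    """Return the 35 overwrite buffers for a value of `length` bytes.

    Passes 1-4 and 32-35 are random; passes 5-31 are the fixed patterns,
    shuffled into a random order as Gutmann's method specifies.
    `seed` (assumed parameter) is only for reproducible demonstrations."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()

    def random_buf() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(length))

    fixed = list(GUTMANN_PATTERNS)
    rng.shuffle(fixed)
    passes = [random_buf() for _ in range(4)]
    passes += [tile_pattern(p, length) for p in fixed]
    passes += [random_buf() for _ in range(4)]
    return passes


def wipe_in_place(buf: bytearray, seed=None) -> int:
    """Overwrite `buf` with all 35 passes in order; returns the pass count."""
    count = 0
    for data in gutmann_passes(len(buf), seed):
        buf[:] = data  # each pass replaces every byte of the value
        count += 1
    return count


if __name__ == "__main__":
    value = bytearray(b"constructed 25-byte value")  # constructed sample input
    assert len(value) == 25
    print("pass 8 tiled over 25 bytes:", tile_pattern(b"\x49\x24\x92", 25).hex())
    print("passes applied:", wipe_in_place(value, seed=1))
```

Each pass must actually reach the medium to mean anything; for a file that is an `fsync` after every write, and for a database column there is no equivalent guarantee, which is the point the answers below make.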

2 Answers

3

Unfortunately, the problem is that the only way to securely erase data that resides on a disk is to "wipe" any unused sectors on the drive. This works okay for file-based solutions, as when you delete a file, the OS marks the sectors as being available (ie: unused) and consequently, you can wipe them.

The problem with a database is that you do not have control over the actual file structure; the DB abstracts all that for you. So for instance, you might delete data from a column or a row in a db, but depending on how the DB handles deletes, the sectors on which the data originally resided may still be marked in use by the DB. Since all data for the table remains as part of the same file (ie: the DB's persisted file state), there is no way to determine where that data originally lay on the disk, and furthermore, no way to ensure that the DB hasn't already reclaimed that space for something else.

Even if you were to securely write/erase/rewrite the same field in the DB there is no guarantee (and actually fairly unlikely) that the data would be written to the same sector on the drive.

All this being said, there have been several studies made which indicate that recovering deleted/overwritten data (as opposed to just freed sector space) from magnetic media is, although theoretically possible, highly problematic and unlikely to be successful.

Keep in mind that the principles of secure wiping of data change significantly when dealing with SSDs (as the sectors in use can change to ensure even distribution of data writes) and even in some RAID devices.

Unfortunately, with SSDs, I do not know if there is any solution to ensure that all sectors have been completely cleaned. With RAID, you need to break the RAID and then secure wipe each drive independently to be sure.

Eric B.
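The point made in this answer (a DELETE through SQL only marks the record's space as reusable and leaves the bytes inside the database file) can be observed directly with SQLite. The script below is an added example using Python's standard `sqlite3` module; it is not code from the answer or from any database vendor. It inserts a constructed marker string, deletes the row, closes the database and scans the raw file for the marker, once with SQLite's real `PRAGMA secure_delete` turned off (the usual default) and once turned on. With it off the marker survives the DELETE; with it on SQLite zeroes the freed record space. Even the second case only cleans the file's logical contents: the filesystem, the rollback journal and the drive itself may still hold earlier copies, which is exactly why the answer says column-level wiping cannot be guaranteed.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for a sensitive column value (not real data).
MARKER = "CONSTRUCTED-SECRET-7f3a9c"


def delete_and_scan_file(secure_delete: bool) -> bool:
    """Insert MARKER, DELETE the row, then scan the raw .db file for it.

    Returns True if the deleted value's bytes are still present in the file,
    i.e. the DELETE merely unlinked the record and left its content behind."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        conn = sqlite3.connect(path)
        # secure_delete=ON makes SQLite overwrite freed record space with
        # zeros; OFF only adds the space to the page's free list.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, card TEXT)")
        conn.execute("INSERT INTO customer (card) VALUES (?)", (MARKER,))
        conn.commit()

        conn.execute("DELETE FROM customer WHERE card = ?", (MARKER,))
        conn.commit()
        # As far as SQL is concerned the row no longer exists...
        remaining = conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]
        conn.close()
        assert remaining == 0

        # ...but the file may still contain its bytes.
        with open(path, "rb") as f:
            return MARKER.encode() in f.read()


if __name__ == "__main__":
    print("secure_delete=OFF, marker still in file:", delete_and_scan_file(False))
    print("secure_delete=ON,  marker still in file:", delete_and_scan_file(True))
```

The same experiment can be repeated with an UPDATE that overwrites the value in place; where SQLite puts the new record on the page is an allocation decision the caller does not control, which is the answer's next point about rewriting the same field.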
0

For what it's worth, I'd like to mention this paper http://dl.acm.org/citation.cfm?id=1496285 which basically states that on today's disks you don't need more than two passes, usually one is enough. I know it does not answer the question of how to achieve this for a database, and I would second all the comments that this seems impossible to do on the SQL level.

stryba
  • There has been recent talk about HD manufacturers using h/w based encryption when writing data to the drive such that the need to wipe a drive when disposing of it becomes a thing of the past, but rather all that would be required is to change the encryption key. It would be the equivalent of an instant wipe. Of course, this would only be of use when wiping an entire drive and not just some freed space. – Eric B. Jan 19 '12 at 21:16
  • Interesting, I have to admit I don't follow the recent developments in HD technology that closely though – stryba Jan 20 '12 at 12:51