Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > Virtualization Megathread V2: VMs inside VMs
 
  • Post
  • Reply
CampingCarl
Apr 28, 2008




 I have a couple VMs under vmware 6.7 that need to be deleted. The datastore for these is on a SAN along with a bunch of other VMs we want to keep but someone said we should DoD wipe them. It looks like VMware has a write zeroes function but I don't think that qualifies. Does booting the VM to a usb and wiping from there accomplish the same thing?

* # ¿ Jan 28, 2019 02:03
  • Quote
Adbot
ADBOT LOVES YOU

# ¿ May 19, 2024 22:17
  • Quote
CampingCarl
Apr 28, 2008

YOLOsubmarine posted:

Are you required for regulatory reasons to wipe them? Given that VSAN data may be re-distributed across disk groups for a number of reasons there’s no way to guarantee that you’ve actually cleared all data related to the VM from the drives without wiping the drives themselves at the bit level.

If you actually require the capability to securely wipe data from VMs from the drives without destroying the drives then you’d need to look at per-VM encryption where you could then encrypt the VM and shred the keys after deletion.
I will be asking tomorrow how much of this is required and how much was just 'someone heard of DoD wipe' or it needs to be to that level. Or if it even matters until we dispose of the drives.

Since this was a system setup before I started is that something we can migrate VMs to or has to be done at creation? That doesn't sound like something that would comply with regulatory compliance though. I think that would have to be something like separate sets of disk for each set of VMs.

* # ¿ Jan 28, 2019 03:23
  • Quote
CampingCarl
Apr 28, 2008

evil_bunnY posted:

What’s the underlying storage. Trying to wipe a CoW-backed volume is only gonna end in tears
Dell scv3000, don't see anything about cow in the manual but it is a concern and I would rather just assume it does.

I know getting iso27001 is a stated goal too so even if this is fine I may have to change the current system anyway.

* # ¿ Jan 28, 2019 19:48
  • Quote
CampingCarl
Apr 28, 2008

YOLOsubmarine posted:

You’d have to wipe every drive in the array. Neither the storage not the hypervisor have a complete picture of which blocks may have belonged to a particular VM at some point and have not yet been overwritten so there’s no facility for wiping only those blocks.

The correct question to ask is what are you trying to protect against? This currently sounds like a solution in search of a problem. Identify the actual problem and then work out a technically feasible solution.
Short term problem: wipe out the data as much as we can without impacting other projects with data on the SAN, from above I'm told this realistically means delete the VM and wipe/destroy the drives when they are no longer in use.

Long term problem: I know we have upcoming projects(some govt) that will require us to certify media is sanitized, overwrite three times before reuse or degauss/destroy, which as pointed out is hard to do when that could apply to every disk on the SAN. I think my worry is most of these refer to 'sanitizing before reuse' of the drive and I am not sure if that means at the end of the project or just when the drive leaves IT's possession. VM encryption seems like a practical solution we should use but I am unsure if that qualifies for sanitizing in these policies that say overwrite three times etc. I could just be overthinking this but also don't want our process to end up being 'we swear we will destroy the disk later' for compliance.

* # ¿ Jan 29, 2019 02:59
  • Quote
  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > Virtualization Megathread V2: VMs inside VMs