We have a Windows Server guest OS running on vSphere which has logical drives that ultimately reside on a 3PAR SAN. An auditor has suggested that after deleting sensitive files on the VM, we should use Microsoft's cipher.exe on the VM to "wipe free disk space".

Given all the layers of abstraction between cipher.exe and the physical disk (guest file system, host file system, SAN, RAID, drive controller) I'm assuming the odds that the application will actually be able to overwrite the physical disk sectors containing the sensitive data are almost nil.

Is there an API or tool that allows an administrator to initiate secure file deletion? I imagine it would have to be implemented at the Windows guest OS level so that the information required to satisfy the request could be passed down through the software stack to the physical drive.

Robb Smith
2 Answers

Given all the layers of abstraction between cipher.exe and the physical disk (guest file system, host file system, SAN, RAID, drive controller) I'm assuming the odds that the application will actually be able to overwrite the physical disk sectors containing the sensitive data are almost nil.

I'm not sure this assumption is easily provable.

If you are interested in a utility that is slightly more thorough, SysInternals SDelete is the only other Microsoft-provided utility that I am aware of.

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

Greg Askew
  • I've found out that when a file is deleted, Windows 2012 and later will generate what are called Unmap hints for the storage array, which inform the storage array that the sectors are no longer required and can be reallocated. As such, there is no guarantee that the sectors being overwritten by subsequent runs of cipher.exe or sdelete.exe are the same sectors that originally contained the deleted files. – Robb Smith Dec 18 '19 at 23:03
  • @RobbSmith: guarantees are meaningless unless someone is prepared to prove it and provide money. Cipher and SDelete are reasonable forms of securing free space. What you are asking for is not measurable or practical. – Greg Askew Dec 19 '19 at 12:59
  • I'm not looking for ironclad guarantees, simply a plausible explanation of how something like SDelete could possibly work if there isn't a mechanism for it to ask the SAN array to perform secure deletion. – Robb Smith Dec 20 '19 at 16:34
  • @RobbSmith If Windows identifies your storage as [thin provisioned](https://serverfault.com/q/892446/126632) (for network storage) then everything has been passed properly from bottom to top and unmap will work (providing the SAN supports it! but you'd have to have some really old storage...) – Michael Hampton Dec 08 '20 at 15:24
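The comments above turn on two guest-side facts an administrator can actually inspect: whether Windows classifies the presented disk as thin provisioned, and whether NTFS is sending delete notifications (unmap hints) down the stack at all. The following PowerShell is an added example, not from the question or either answer, and is not a tool the page recommends; it collects those two facts, runs the `cipher /w` free-space overwrite the auditor asked for, and then asks the storage stack to release the freed clusters. The drive letter is a placeholder, the session must be elevated, and the `Optimize-Volume -ReTrim` step is my addition to make the guest's and the array's view of free space agree, which the page itself does not discuss.

```powershell
# Added example (not from the question or answers). Guest-side checks and the
# free-space wipe discussed on this page. Drive letter is a placeholder; run
# from an elevated PowerShell session on the Windows guest.
$Drive = 'C'   # placeholder: the volume that held the deleted files

# 1. Does the guest pass TRIM/UNMAP ("delete notifications") to the storage stack?
#    DisableDeleteNotify = 0 means NTFS sends unmap hints; 1 means it does not.
#    Newer builds print one line for NTFS and one for ReFS, so join them.
$notify = (fsutil behavior query DisableDeleteNotify) -join ' | '
Write-Host "Delete-notification setting: $notify"

# 2. How does Windows classify the disks the hypervisor presents?
#    ProvisioningType 'Thin' is the condition under which the comments above
#    say unmap is passed all the way down; 'Fixed' means the guest will not
#    treat the disk as thin provisioned regardless of what the SAN does.
Get-Disk | Format-Table Number, FriendlyName, BusType, ProvisioningType, Size -AutoSize

# 3. Overwrite unallocated clusters inside the guest file system (the
#    cipher.exe step the auditor suggested). cipher /w writes three passes
#    (0x00, 0xFF, random) over free space only; allocated files are untouched.
$before = (Get-Volume -DriveLetter $Drive).SizeRemaining
$target = "${Drive}:\"
cipher.exe /w:$target

# 4. Ask the storage stack to release the now-free clusters (TRIM/UNMAP).
#    Only meaningful if step 1 showed delete notifications enabled and step 2
#    showed the disk as thin provisioned; otherwise the request stops in the guest.
Optimize-Volume -DriveLetter $Drive -ReTrim -Verbose

$after = (Get-Volume -DriveLetter $Drive).SizeRemaining
Write-Host ("Free space before / after wipe: {0:N0} / {1:N0} bytes" -f $before, $after)
```

Read the output of steps 1 and 2 before trusting step 3: if delete notifications are disabled or the disk is reported as Fixed, the guest has no channel to tell the array which blocks were freed, and the overwrite in step 3 is confined to whatever physical blocks the array happens to map to the guest's free clusters at that moment. Steps 3 and 4 take minutes to hours on a large volume and fill the volume to capacity while running, so schedule them outside peak hours.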
You can delete individual files by encrypting them with ccrypt before deleting them. ccrypt does not create a copy of the file. Instead it encrypts the file by overwriting the current data. After encryption, delete the file; without the password, the original file data can't be recovered.

NickSoft
  • *Instead it encrypts the file by overwriting the current data.* And if the back-end storage is implemented with copy-on-write semantics? – Andrew Henle Dec 15 '20 at 11:07
  • ... then it wouldn't work ... probably – NickSoft Dec 23 '20 at 08:23
  • If it were Linux I would suggest creating a file and mounting it as encrypted storage, but I'm not sure if you have that option with Windows. I read it's a VM, so you can just encrypt the disk filesystem, so data is always sent encrypted to the SAN – NickSoft Dec 23 '20 at 08:32