[linux-lvm] Snapshots & data security

Stuart Gathman stuart at gathman.org
Wed Jul 20 12:01:45 UTC 2016


On 07/19/2016 11:28 AM, Scott Sullivan wrote:
>
> Could someone please clarify if there is a legitimate reason to worry
> about data security of a old (removed) LVM snapshot?
>
> For example, when you lvremove a LVM snapshot, is it possible for data
> to be recovered if you create another LVM and it happens to go into
> the same area as the old snapshot we lvremoved?
>
> If this helps clarify, do we have to worry about security scrubbing a
> LVM snapshot for data security ?
Yes, the snapshot LV will contain (obsolete) copies of any sectors
(actually chunks) written to during the life of the snapshot.

However, you still have the live data in the same VG, so it doesn't
present any additional exposure.  Anyone with access to the raw disk can
just read the live LV as well as the snapshot. 

Your real question, however, is probably about creating a new LV, and
whether reading that new LV will read old contents of the disk.
Allocating a new LV only zeros the first 4k of the volume.  Reading the
LV will pick up all the leftover garbage from previous contents - a Very
Bad Thing security wise.   This is arguably a bug. 

Solutions I've seen proposed:

1) use dd to zero the volume after allocating - this is what you should
do today

2) allocate a snapshot of an existing image - this solves the security
problem but has performance problems

3) LVM should have an option to logically zero a new LV - this is simple
in concept, but maybe not so trivial to make bug free.  The LV allocates
a bitmap of all the chunks.  All chunks return zeros until written to. 
A 100G LV with 65k chunks would need only 200K for the bitmap - so the
overhead is quite small.  You could even keep the bitmap in chunks that
have never been written to, with a pointer in metadata, moving it around
as necessary - but that would be even harder to make bug free.
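
The three behaviours discussed in this reply, as an added toy model written for this page (it is not LVM's code and not the poster's): a volume group is a pool of fixed-size chunks, `lvremove` only returns chunk indexes to the free list, and a new LV placed on the same chunks reads the previous contents. The plain LV shows the exposure, `zero_all` stands in for solution 1 (`dd` from `/dev/zero`), and `LogicallyZeroedLV` sketches solution 3 with a one-bit-per-chunk bitmap. The 64 KiB chunk size is assumed because it is what the post's 100G/200K arithmetic implies; the pool size, allocation policy and "secret" payload are constructed.

```python
# Toy model of LVM chunk reuse after lvremove. Added illustration for this
# thread, not LVM's own code. Chunk size, pool size, first-fit allocation
# and the secret payload are all constructed assumptions.

CHUNK = 64 * 1024  # 64 KiB per chunk (assumed; matches 100 GiB -> 200 KiB bitmap)


class VolumeGroup:
    """Pool of physical chunks; lvremove frees indexes but never wipes data."""

    def __init__(self, n_chunks):
        self.chunks = [bytes(CHUNK)] * n_chunks  # a brand-new disk reads as zeros
        self.free = list(range(n_chunks))

    def allocate(self, n):
        # First-fit: the lowest free chunks go out first, so a new LV tends to
        # land exactly where a just-removed LV used to be.
        taken, self.free = self.free[:n], self.free[n:]
        return taken

    def release(self, idx):
        self.free = sorted(self.free + idx)  # contents are left untouched


class PlainLV:
    """Behaviour the post describes: reads go straight to the physical chunks."""

    def __init__(self, vg, n):
        self.vg, self.idx = vg, vg.allocate(n)

    def write(self, i, data):
        self.vg.chunks[self.idx[i]] = data.ljust(CHUNK, b"\0")[:CHUNK]

    def read(self, i):
        return self.vg.chunks[self.idx[i]]

    def remove(self):
        self.vg.release(self.idx)

    def zero_all(self):
        # Solution 1: overwrite every chunk, like dd if=/dev/zero of=/dev/vg/lv
        for i in range(len(self.idx)):
            self.write(i, b"")


class LogicallyZeroedLV(PlainLV):
    """Solution 3: a written-chunk bitmap; unwritten chunks read back as zeros."""

    def __init__(self, vg, n):
        super().__init__(vg, n)
        self.written = bytearray((n + 7) // 8)  # one bit per chunk

    def write(self, i, data):
        self.written[i // 8] |= 1 << (i % 8)
        super().write(i, data)

    def read(self, i):
        if self.written[i // 8] & (1 << (i % 8)):
            return super().read(i)
        return bytes(CHUNK)  # never written through this LV: hide leftovers

    def bitmap_bytes(self):
        return len(self.written)


def bitmap_overhead_bytes(lv_bytes, chunk_bytes=CHUNK):
    """Bytes of bitmap needed to track one bit per chunk of an LV."""
    return ((lv_bytes // chunk_bytes) + 7) // 8


def demo():
    vg = VolumeGroup(16)
    secret = b"SECRET KEY MATERIAL"  # constructed payload

    old = PlainLV(vg, 4)
    old.write(2, secret)
    old.remove()  # lvremove: chunks go back to the pool, data stays

    reused = PlainLV(vg, 4)  # gets the same four chunks back
    leak = reused.read(2).startswith(secret)
    reused.remove()

    safe = LogicallyZeroedLV(vg, 4)  # same chunks again, bitmap all zero
    bitmap_reads_zero = safe.read(2) == bytes(CHUNK)
    physical_still_there = vg.chunks[safe.idx[2]].startswith(secret)
    safe.write(2, b"new data")
    bitmap_shows_new_writes = safe.read(2).startswith(b"new data")
    safe.remove()

    scrubbed = PlainLV(vg, 4)
    scrubbed.zero_all()  # solution 1 applied right after allocation
    dd_clean = all(scrubbed.read(i) == bytes(CHUNK) for i in range(4))

    return {
        "leak": leak,
        "bitmap_reads_zero": bitmap_reads_zero,
        "physical_still_there": physical_still_there,
        "bitmap_shows_new_writes": bitmap_shows_new_writes,
        "dd_clean": dd_clean,
    }


if __name__ == "__main__":
    print(demo())
    print("bitmap for a 100 GiB LV:", bitmap_overhead_bytes(100 * 1024**3), "bytes")
```

`bitmap_overhead_bytes(100 * 1024**3)` reproduces the post's figure (204800 bytes, i.e. 200 KiB) for 64 KiB chunks. Note that the bitmap only hides the old contents from readers of the new LV; the physical chunks still hold them, which is why the model reports `physical_still_there` as true. Anyone who can read the raw PV gets the data either way, exactly as the reply says about the live LV and its snapshot; only an actual overwrite (solution 1) changes what is on disk.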
