6

In modern file systems (and on modern SSDs) there is no guarantee that if you write over a file using a traditional utility (such as dd) that the data will be overwritten in-place and journaled backups destroyed. As a result, the data could possibly be recovered. So, after a little research I figured that mounting a temporary ramfs (tmpfs was ruled out due to the potential for it to swap) would be the way to go:

# mkdir -p /mnt/tmp/ram
# mount -t ramfs -o size=[size, but ramfs grows as needed] ramfs /mnt/tmp/ram
# [create the sensitive data, secure it, copy out secured data]
# umount /mnt/tmp/ram

Q1: Does unmounting a ramfs destroy the data contained within it?

Q2: If the data is not guaranteed to be destroyed, is there any feasible way to recover said data (or am I just being paranoid)?

Q3: If the data is recoverable, would

# dd if=/dev/zero of=/mnt/tmp/ram/[filename]

destroy the data properly or is ramfs not guaranteed to overwrite files in-place?

Constraints: The system cannot be forced to reboot before/during/after these operations.

In case you're curious, the "sensitive data" in this case is the unsalted, unhashed usernames+passwords for a pam database. The "secured data" is the salted/hashed database, which would end up on the primary drive. I do not want the sensitive data to touch the drive (as I am using ext3 - which cannot guarantee the data will be unrecoverable without wiping the entire partition as far as I understand).

If you know a better way to go about doing this, please enlighten me, thanks.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
Schives
  • 699
  • 4
  • 12

1 Answers1

5

Q1: Yes

Q2: It is not feasible to recover the data. Nevertheless, if you want to be extreme you could do it like this :)

  1. Create some space in ram: mkdir ram mount -t ramfs -o size=1000M ramfs ram/
  2. Create some randomly filled file which we encrypt in that RAM space. Being filled with random data it will be impossible to establish boundaries between random and encrypted data. dd if=/dev/urandom of=ram/test bs=1M count=512
  3. Setup encription cryptsetup -y luksFormat ram/test cryptsetup luksOpen ram/test encypted
  4. Format and mount the new secure space: mkfs.ext4 /dev/mapper/encypted mkdir securedir mount /dev/mapper/encypted securedir/
  5. Umont securedir/ and then ram/ to loose the data until the end of time. umount securedir/ umount ram/
Bogdan
  • 966
  • 1
  • 6
  • 12
  • Worked well enough, walking the ram location immediately after showed nothing but garbage, +1 and accepted answer. – Schives Mar 24 '16 at 05:52