Is deletion of data or snapshot deemed secure similar to Linux shred?

Question

question

Dex asked Mar 17, '22 Erick Ramirez answered Mar 21, '22

Is deletion of data or snapshot deemed secure similar to Linux shred?

Hi All!

I'm potentially working with Cassandra as a store for some sensitive data. This data I want to be able to delete securely (securely meaning that the data is irrecoverable from the storage e.g similar to the shred command in Linux), I think there are 2 scenarios where this will need to happen.

1. When I delete a record (a tombstone is entered and the compaction will complete it) - does this securely remove it?

2. When I remove a snapshot using:

nodetool clearsnapshot

If anyone is able to shed some light on these 2 scenarios and whether or not they are deemed "secure", or if anyone has had to handle this requirement before, it would be greatly appreciated.

Many thanks!

Dex

security

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

DataStax Enterprise is powered by the best distribution of Apache Cassandra ™

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Privacy Policy Terms of Use

Answer 1 · 2022-03-21T00:37:48Z

Erick Ramirez answered Mar 21, '22

When deleted data is eventually compacted out, the corresponding SSTable is deleted from the disk by Cassandra using the Java NIO library. This effectively means that the deletion is done at the filesystem level, that is, only the inode for the SSTable file *-Data.db (and inodes for the associated component files including *-Index.db and *-Statistics.db among others) is changed or marked for deletion with the disk blocks released so they could be reused/overwritten for new files but those disk blocks are not immediately scrubbed of their contents.

Similarly when snapshots are cleared, the operation only releases the inodes -- the underlying blocks on the filesystem do not get changed immediately. Using some advanced disk utilities, it is possible to inspect the disk blocks and retrieve their contents.

DataStax Enterprise (DSE) has a feature called Transparent Data Encryption (TDE) where data-at-rest is encrypted so the contents of SSTables are not accessible without the decryption keys. The alternative for open-source Cassandra clusters is to use volume-encryption software. Cheers!

Share

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

question