How to properly destroy a dataset so it can't be recovered

[agudo]

Hi,

I have a big pool which multiple datasets in my FreeNAS 11.3 server.

I would like to remove one of the datasets (and its snapshots) in a way the data within the dataset can't be recovered.

In the FreeNAS userguide is mentioned that deleting the dataset is an "irreversible action and will also delete all snapshots for the dataset".

I am wondering if this is really true and if is possible to really delete the data in the physical disks (zero out) without wiping out the whole pool.

Many thanks

 

[sretalla]

I am wondering if this is really true and if is possible to really delete the data in the physical disks (zero out) without wiping out the whole pool.

Because it's a copy on write filesystem, you can't really do any new writes in any of the datasets of the pool in the hope it will overwrite that same dataset (or any data in particular).

The only way to securely erase data on ZFS is to securely destroy the pool (or run an encrypted pool/dataset from the beginning and lose the key/passphrase, rendering the data unusable).

 

[Arwen]

In theory, you can pull one disk at a time and "wipe it". Then re-silver it back into the pool. Repeat until all disks are "wiped". This would make certain your deleted Dataset's data was gone. Some ZFS history might still reference the name of the dataset, or some attributes changed. But no data.

If your pool is made up of RAID-Z2, (or Z3), or 3 way mirrors, there is some loss of redundancy. But, not completely as a RAID-Z1 or 2 way mirrors would be. Or you could use a spare disk and pre-wipe it, and use it to replace the first disk in your pool. That would be marginally safer, if you can install the replacement disk before pulling the old disk.


I put wiped in quotes because some people are fine with a single pass of zeros. Others want random numbers in one pass. U.S. DOD wants a lot more, depending on the security classification of the data.