
How can I securely destroy some data using SQL Server 2008? (using DoD secure wipe or an equivalent)

One of my clients wants me to perform a periodic "real" destruction of some of his old data, and I'm evaluating the best way to do it.

The data is in a table, and I want to destroy some of the rows contained in it.

I could do it manually by deleting/exporting the database on another computer/degaussing the hard drive/reimporting the saved data, but I need an automatic solution.

Is there an equivalent to the delete (as in delete * from foo) command which would perform a secure destruction of the data (using DoD secure wipe, or something like that)?

Do you see other ways to perform this automatic deletion?

Btw, I know the odds of someone retrieving some of the data I've destroyed using the sql delete command are very small, but some of my clients require it. So please don't turn this question into a global debate on the topic of data disposal procedures!

Edit: the problem I want to address is not "How should I destroy the data so it cannot be recovered" but rather "How can I convince my clients that their data cannot be recovered".

Use some form of encryption to store the data fields in the table.

When you decide to "delete", re-encrypt the data you will continue to use with a new key. Discard the old key, and delete the rows encrypted with the old key. Shrink.

Even if someone recovers the rows, without the old key no one will be able to restore the data. Just make sure the old key is really discarded - you can have it on a single USB stick only, and destroy the stick, etc.
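A worked T-SQL version of this key-rotation scheme, added here as an illustration; it is not code from the answer above. It assumes a database named ShredDemo, and the certificate, key and table names (ShredCert, DocKey_Epoch1, DocKey_Epoch2, dbo.Documents) and the 2009-06-01 retention cut-off are made up for the example.

```sql
-- Added example (editor's illustration, not the answer's own code).
-- Assumptions: a database named ShredDemo; ShredCert, DocKey_Epoch1, DocKey_Epoch2,
-- dbo.Documents and the 2009-06-01 retention cut-off are illustrative names/values.
USE ShredDemo;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'replace-with-a-strong-passphrase';
CREATE CERTIFICATE ShredCert WITH SUBJECT = 'protects per-epoch data keys';
-- Epoch 1 key: every row written during this period is encrypted under it.
CREATE SYMMETRIC KEY DocKey_Epoch1 WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE ShredCert;
GO
CREATE TABLE dbo.Documents (
    DocId     int IDENTITY(1,1) PRIMARY KEY,
    KeyEpoch  int NOT NULL,              -- which key the Body column is encrypted under
    CreatedOn date NOT NULL,
    Body      varbinary(8000) NOT NULL   -- EncryptByKey output; plaintext is never stored
);
GO
OPEN SYMMETRIC KEY DocKey_Epoch1 DECRYPTION BY CERTIFICATE ShredCert;
INSERT dbo.Documents (KeyEpoch, CreatedOn, Body)
VALUES (1, '2009-01-15', EncryptByKey(Key_GUID('DocKey_Epoch1'), N'old contract: to be destroyed')),
       (1, '2009-06-30', EncryptByKey(Key_GUID('DocKey_Epoch1'), N'current contract: keep'));
CLOSE SYMMETRIC KEY DocKey_Epoch1;
GO

-- Retention run: move the rows we keep to a fresh key, delete the rest, destroy the old key.
CREATE SYMMETRIC KEY DocKey_Epoch2 WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE ShredCert;
GO
BEGIN TRANSACTION;
OPEN SYMMETRIC KEY DocKey_Epoch1 DECRYPTION BY CERTIFICATE ShredCert;
OPEN SYMMETRIC KEY DocKey_Epoch2 DECRYPTION BY CERTIFICATE ShredCert;
-- DecryptByKey picks the right open key from the key GUID embedded in each ciphertext,
-- so both keys are open while the surviving rows are re-encrypted.
UPDATE dbo.Documents
   SET Body     = EncryptByKey(Key_GUID('DocKey_Epoch2'), DecryptByKey(Body)),
       KeyEpoch = 2
 WHERE KeyEpoch = 1 AND CreatedOn >= '2009-06-01';   -- rows inside the retention window
DELETE dbo.Documents WHERE KeyEpoch = 1;              -- everything else is shredded
CLOSE ALL SYMMETRIC KEYS;
COMMIT;
GO
-- Point of no return for this database: whatever copies of the deleted ciphertext survive
-- in pages, ghost records or the log, nothing left here can decrypt them.
DROP SYMMETRIC KEY DocKey_Epoch1;
GO

-- Check 1: the retained rows still decrypt under epoch 2.
OPEN SYMMETRIC KEY DocKey_Epoch2 DECRYPTION BY CERTIFICATE ShredCert;
SELECT DocId, KeyEpoch, CONVERT(nvarchar(100), DecryptByKey(Body)) AS Body
  FROM dbo.Documents;
CLOSE ALL SYMMETRIC KEYS;
-- Check 2: the epoch 1 key no longer exists in the catalog.
SELECT name FROM sys.symmetric_keys WHERE name = 'DocKey_Epoch1';
```

Two caveats before relying on this. The symmetric key material is itself stored in the database (encrypted by the certificate and the database master key), so every full or log backup taken before the DROP still contains the old key next to the old ciphertext; discarding the key only counts once those backups are disposed of as well. And the DROP is itself just a row deletion in the catalog, so the same ghost-record and log residue considerations apply to the encrypted key blob as to the data, with the certificate that could unwrap it still present; either rotate the certificate with the key or run the page-cleaning procedure quoted in the next answer after the drop.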

From Books Online:

Delete operations from a table or update operations that cause a row to move can immediately free up space on a page by removing references to the row. However, under certain circumstances, the row can physically remain on the data page as a ghost record. Ghost records are periodically removed by a background process. This residual data is not returned by the Database Engine in response to queries. However, in environments in which the physical security of the data or backup files is at risk, you can use sp_clean_db_free_space to clean these ghost records.

This should zero-out your "free" data pages. It can also be used if Instant Initialization was used, but you decided you want to zero-out pages instead.

To answer your updated question, "How can I convince my clients that their data cannot be recovered", that BOL entry states it clearly, "Ghost records are periodically removed by a background process."

Basically, no. The standard operation won't do it, and if it did the data could still be reconstructed from transaction logs etc. Probably the closest you can come is to do it externally, copying and purging the database to another device, then doing a high-quality scrub delete on the old device, but as a security guy I'm not sure I'd even want to say that was an assured delete.

Secure delete is a difficult problem. You might do better with a cryptographic approach, like Radia Perlman's "ephemerizer".

I am not sure if this meets the requirements of the DOD, but at a minimum I would be going through the following.

  1. Delete the records the standard way
  2. Take a new backup of the database (for future use)
  3. Delete all existing backups (as they have the data), using a standard file deletion process that meets the standards
  4. Shrink the database to free up the unused space from the deleted records.

I think this will get you pretty close; the key though is the management of the shrink operation, which I am not 100% sure how that clears/handles data. Secondly, removing the old backups would be the "biggest risk" if you were looking at risk points, in my opinion.

Actually, chances of retrieving the data destroyed with DELETE are quite big, close to 100% :)

Data that you delete is kept in the transaction log; it's a part of how the transactions work. Otherwise, you either would not be able to ROLLBACK a transaction, or a COMMIT would take forever (like in old versions of PostgreSQL).

Best you can do without messing with the datafiles is:

  1. Delete your data.
    • Perform multiple UPDATEs on the table to destroy old data.
    • Perform several large transactions and commit them for the transaction log to be truncated. How many exactly depends on your log size.
    • CleanSweep space on disk occupied by old transaction logs.
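The in-engine steps proposed in this answer (overwrite with UPDATEs, delete, let the log truncate) and the sp_clean_db_free_space procedure quoted from Books Online in an earlier answer fit together into one routine. The following T-SQL is an added illustration of that routine, not code from either answer. It assumes a database ShredDemo with a table dbo.Documents(DocId int, Body nvarchar(4000), CreatedOn date), a FULL recovery model, a backup path under D:\backup, and a 2009-06-01 cut-off; all of these are made up for the example.

```sql
-- Added example (editor's illustration, not from the original answers).
-- Assumptions: database ShredDemo, table dbo.Documents(DocId, Body nvarchar(4000), CreatedOn),
-- backup path D:\backup, cut-off date 2009-06-01. All illustrative.
USE ShredDemo;
GO
-- 1. Overwrite in place before deleting. The replacement value has exactly the same byte
--    length as the original, so the UPDATE is an in-place modify of the existing row bytes
--    rather than a relocation that would leave the old copy sitting on the page.
--    Three passes: zeros, ones, then random bytes (CRYPT_GEN_RANDOM is available from 2008).
--    Only in-row data is covered; off-row LOB/row-overflow storage is not touched by this.
DECLARE @pass int = 1;
WHILE @pass <= 3
BEGIN
    UPDATE dbo.Documents
       SET Body = CASE @pass
                    WHEN 1 THEN REPLICATE(N'0', DATALENGTH(Body) / 2)
                    WHEN 2 THEN REPLICATE(N'1', DATALENGTH(Body) / 2)
                    ELSE CONVERT(nvarchar(4000), CRYPT_GEN_RANDOM(DATALENGTH(Body)))
                  END
     WHERE CreatedOn < '2009-06-01'
       AND DATALENGTH(Body) > 0;   -- CRYPT_GEN_RANDOM needs a length of at least 1
    SET @pass += 1;
END;
GO
-- 2. The delete itself.
DELETE dbo.Documents WHERE CreatedOn < '2009-06-01';
GO
-- 3. Flush dirty pages and let the log be truncated. Under SIMPLE recovery CHECKPOINT is
--    enough; under FULL recovery the inactive log is only released by a log backup. That
--    backup file now holds the before-images of the overwrites and the delete, so it needs
--    the same disposal as the old full backups.
CHECKPOINT;
BACKUP LOG ShredDemo TO DISK = N'D:\backup\ShredDemo_afterpurge.trn';
GO
-- 4. Zero ghost records and free space in the data file (the Books Online procedure).
EXEC sp_clean_db_free_space @dbname = N'ShredDemo';
GO
-- 5. Check: ghost_record_count for the table's pages should now be 0. DETAILED mode is
--    required for the ghost columns to be populated.
SELECT index_id, ghost_record_count, version_ghost_record_count
  FROM sys.dm_db_index_physical_stats(DB_ID(N'ShredDemo'), OBJECT_ID(N'dbo.Documents'),
                                      NULL, NULL, 'DETAILED');
GO
-- 6. Optional: release cleaned free space at the end of the file to the OS. Doing this only
--    after step 4 means the space handed back has already been zeroed. TRUNCATEONLY does not
--    move pages around. ShredDemo here is the logical data file name.
DBCC SHRINKFILE (ShredDemo, TRUNCATEONLY);
```

The limiting factor is step 1: SQL Server logs the old bytes of every UPDATE and DELETE so the transaction can be undone, which means the overwrite passes copy the plaintext into the transaction log before anything is destroyed. The log backup in step 3, and the .ldf file itself until that log space is reused, therefore carry the data this routine was meant to remove and must be handled as sensitive material in their own right.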

Delete the data. Do a simple backup and restore on a new hard drive and burn the old drive.

Destroying objects is the only way to really convince people that 'things' are really gone.

Well, I'm just playing here but you try this, it will be reasonably secure.

Don't use a typical backup.

Script out the schema, if you haven't already.

Script out all the data so that all the current data can be inserted with a script of many INSERT statements. The deleted data won't show up in this file, obviously. Of course, you will want to use Bulk Insert and all that to get the data back in there.

Now use sdelete to delete all the data files and logs associated with the database. Now, restore from the insert script. :)

By the way, your question and the edit you made, saying you don't want a solution but a reason why not, contradict your whole question. Anyway, a good reason not to do it is that no one is doing it. If you want to do something in computing (other than creating some brand new sort of application or something like that) that no one else is doing, it is probably a bad idea. There are no academic or DoD papers to my knowledge that describe a method to do this.

The bigger problem is what information will be "leaked" from the records you deleted to records that were not deleted. Note, here I mean "leak" in the sense of information flow.

Although, to be honest, the method I outlined above would essentially accomplish your goal.
