Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.

On 11/18/2015 01:34 PM, Andrew Sullivan wrote:
> On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
>> It's quite unclear to me what threat model such a behavior would add
>> useful protection against.
>
> If you had some sort of high-security database and deleted some data
> from it, it's important for the threat modeller to know whether the
> data is gone-as-in-overwritten or gone-as-in-marked-free.  This is the
> same reason they want to know whether a deleted file is actually just
> unlinked on the disk.
>
> This doesn't mean one thing is better than another; just that, if
> you're trying to understand what data could possibly be exfiltrated,
> you need to know the state of all of it.
>
> For realistic cases, I expect that deleted data is usually more
> important than updated data.  But a threat modeller needs to
> understand all these variables anyway.

Alright, I was following you up to this. Seems to me deleted data would
represent stale/old data and would be less valuable.
>
> A
>


--
Adrian Klaver
adrian.klaver@aklaver.com