FileNet Content Services Concepts - Part 3

Secure Document Delete

With the Secure Document Delete feature you can scrub your sensitive document files to prevent any possibility of recovery via disk recovery tools. Scrubbing means to overwrite its contents with a byte pattern before actually deleting the file.

Scrubbing means that the file's entire content is overwritten by a byte pattern before the file is actually deleted. Secure Document Delete does not delete files from client machines. To ensure secure delete functionality on servers containing library system components, do not install client interfaces (such as IDM Desktop) on those servers.

Neither Replication Services nor Web Services scrub files during add, checkin, and checkout operations. For simple delete operations as may be desired during a “purge” process however, Secure Document Delete is applied on all servers that have this feature turned on.

You can configure the Secure Document Delete feature for each Storage Manager by selecting one of the options described below.

Level	Description
No Secure Deletes	Ordinary delete. Files are not overwritten before being deleted.
One Scrub	Files are overwritten with zeroes once before being deleted. This level corresponds to the Clear definition of the DOD 5220.22-M specification.
Three Scrubs	Files are overwritten once with an arbitrary character, again by the character's complement, and finally by a random character before being deleted. This level corresponds to the Purge or Sanitize definition of the DOD 5220.22-M specification.

The initial and additional (remote) Storage Managers of a library system are each separately configurable with respect to secure deletes. Whether an item (document) is securely deleted depends on the secure-delete setting of all the Storage Managers that govern the storage repositories where the versions of the item are stored.

When an item is added to a library, it is given a Storage Category, which is associated with the storage repository where the versions of the item will be stored. As one storage repository fills up, the system administrator will assign the Storage Category to another storage repository. Thus, over time, different versions of the same item may end up in different storage repositories.

To ensure that an item is securely deleted, make sure it is given a Storage Category all of whose associated storage repositories will only be on servers where the Storage Manager is configured for secure deletes. Beware that if even one of the storage repositories associated with the Storage Category is on a server whose Storage Manager is not configured for secure deletes, then any versions of the item that are stored on that server will not be securely deleted.

Secure Document Delete Limitations

On UNIX platforms, files larger than 2 Gbytes will not be overwritten and must be scrubbed using special tools. On Windows platforms, files will be scrubbed securely up to the full Windows 64-bit limit.

Secure Document Delete does not scrub property data in the database; this remains the job of the database administrator and the database itself. Microsoft SQL Server and Oracle do not scrub database data during row or table deletion.

You cannot obtain Secure Document Delete functionality on compressed disks or files. Do not use defragmentation tools on the disk containing the stored document files. Such tools move the files on the disk without pre-scrubbing them, making secure deletes unsupportable.

Some database metadata (such as file names, Item IDs, Version IDs) are not scrubbed in subtle places. For example, when a search query is performed, even on the server, a temp file is used to store the results. When the query ends, the temp file is deleted (but not securely). Database metadata is generally insecure; even Microsoft SQL Server and Oracle databases cannot do secure metadata deletes.

The Windows pagefile and UNIX swap files may include memory images that need to be paged to disk, and the memory image may include the files you are copying or writing. The Secure Document Delete functionality cannot scrub these files.

Reformatting a hard disk may not overwrite data on the disk. If you reformat a disk containing storage repositories, you should use other tools to scrub the disk clean of file data.

The uninstall command (dsuninst.exe) does not scrub storage or index repository files.  Activities such as the actions of the executable files that perform during installs and upgrades, the use of tools, and utilizing configuration code, do not carry out secure deletes. For example when DLLs are copied to a temp directory, they are not scrubbed when they are removed. Secure Document Delete does not work on Hierarchical Storage Manager extended drives. HSM controls access to files on media and cannot guarantee scrubbing in the process of a move or purge