Although I am a big believer in securely deleting virtual hard disks, the need for security has to be balanced against the impact that protecting data via secure deletion will have on the organization’s virtualization infrastructure. The most obvious impact is that secure deletions are I/O-intensive operations. If not properly constrained, it is entirely possible that a secure delete operation will negatively impact the performance of neighboring virtual machines by robbing them of storage IOPS.
Another consideration is storage wear. If your virtual machines reside on an all-flash array, then securely deleting unwanted virtual hard disks could cause physical disks to wear out more quickly.
With all that said, one of the key responsibilities associated with data center management is protecting data. To that end, most data center operators have adopted protocols for disposing of old hard disks. Any time that a hard disk is replaced, the old disk is typically shredded, degaussed or securely overwritten. Organizations should--but often don’t--pay the same kind of attention to virtual hard disks.
On at least some level, the practice of securely disposing of unwanted virtual hard disks seems unnecessary for protecting data. After all, virtual machines are often transient in nature, and when a virtual machine has outlived its usefulness, it is simply deleted.
Every virtualization platform has its own nuances, but, depending on the hypervisor and the management tools that you are using, deleting a virtual machine might not necessarily get rid of its virtual hard disks. If you look at Figure 1, for instance, you can see that I have created a Hyper-V virtual machine named “demo.” This virtual machine, which is hosted on a Windows Server 2019 Hyper-V server, uses a virtual hard disk file named Sample VM.vhdx, which is located at F:\VMs.
Figure 1
The Demo VM uses a virtual hard disk named F:\VMs\Sample VM.VHDX.
Now take a look at Figure 2. Even though I have deleted the virtual machine, its virtual hard disk remains.
Figure 2
The virtual machine has been deleted, but its virtual hard disk was not automatically removed.
Granted, most Hyper-V administrators probably know to manually delete virtual hard disks after they delete a virtual machine. Even so, deleting the virtual hard disk doesn’t necessarily prevent it from being recovered. After all, deleting a file removes the file from the Master File Table, but, depending on the storage that is being used, the file may exist until the storage that it occupied is overwritten.
Given the fact that deleting a virtual machine and its virtual hard drive might not render the virtual hard disk unrecoverable, one has to question whether additional mechanisms need to be put into place for protecting data. Some might be quick to point out that if the virtual hard disk was encrypted, there is no need to implement any additional protection. However, the physical hard disks used in data centers are almost always encrypted, and yet data center operators still go to great lengths to make sure that those hard disks are disposed of properly. So, is it really so far-fetched to consider the need for data destruction on virtual hard disks?
Securely disposing of a virtual hard disk really is a relatively easy task. There are any number of utilities available that can do the job. Many of these utilities can be downloaded as a bootable ISO file. Once you have acquired such a tool, all you have to do is to boot your virtual machine from the ISO file, and then let it securely delete the virtual hard disk’s contents. Figure 3 shows an example of such a product running inside a Hyper-V virtual machine.
Figure 3
Some secure delete utilities can be booted from an ISO file, making them easily adaptable to virtual machine use.
Conclusion
Ultimately, there isn’t necessarily a right or wrong answer to the question of whether virtual hard disk contents should be securely deleted. Organizations have to consider the security risks associated with deleting old virtual hard disks in the traditional way, as well as the effect that secure delete operations will have on their virtualization infrastructure. In some cases, the extra security put into place for protecting data might not justify the performance impact. In other cases, though, it will likely make sense to securely delete old virtual hard disks that are known to contain highly sensitive data.
