In some situations, you might want to have the data associated with a given disk file “scrubbed” (removed or rendered unreadable) from the areas on the disk when the disk file is removed.
SENSITIVEDATA File Attribute
The SENSITIVEDATA attribute can have the value TRUE or FALSE. If the value of the attribute is TRUE, when the file is removed, the disk areas assigned to the file are overwritten with the value of the ERASE system security option before the disk space is returned to the system for reuse. This procedure can supply a means of scrubbing files before they are reused. The setting of the ERASE system security option controls how scrubbing takes place and can be set to ZEROS, ONES, TRIPLE, and TRIPLEVERIFY.
However, there are drawbacks to relying on the SENSITIVEDATA attribute for scrubbing disk files:
-
Many files, such as code files and Command and Edit (CANDE) work files, cannot have the SENSITIVEDATA attribute associated with them.
-
The files are not scrubbed by a LOADER cold-start or by a LOADER REMOVE command.
-
The files are not scrubbed if some of their areas are allocated on continuation packs that are not online.
-
When a file with the SENSITIVEDATA attribute TRUE is created, it is immediately marked as a permanent file in the disk directory. This procedure can result in the premature removal of a valid file with the same file title before the newly created file is written.
Default Scrubbing
A more thorough method for scrubbing removed files is the system disk scrub option, DISKSCRUB.
You designate the DISKSCRUB option with the SECOPT (Security Options) system command. See Controlling System Security for information on the SECOPT command.
When the value of the DISKSCRUB option is TRUE, all disk files (including temporary files) are managed so that residual data on the disk cannot be obtained or read.
On systems requiring a high level of security, it is good practice to ensure that the disk space is unreadable after release. This can be achieved in the disk subsystem itself by encrypting the disks at rest. When the DISKSCRUB option is TRUE, this ensures that the disk space is overwritten, but it comes at a significant performance cost.
