Tutorial: How do I securely delete a row from a database?



Question:

For compliance reasons, when I delete a user's personal information from the database in my current project, the relevant rows need to be really, irrecoverably deleted.

The database we are using is Postgres 8.x.

Is there anything I can do, beyond running COMPACT/VACUUM regularly?

Thankfully, our backups will be held by others, and they are allowed to keep the deleted information.


Solution:1

"Irrecoverable deletion" is harder than it sounds, and extends beyond your database. For example, are you planning on going back to all previous instances of your database on tape/backup where this row also exists, and deleting it there too?

Consider a regular deletion and the periodic VACUUMing that you mentioned before.


Solution:2

Do you back up your database? If yes, make sure you delete it from the backups too.

Is that because of security risk? In that case, I'd change the data in the row and then delete the row.


Solution:3

Perhaps I'm off on a tangent, but do you really want to delete users like that? Most identity & access management approaches recommend keeping users around but in a flagged-as-deleted state, in order not to lose auditing ability (what has this user been up to in the previous five years?).

Deleting user information might be needed for integrity compliance reasons, or for nefarious black-hat purposes. In neither case is there a deletion method which guarantees that no traces could be left of the user's existence, as has been noted in other posts.

Perhaps you should elaborate as to why such an irrevocable delete is desirable...?
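The flagged-as-deleted approach this answer describes, as an added SQL example that is not part of the original answer. The `users` table, its `id` and `email` columns and the user id `42` are assumed for illustration; the partial unique index is one way to let a deleted user's e-mail address be reused while the audit row stays in place.

```sql
-- Added example (not from the original answer): soft-delete a user by
-- flagging the row instead of removing it, so audit history survives.
-- Table and column names are assumed for illustration.
ALTER TABLE users ADD COLUMN deleted_at timestamptz;

-- Flag the user as deleted; the row and everything that references it remain.
UPDATE users SET deleted_at = now() WHERE id = 42;

-- Application queries go through a view that hides flagged users.
CREATE VIEW active_users AS
  SELECT * FROM users WHERE deleted_at IS NULL;

-- Uniqueness is enforced only among live users, so the address of a
-- flagged user can be registered again without touching the old row.
CREATE UNIQUE INDEX users_email_active
  ON users (email)
  WHERE deleted_at IS NULL;

-- Audit question from the answer: what has this user done recently?
-- (assumes an audit_log table keyed by user_id)
SELECT * FROM audit_log WHERE user_id = 42 AND created_at > now() - interval '5 years';
```

Because the personal data is still stored, this pattern answers the auditing concern but not the original compliance requirement; it is the trade-off the answer is pointing at.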


Solution:4

To accomplish the "D" in ACID, relational databases use a transaction log type system for changes to the database. When a delete is made that delete is made to a memory copy of the data (buffer cache) and then written to a transaction log file in synchronous mode. If the database were to crash the transaction log would be replayed to bring the system back to the correct state. So a delete exists in multiple locations where it would have to be removed. Only at some later time is the record "deleted" from the actual data file on disk (and any indexes). This amount of time varies depending on the database.


Solution:5

This is not something that you can do on the software side. It's a hardware issue; to really delete it, you need to physically destroy the drive.


Solution:6

How about overwriting the record with random characters/dates/numbers etc?
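The overwrite-then-delete idea from Solution 2 and Solution 6, as an added Postgres example that is not part of either answer. The `users` table, its column names and the user id `42` are assumed for illustration.

```sql
-- Added example (not from the original answers): scrub the sensitive
-- columns before deleting, so the last live version of the row written
-- to the data file and to the WAL carries no personal data.
-- Table and column names are assumed for illustration.
BEGIN;

-- 1. Replace each sensitive field. Same-length filler keeps the tuple the
--    same size; md5(random()) gives random-looking text as Solution 6 suggests.
UPDATE users
   SET email     = md5(random()::text),
       full_name = repeat('x', length(full_name)),
       phone     = repeat('0', length(phone))
 WHERE id = 42;

-- 2. Delete the now-scrubbed row.
DELETE FROM users WHERE id = 42;

COMMIT;

-- 3. Under MVCC the UPDATE did not overwrite the old tuple in place: the
--    original version is still on disk as a dead tuple. Plain VACUUM only
--    marks that space reusable; VACUUM FULL rewrites the table file.
VACUUM FULL users;

-- 4. Index entries for the old values can linger; rebuild the indexes.
REINDEX TABLE users;
```

Even after this, the original INSERT and the pre-scrub row version remain in any archived WAL segments and in backups taken before the deletion, which is the point Solution 1 and Solution 4 make; the scrub only limits what the current data files and the most recent WAL contain.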

