Hi misc@,
I'm going to migrate a FreeBSD ZFS-based fileserver to an OpenBSD 7.3 UFS-based one.
In order to comply with regulations, part of the data must be encrypted; regulations also dictate that I have to be able to destroy the encryption keys.
So, I want to split data into multiple partitions, mounted read-only (it's "cold" data, there's no point in mounting rw); one of them, of about 50GB, will be a chunk dedicated to softraid. The volume will be assembled by hand and the on-disk encryption key will be encrypted with a user-supplied password (right, regulations).
If I understand correctly the 2010 paper by Marco Peereboom, he designed the crypto softraid discipline so the encrypted keys would be saved in a variable part of softraid metadata, stored at the beginning of the chosen chunk, after an offset of 512 bytes.
To "destroy" the keys I think it could be sufficient to use dd and overwrite the first megabyte of the softraid chunk with random data.
Am I missing something?
Thanks,
f
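
The dd step the post describes, with a check that the overwrite landed where intended, as an added example that is not part of the original post. It runs only against a constructed image file; the function names, the marker string and the image layout are assumptions for illustration and do not model real softraid metadata.

```shell
#!/bin/sh
# Added example: works on a constructed image file, never on a real device.
BS=4096
COUNT=256            # 256 * 4096 = the "first megabyte" from the post

# make_test_chunk FILE: build a 4 MiB constructed stand-in for a chunk.
make_test_chunk() {
    dd if=/dev/zero of="$1" bs=1048576 count=4 2>/dev/null
    # Constructed marker at byte offset 512 (the offset the post mentions).
    printf 'CONSTRUCTED-KEY-MATERIAL' |
        dd of="$1" bs=512 seek=1 conv=notrunc 2>/dev/null
    # Constructed payload at 2 MiB, well past the region to be wiped.
    printf 'PAYLOAD' | dd of="$1" bs=1048576 seek=2 conv=notrunc 2>/dev/null
}

# wipe_head FILE: overwrite the first megabyte with random data, then verify.
# Returns 0 on success, 1 if the head is unchanged, 2 if the tail was touched.
wipe_head() {
    chunk=$1
    tmp=$(mktemp -d) || return 1
    # Snapshot the head and the remainder before writing.
    dd if="$chunk" of="$tmp/head.before" bs="$BS" count="$COUNT" 2>/dev/null
    dd if="$chunk" of="$tmp/tail.before" bs="$BS" skip="$COUNT" 2>/dev/null
    # conv=notrunc keeps a regular file from being truncated to 1 MiB.
    dd if=/dev/urandom of="$chunk" bs="$BS" count="$COUNT" conv=notrunc 2>/dev/null
    # Read both regions back and compare with the snapshots.
    dd if="$chunk" of="$tmp/head.after" bs="$BS" count="$COUNT" 2>/dev/null
    dd if="$chunk" of="$tmp/tail.after" bs="$BS" skip="$COUNT" 2>/dev/null
    rc=0
    cmp -s "$tmp/head.before" "$tmp/head.after" && rc=1
    cmp -s "$tmp/tail.before" "$tmp/tail.after" || rc=2
    rm -rf "$tmp"
    return "$rc"
}
```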