On Thu, May 25, 2023 at 09:35AM Stefan Sperling wrote:
> On Wed, May 24, 2023 at 04:37:00PM +0000, Francesco Toscan wrote:
>> Hi misc@,
>
>> I'm going to migrate a FreeBSD ZFS-based fileserver to an OpenBSD 7.3 UFS-based one.
>> In order to comply with regulations, part of data must be encrypted; regulations also dictate that I have to be able to destroy the encryption keys.
[...]
>> To "destroy" the keys I think it could be sufficient to use dd and overwrite the first megabyte of the softraid chunk with random data.
> Yes, indeed. There is only one section of meta-data at the beginning of the
> chunk and if this meta-data is lost then the decryption key is gone as well.
[...]
Thank you for the detailed explanation, much appreciated.
For the record, bioctl and the stack do comply.
> It is not yet possible to encrypt a key disk with a passphrase, which would
> provide two-factor authentication. There is no technical reason which would
> prevent this from being implemented, it just hasn't been done.
From a user perspective, a user who is not able to help coding, I can just say
that encrypting a key disk with a passphrase would be great.
Thanks for your time,
f
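
The overwrite discussed in this thread, as an added example that is not part of the original messages or of OpenBSD's own tooling: it replaces the first megabyte of a chunk with random data, reads the region back to confirm it changed, and leaves the rest untouched. The function names and the file-backed test image are assumptions made here; the 1 MiB size is the figure from the thread, and the path of a real chunk device is yours to supply.

```shell
#!/bin/sh
# Added example, not from the thread: overwrite the first MiB of a softraid
# chunk (the figure given in the thread) and verify the result.
WIPE_BLOCKS=1024   # 1024 blocks x 1024 bytes = 1 MiB

# Checksum of the first MiB (the region holding the softraid meta-data).
head_sum() {
    dd if="$1" bs=1024 count="$WIPE_BLOCKS" 2>/dev/null | cksum
}

# Checksum of everything after the first MiB (the encrypted data area).
tail_sum() {
    dd if="$1" bs=1024 skip="$WIPE_BLOCKS" 2>/dev/null | cksum
}

# destroy_meta TARGET: overwrite the first MiB with random data, then read it
# back and fail unless the region actually changed.
destroy_meta() {
    target=$1
    if [ -z "$target" ] || [ ! -w "$target" ]; then
        echo "not writable: $target" >&2
        return 2
    fi
    before=$(head_sum "$target")
    # conv=notrunc keeps a file-backed image at its size; harmless on devices.
    dd if=/dev/urandom of="$target" bs=1024 count="$WIPE_BLOCKS" \
        conv=notrunc 2>/dev/null || return 1
    sync
    after=$(head_sum "$target")
    if [ "$before" = "$after" ]; then
        echo "first MiB unchanged, wipe failed: $target" >&2
        return 1
    fi
    echo "first MiB of $target overwritten"
}

# With an argument, wipe that chunk; without one, run on a constructed
# 2 MiB file-backed image so the script can be tried safely.
if [ $# -gt 0 ]; then
    destroy_meta "$1"
else
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1024 count=2048 2>/dev/null
    destroy_meta "$img"
    rm -f "$img"
fi
```

The read-back check confirms only what the device returns on a read; on flash media the old sectors may still exist in spare blocks that the host cannot address.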