Hi misc@, I'm going to migrate a FreeBSD ZFS-based fileserver to a OpenBSD 7.3 UFS-based one. In order to comply with regulations, part of data must be encrypted; regulations also dictate that I have to be able to destroy the encryption keys.
So, I want to split data into multiple partitions, mounted read-only (it's "cold" data, there's no point in mounting rw); one of them, of about 50GB, will be a chunk dedicated to softraid. The volume will be assembled by hand and the on-disk encryption key will be encrypted with a user supplied password (right, regulations). If I understand correctly the 2010 paper by Marco Peereboom, he designed the crypto softraid discipline so the encrypted keys would be saved in a variable part of softraid medatata, stored at the beginning of the chosen chunk, after an offset of 512 bytes. To "destroy" the keys I think it could be sufficient to use dd and overwrite the first megabyte of the softraid chunk with random data. Am I missing something? Thanks, f
