On Mon, Feb 08, 2010 at 03:41:16PM -0500, Miles Nordin wrote:
>     ch> In our particular case, there won't be
>     ch> snapshots of destroyed filesystems (I create the snapshots,
>     ch> and destroy them with the filesystem).
> 
> Right, but if your zpool is above a zvol vdev (ex COMSTAR on another
> box), then someone might take a snapshot of the encrypted zvol.  Then
> after you ``securely delete'' a filesystem by overwriting various
> intermediate keys or whatever, they might roll back the zvol snapshot
> to undelete.
> 
> Yes, you still need the passphrase to reach what they've undeleted,
> but that's always true---what's ``secure delete'' supposed to mean
> besides the ability to permanently remove one dataset but not others,
> even from those who possess the passphrase?  Otherwise it would not be
> a feature.  It would just be a suggestion: ``forget your passphrase.''

Correct.  Secure erasure through "forgetting the keys" really does
depend on "forgetting the keys", which does include "forgetting the
passphrase".  The only way to avoid that would be to store the wrapped
keys in local keystores (i.e., a TPM or a smartcard) that do support
secure erasure, so that "forgetting the keys" can be done without having
to forget passphrases.

>     nw> ZFS crypto over zvols and what not presents no additional
>     nw> problems.
> 
> If you are counting on the ability to forget a key by overwriting the
> block of vdev in which the key's stored, then doing it over zvols is
> an additional problem.

True, but this could happen regardless of whether the underlying storage
is a zvol or not.  I stand by the statement that "ZFS crypto over zvols
and what not presents no additional problems".

Nico
-- 
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
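The two positions in the thread can be put side by side in a small model. The following is an added example, not code from the thread or from ZFS: a toy key hierarchy (passphrase to KEK, KEK wrapping a per-dataset key, data key encrypting the dataset) with SHA-256 in counter mode and an HMAC tag standing in for the real AES-based wrapping. It shows that overwriting the wrapped key on the vdev does make the data unreadable, that a snapshot of the vdev taken before the overwrite brings it back for anyone who still holds the passphrase, and that keeping the wrapped key in a separate erasable keystore (the TPM/smartcard case Nico mentions, modelled as a dict) removes the rollback path. All names, the dataset content and the fixed KDF salt are constructed for the demo.

```python
"""Toy model of 'secure delete by forgetting keys' vs. a snapshot of the vdev.
Constructed example; the ciphers are demo stand-ins, not ZFS crypto."""
import copy
import hashlib
import hmac
import os

DATA = b"payroll-2010.db contents"  # constructed sample dataset content


def kdf(passphrase: bytes, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher for the demo only."""
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, dk: bytes) -> bytes:
    """Wrap a 32-byte data key under the KEK; the HMAC tag lets unwrap detect
    an overwritten or corrupted wrapped key (real ZFS uses an AEAD here)."""
    nonce = os.urandom(16)
    ct = xor(dk, keystream(kek, nonce, 32))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, wrapped: bytes):
    nonce, ct, tag = wrapped[:16], wrapped[16:48], wrapped[48:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # key material gone: the "forgotten" key
    return xor(ct, keystream(kek, nonce, 32))


class Vdev:
    """Blocks of the device beneath the pool. In the thread's scenario this is
    a zvol on another box, which its owner can snapshot and roll back."""
    def __init__(self):
        self.blocks = {}

    def snapshot(self) -> dict:
        return copy.deepcopy(self.blocks)

    def rollback(self, snap: dict) -> None:
        self.blocks = copy.deepcopy(snap)


def create_dataset(vdev, kek, name, plaintext, keystore=None):
    """Encrypt under a fresh data key. The wrapped data key goes onto the vdev,
    or into the external keystore (TPM/smartcard model) when one is given."""
    dk = os.urandom(32)
    store = vdev.blocks if keystore is None else keystore
    store[name + ".key"] = wrap(kek, dk)
    nonce = os.urandom(16)
    vdev.blocks[name + ".data"] = nonce + xor(plaintext, keystream(dk, nonce, len(plaintext)))


def read_dataset(vdev, kek, name, keystore=None):
    """Unwrap the data key and decrypt; None when the wrapped key is unusable."""
    store = vdev.blocks if keystore is None else keystore
    dk = unwrap(kek, store[name + ".key"])
    if dk is None:
        return None
    blob = vdev.blocks[name + ".data"]
    nonce, ct = blob[:16], blob[16:]
    return xor(ct, keystream(dk, nonce, len(ct)))


def secure_delete(vdev, name, keystore=None):
    """'Forget' the dataset key by overwriting its wrapped copy with random
    bytes; the ciphertext blocks are left in place, as freed blocks would be."""
    store = vdev.blocks if keystore is None else keystore
    store[name + ".key"] = os.urandom(len(store[name + ".key"]))


def run_scenario(passphrase=b"correct horse battery", keystore=None):
    """Returns (readable after delete?, readable after vdev rollback?)."""
    kek = kdf(passphrase, b"\x00" * 16)  # fixed salt for the demo only
    vdev = Vdev()
    create_dataset(vdev, kek, "tank/secret", DATA, keystore)
    snap = vdev.snapshot()              # the zvol's owner snapshots it
    secure_delete(vdev, "tank/secret", keystore)
    after_delete = read_dataset(vdev, kek, "tank/secret", keystore)
    vdev.rollback(snap)                 # ... and rolls it back later
    after_rollback = read_dataset(vdev, kek, "tank/secret", keystore)
    return after_delete, after_rollback


if __name__ == "__main__":
    print("keys on vdev:      ", run_scenario())
    print("keys in keystore:  ", run_scenario(keystore={}))
```

With the wrapped key on the vdev, `run_scenario()` returns `(None, DATA)`: the delete works until the snapshot is rolled back, after which the passphrase is all that is needed. With the wrapped key in the separate keystore it returns `(None, None)`, because the rollback only restores vdev blocks and the keystore copy stays overwritten. The ciphertext itself is identical in both cases, which is the point made above: the security of "forgetting the key" rests entirely on where every copy of that key lives.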