On 11/20/17 04:51, Marc Lobelle wrote:
> Hum, this means that bcrypt will not erase the original file after
> encrypting it either and the file must be decrypted to be used. How can
> I make sure that its contents cannot be recovered on zfs then? (apart
> from writing the zfs encryption code that is missing in illumos zfs; it
> will have to be done eventually but I'm looking for an interim solution).

This doesn't work on ZFS, and just doesn't work in general even without ZFS. It's not uncommon that hardware itself remaps sectors, potentially leaving sensitive data in place and inaccessible to software that just goes through the file system layer, but relatively easily recoverable by an attacker.

The better answer, assuming physical security is insufficient, is to avoid writing sensitive information in the first place: encrypt the data before writing or configure the file system itself to encrypt.

A quick google search on "zfs secure delete" will turn up all sorts of discussions about this.

--
James Carlson 42.703N 71.076W <[email protected]>
_______________________________________________
openindiana-discuss mailing list
[email protected]
https://openindiana.org/mailman/listinfo/openindiana-discuss
