[OpenIndiana-discuss] recompiling a program for openindiana

James Carlson carlsonj at workingcode.com
Mon Nov 20 14:10:47 UTC 2017


On 11/20/17 04:51, Marc Lobelle wrote:
> Hum, this means that bcrypt will not erase the original file after
> encrypying it either and the file must be decrypted to be used. How can
> I make sure that its contents cannot be recovered on zfs then ? (apart
> from writing the zfs encryption code that is missing in illumos zfs ; it
> will have to be done eventually but I'm looking for an interim solution).

This doesn't work on ZFS, and just doesn't work in general even without
ZFS.  It's not uncommon that hardware itself remaps sectors, potentially
leaving sensitive data in place and inaccessible to software that just
goes through the file system layer, but relatively easily recoverable by
an attacker.

The better answer, assuming physical security is insufficient, is to
avoid writing sensitive information in the first place: encrypt the data
before writing or configure the file system itself to encrypt.

A quick google search on "zfs secure delete" will turn up all sorts of
discussions about this.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>



More information about the openindiana-discuss mailing list