>>>>> "djm" == Darren J Moffat <darr...@opensolaris.org> writes:
>> encrypted blocks is much better, even though
>> encrypted blocks may be subject to freeze-spray attack if the
>> whole computer is compromised

The idea of crypto deletion is to use many keys to encrypt the drive, and encrypt keys with other keys. When you want to delete something, forget the key that encrypted it. Its point is to defend against exactly the freeze-spray case by making undelete into a difficult cryptanalysis problem even for the drive's authorized key-holding user.

djm> Much better for jurisdictions that allow for that, but not all
djm> do. I know of at least one that wants even ciphertext blocks
djm> to be overwritten.

The appropriate answer depends on when they want it done, though. Do they want it done continuously while the machine is running, whenever someone rm's something? Or is it about ``losing'' the data, about media containing encrypted blocks passing outside the campus, or just not knowing where something physically is at all times?

If there is no requirement for the former case, crypto deletion is pointless. Any requirement for the second case can be met with 'dd' or similar---it's only the former that needs filesystem integration.

It's imaginable that the two cases might have different levels of cargo cult strictness, though. Or...that ``jurisdictions'' smart enough to express two separate requirements will be negotiable, and for those that don't distinguish you can say ``oh, but I thought you only meant the latter case because you've already accepted a mishmash of products some of which do nothing at all about the former case.''
_______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
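An added example, not code from the post above or from ZFS: a small model of the two-level key hierarchy the post describes (per-object data keys wrapped under a master key), with "delete" meaning "forget the wrapped key", side by side with the 'dd'-style overwrite for the second case. To keep it runnable on the Python standard library alone, AES is stood in for by an HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC); the class and function names, and the sample data, are all assumptions made up for this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key (HMAC-based KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode (HMAC-SHA256), a stand-in for AES-CTR so the
    # example needs only the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CryptoDeletingStore:
    """Every object gets its own data key, kept only in wrapped form under
    the master key. Ciphertext blocks are never touched on crypto-delete;
    only the wrapped key is forgotten."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.blocks = {}        # name -> ciphertext; survives delete, as on real media
        self.wrapped_keys = {}  # name -> data key wrapped under master_key

    def write(self, name: str, data: bytes) -> None:
        data_key = secrets.token_bytes(32)
        self.blocks[name] = encrypt(data_key, data)
        self.wrapped_keys[name] = encrypt(self.master_key, data_key)

    def read(self, name: str) -> bytes:
        data_key = decrypt(self.master_key, self.wrapped_keys[name])
        return decrypt(data_key, self.blocks[name])

    def crypto_delete(self, name: str) -> None:
        # Forget the key; the ciphertext stays exactly where it was.
        del self.wrapped_keys[name]

    def overwrite_delete(self, name: str) -> None:
        # The 'dd'-style answer for rules that want the ciphertext blocks
        # themselves overwritten: forget the key and zero the block.
        self.crypto_delete(name)
        self.blocks[name] = bytes(len(self.blocks[name]))


def demo() -> dict:
    """Exercise both deletion styles and return facts a test can check."""
    master = secrets.token_bytes(32)
    store = CryptoDeletingStore(master)
    store.write("secret.txt", b"board minutes, do not leak")  # constructed sample
    before = store.read("secret.txt")
    store.crypto_delete("secret.txt")

    # Undelete attempt by someone who holds the master key AND the raw blocks
    # (the freeze-spray case): the ciphertext is still present, the wrapped
    # key is gone, and the master key alone does not decrypt a data block.
    block_survives = "secret.txt" in store.blocks
    try:
        store.read("secret.txt")
        readable_after = True
    except KeyError:
        readable_after = False
    try:
        decrypt(master, store.blocks["secret.txt"])
        master_decrypts_block = True
    except ValueError:
        master_decrypts_block = False

    store.write("export.bin", b"leaving campus")  # constructed sample
    store.overwrite_delete("export.bin")
    zeroed = store.blocks["export.bin"]
    return {
        "before": before,
        "block_survives_crypto_delete": block_survives,
        "readable_after_crypto_delete": readable_after,
        "master_key_decrypts_block": master_decrypts_block,
        "block_zeroed_after_overwrite": zeroed.count(0) == len(zeroed),
    }
```

The caveat the model makes visible: forgetting the wrapped key only helps if the unwrapped data key is not still sitting in RAM or a cache when the machine is frozen, so a real implementation has to zeroise unwrapped data keys promptly, not just drop the table entry.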