On Thu, May 25, 2023 at 09:35AM Stefan Sperling wrote:
> On Wed, May 24, 2023 at 04:37:00PM +0000, Francesco Toscan wrote:
>> Hi misc@,
>>
>> I'm going to migrate a FreeBSD ZFS-based fileserver to an OpenBSD 7.3
>> UFS-based one.
>> In order to comply with regulations, part of data must be encrypted;
>> regulations also dictate that I have to be able to destroy the encryption
>> keys.
[...]
>> To "destroy" the keys I think it could be sufficient to use dd and overwrite
>> the first megabyte of the softraid chunk with random data.
> Yes, indeed. There is only one section of meta-data at the beginning of the
> chunk and if this meta-data is lost then the decryption key is gone as well.
[...]

Thank you for the detailed explanation, much appreciated.
For the record, bioctl and the stack do comply.

> It is not yet possible to encrypt a key disk with a passphrase, which would
> provide two-factor authentication. There is no technical reason which would
> prevent this from being implemented, it just hasn't been done.

From a user perspective, a user who is not able to help coding, I can just say
that encrypting a key disk with a passphrase would be great.

Thanks for your time,
f