On Sat, Apr 25, 2015 at 10:54:22PM +1000, Joel Sing wrote:
>
> Apologies for not getting back to look at this - the above diff is in part a
> hack and it needs to be more cleanly implemented before it is committed.
> Additionally, it needs to be implemented and tested for all platforms that
> support softraid boot. I'll attempt to get this done over the next couple of
> weeks.
>

No worries, I see you are hacking on a bunch of stuff in other parts of the
tree, so I was just trying to ease your burden by possibly soliciting help
from other devs.

> In the meantime, as previously mentioned, the more effective way of clearing
> a softraid crypto volume is to recreate the volume with 'bioctl -C force' (or
> even just dd over the first 1MB of the RAID partition) - that nukes the keys
> that were used to encrypt the data, making the key disk or passphrase
> completely useless.
>

When you say "dd over the first 1MB of the RAID partition", does that mean
the RAID partition containing the keydisk, or the RAID partition storing the
actual encrypted files?

The recipe I put together for preparing the encrypted drive looks like this
(executed by a custom-built installer):

===
echo "Creating MBR partition on physical disk"
fdisk -iy sd0

echo "Creating crypto disklabel"
# Answers for the interactive editor: each "a" is followed by the
# offset, size and FS type prompts; a blank line accepts the default.
disklabel -E sd0 <<EOF
z
a b

2g

a d

1m
RAID
a a


RAID
w
q
EOF

echo "Creating crypto softraid with keydisk"
bioctl -c C -l /dev/sd0a -k /dev/sd0d softraid0

echo "Creating device node for sd1"
cd /dev
sh MAKEDEV sd1

echo "Zeroing out first MB of softraid device"
dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
sleep 5
===

So basically the system ends up with a tiny /dev/sd0d used as a keydisk, and
a /dev/sd0a for the remaining size of the disk, both of type RAID. The disk
"wiping" is currently performed by overwriting sd0d with dd. Am I to
understand overwriting the first 1MB of /dev/sd0a would be preferred?

Finally, if instead using the bioctl force path of clearing out the secrets,
would that mean (based on the scripted command above) that the correct
invocation would be:

===
# bioctl -C force -c C -l /dev/sd0a -k /dev/sd0d softraid0
===

> Also, keep in mind that anyone who has root access on
> these machines has the ability to copy the key disk, the softraid metadata
> with the encrypted disk keys and even the unencrypted disk encryption keys
> once they're in memory...

Of course. This is not to protect against ourselves, but to go from full
production to "have the plug pulled and the hardware returned to the owner"
in a matter of minutes. I fully understand the data is still readable by
anyone who has managed to get hold of the keys. It is the tradeoff of not
having time for even a single pass of dd of the main partition.

-- 
Patrik Lundin
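As an added example that is not part of this thread and not an OpenBSD tool: a small sh script that performs the dd-based wipe Joel describes, covering both the key disk partition and the crypto chunk, and then reads the wiped region back so a failed dd is not mistaken for a successful wipe. Device paths are parameters, so the functions can be exercised on ordinary files before being pointed at e.g. /dev/rsd0d and /dev/rsd0a. It assumes, which the thread does not state, that the softraid metadata lies entirely within the first 1 MiB of the chunk and that the volume has already been detached with bioctl -d.

```shell
#!/bin/sh
# Added example, not from the thread above and not an OpenBSD tool.
# Zero the leading 1 MiB of a softraid key disk partition and of the
# crypto chunk, the region Joel describes as holding the keys.
# Assumptions not stated on the page: the metadata lies entirely within
# the first 1 MiB, and the volume has been detached (bioctl -d) first.
# Device paths are parameters so the functions can be tried on ordinary
# files before being pointed at e.g. /dev/rsd0d and /dev/rsd0a.

MIB=1048576   # bs=1m in OpenBSD dd syntax; spelled out for portability

# Overwrite the first MiB of $1 with zeros and leave the rest in place.
# conv=notrunc only matters for a regular file used as a stand-in; on a
# raw device it has no effect.
wipe_head() {
    dd if=/dev/zero of="$1" bs=$MIB count=1 conv=notrunc 2>/dev/null
}

# Succeed (exit 0) only if the first MiB of $1 contains no non-zero byte.
head_is_zero() {
    nonzero=$(( $(dd if="$1" bs=$MIB count=1 2>/dev/null | tr -d '\0' | wc -c) ))
    [ "$nonzero" -eq 0 ]
}

# Wipe the key disk partition ($1) and the crypto chunk ($2), then
# verify both heads read back as zeros. Returns 2 if a path is missing,
# 1 if dd or the read-back check fails, 0 on a verified wipe.
wipe_softraid_secrets() {
    keydisk=$1
    chunk=$2
    [ -e "$keydisk" ] && [ -e "$chunk" ] || return 2
    wipe_head "$keydisk" || return 1
    wipe_head "$chunk" || return 1
    head_is_zero "$keydisk" && head_is_zero "$chunk"
}

# Usage against the layout in the thread (run as root, volume detached):
#   wipe_softraid_secrets /dev/rsd0d /dev/rsd0a
```

Only the first MiB of each target is touched, which is why this finishes in seconds while a full pass of dd over the data partition does not; everything past that offset is left as-is and remains readable to anyone who already holds the keys.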