client/FSCrypt: securely erase crypto key

Fixes: https://tracker.ceph.com/issues/64136
Signed-off-by: Christopher Hoffman <choffman@redhat.com>

diff --git a/src/client/FSCrypt.cc b/src/client/FSCrypt.cc
index 9eae8b93b56e10209bf884ab20765dd771226408..7cc6ec817232876c274f95de2507b318c4d4d69b 100644 (file)
--- a/src/client/FSCrypt.cc
+++ b/src/client/FSCrypt.cc
@@ -361,6 +361,9 @@ void FSCryptContext::generate_new_nonce()
 void FSCryptKeyHandler::reset(int64_t _epoch, FSCryptKeyRef k)
 {
   std::unique_lock wl{lock};
+
+  // clear any previous crypto key with overwrite of 0s
+  key->get_key().zero();
   epoch = _epoch;
   key = k;
 }