From: Christopher Hoffman <choffman@redhat.com>
Date: Thu, 1 Aug 2024 14:12:15 +0000 (+0000)
Subject: client/FSCrypt: securely erase crypto key
X-Git-Tag: testing/wip-vshankar-testing-20260120.085915-debug^2~13^2~108
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=cdcbe93dc2b148f4c9f07cbf1395d044def4efb0;p=ceph-ci.git

client/FSCrypt: securely erase crypto key

Fixes: https://tracker.ceph.com/issues/64136
Signed-off-by: Christopher Hoffman <choffman@redhat.com>
---

diff --git a/src/client/FSCrypt.cc b/src/client/FSCrypt.cc
index 9eae8b93b56..7cc6ec81723 100644
--- a/src/client/FSCrypt.cc
+++ b/src/client/FSCrypt.cc
@@ -361,6 +361,9 @@ void FSCryptContext::generate_new_nonce()
 void FSCryptKeyHandler::reset(int64_t _epoch, FSCryptKeyRef k)
 {
   std::unique_lock wl{lock};
+
+  // clear any previous crypto key with overwrite of 0s
+  key->get_key().zero();
   epoch = _epoch;
   key = k;
 }