From cdcbe93dc2b148f4c9f07cbf1395d044def4efb0 Mon Sep 17 00:00:00 2001
From: Christopher Hoffman
Date: Thu, 1 Aug 2024 14:12:15 +0000
Subject: [PATCH] client/FSCrypt: securely erase crypto key

Fixes: https://tracker.ceph.com/issues/64136
Signed-off-by: Christopher Hoffman
---
 src/client/FSCrypt.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/client/FSCrypt.cc b/src/client/FSCrypt.cc
index 9eae8b93b56e1..7cc6ec8172328 100644
--- a/src/client/FSCrypt.cc
+++ b/src/client/FSCrypt.cc
@@ -361,6 +361,9 @@ void FSCryptContext::generate_new_nonce()
 void FSCryptKeyHandler::reset(int64_t _epoch, FSCryptKeyRef k)
 {
 std::unique_lock wl{lock};
+
+ // clear any previous crypto key with overwrite of 0s
+ key->get_key().zero();
 epoch = _epoch;
 key = k;
 }
--
2.39.5
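Review bot: The added `key->get_key().zero();` in FSCryptKeyHandler::reset dereferences `key` unconditionally, and nothing in the hunk shows that the handler already holds a key when reset() is first called; a guard such as `if (key) { key->get_key().zero(); }` keeps the erase without relying on that. FSCryptKeyRef appears to be a shared reference, so if another holder still has the old key object, or if `k` refers to the same object as `key`, this wipes key material that is still in use and then stores the zeroed key. It is worth confirming the handler is the last owner here, or doing the wipe where the key object itself is destroyed. Whether `zero()` is protected against dead-store elimination is not visible from this hunk and should be checked in its implementation.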