scurrier
Patron
Joined: Jan 2, 2014
Messages: 297
I have a pool I wanted to use for backup. The root dataset was encrypted but I accidentally didn't encrypt the child data sets under it because of not understanding how replication works. So, I needed to wipe the disk and start over, because it had unencrypted data written to it which could not be guaranteed to be overwritten upon recreation.
I exported a pool and selected the option to destroy the data. As expected, I was prompted to type the pool name to confirm. Upon execution, the pool was exported, several steps flew by and one of them was about destroying the data. On the destroying data step, the overall progress bar showed 80%. I wondered how long it was going to show the dialog while it wiped the data. The pool had several terabytes so it would definitely take hours. Then, mere seconds after the whole operation started, it appeared to finish and stated "Successfully exported/disconnected '<poolname>'. All data on that pool was destroyed."
Uhm, I doubt it. If the data on the disk had all been encrypted, I think this could be valid because destroying the encryption key is practically equivalent to destroying the data, so it could be completed in a very short time. But this disk had terabytes of unencrypted datasets under the root pool dataset. So there's no way it wiped it all in seconds.
I am going to wipe the disk manually, but I thought I'd post on the forums to see if I am missing anything obvious. Otherwise, it seems clear that this is a bug, maybe one where the devs didn't handle the case of unencrypted datasets under an encrypted pool dataset.
It should go without saying that assuring the user that data was destroyed when it actually wasn't is a big security issue.
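The post's core point is that destroying the encryption key only destroys data that was actually encrypted, so before relying on key destruction it is worth listing every dataset in the pool whose `encryption` property is `off`. The following is an added example, not code from the forum post or from TrueNAS; it parses the output format of `zfs get -H -r -o name,value encryption <pool>` and uses a constructed sample in place of a live pool (the pool name `backup` and its datasets are made up).

```shell
#!/bin/sh
# Added example: find datasets that a pool-level key destruction would NOT
# render unreadable. Input is the text produced by
#   zfs get -H -r -o name,value encryption <pool>
# where each line is "<dataset>\t<encryption value>" and unencrypted
# datasets report "off".

# Constructed sample standing in for real `zfs get` output (pool "backup").
# Real output separates the two columns with a tab; awk's default
# whitespace splitting handles both tabs and spaces.
SAMPLE_ZFS_GET='backup aes-256-gcm
backup/docs aes-256-gcm
backup/photos off
backup/photos/2019 off
backup/vm aes-256-gcm'

# Print the name of every dataset whose encryption property is "off",
# one per line. $1 is the zfs get output text.
unencrypted_datasets() {
    printf '%s\n' "$1" | awk '$2 == "off" { print $1 }'
}

# Exit status 0 when no dataset is unencrypted (key destruction covers all
# data in the listing), 1 when plaintext datasets remain and would need
# an explicit overwrite. $1 is the zfs get output text.
all_encrypted() {
    [ -z "$(unencrypted_datasets "$1")" ]
}

# Stand-alone usage on a live system (requires zfs; pool name assumed):
#   unencrypted_datasets "$(zfs get -H -r -o name,value encryption backup)"
```

On the sample above the check reports `backup/photos` and `backup/photos/2019`, which is exactly the situation described in the post: datasets whose contents survive the removal of the root dataset's key.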