
I was planning on passing encryption keys to zfs load-key pool/set through stdin. The keys passed are generated by another program in HEX format, and the dataset is configured to have keylocation=prompt, keyformat=hex, so the key can be passed through stdin like this: someprogram | zfs load-key pool/set.

Now I'm concerned: is it possible that the shell writes this passed key data somewhere on the disk, even though I really do not want this to happen? If the key is written to disk somewhere in the process of piping the STDOUT to STDIN, then it can possibly be recovered, as the main OS disk is not encrypted itself.

  • Pipes are implemented as connecting the left-hand-side's stdout to the right-hand-side's stdin. The disk is not involved (to the best of my knowledge) – glenn jackman Jul 28 '20 at 16:28

1 Answer


Pipes (or the temporary file system and named FIFO pipes) do not seem to write to disk directly, as commented by Glenn Jackman above, here and here, respectively.

But writing of sensitive data might occur indirectly with memory swapping (or hibernation), possibly even more unexpectedly than with the user knowing to check for undeleted unencrypted files - unless encrypted or disabled.

Martin
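An added example, not part of the original question or answer: a POSIX shell check for the swap exposure the answer describes, which classifies the active swap areas listed in /proc/swaps before the key is piped. The function names and the name-based classification are assumptions of this sketch; a device-mapper area is only a candidate for encrypted swap and still needs confirming with `cryptsetup status`, and hibernation is not covered.

```shell
#!/bin/sh
# Added example: classify active swap areas from /proc/swaps-format text.
# All function names are hypothetical; classification is by device name only.

# Constructed sample in /proc/swaps format (not taken from a real host).
sample_swaps() {
cat <<'EOF'
Filename                 Type       Size     Used  Priority
/dev/sda2                partition  8388604  0     -2
/swapfile                file       2097148  1024  -3
/dev/dm-1                partition  4194300  0     -4
/dev/zram0               partition  1048572  0     100
EOF
}

# Reads /proc/swaps-format text on stdin, prints "<area> <class>" per area:
#   ram   - zram device, pages stay in (compressed) memory
#   dm    - device-mapper target, possibly dm-crypt (confirm separately)
#   plain - partition or file, pages reach the disk unencrypted
classify_swaps() {
    awk 'NR > 1 && NF {
        class = "plain"
        if ($1 ~ /^\/dev\/zram/) class = "ram"
        else if ($1 ~ /^\/dev\/(dm-|mapper\/)/) class = "dm"
        print $1, class
    }'
}

# Prints how many active swap areas are classified "plain".
count_plain_swaps() {
    classify_swaps | awk '$2 == "plain" { n++ } END { print n + 0 }'
}

# Runs the given command only when this host has no plain swap area, e.g.:
#   run_if_no_plain_swap sh -c 'someprogram | zfs load-key pool/set'
run_if_no_plain_swap() {
    n=$(count_plain_swaps < /proc/swaps) || return 2
    if [ "$n" -gt 0 ]; then
        echo "refusing: $n swap area(s) not on device-mapper or zram" >&2
        return 1
    fi
    "$@"
}
```

On a host where the check refuses, `swapoff -a` for the duration of the key load or moving swap onto an encrypted device removes the exposure.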