wipe some keys

3 files changed, 9 insertions, 0 deletions

diff --git a/ydb/core/blobstorage/nodewarden/CMakeLists.txt b/ydb/core/blobstorage/nodewarden/CMakeLists.txt
index 33c640008da..402f786c4f9 100644
--- a/ydb/core/blobstorage/nodewarden/CMakeLists.txt
+++ b/ydb/core/blobstorage/nodewarden/CMakeLists.txt
@@ -14,6 +14,7 @@ target_link_libraries(core-blobstorage-nodewarden PUBLIC
   library-cpp-json
   ydb-core-base
   core-blob_depot-agent
+  core-blobstorage-crypto
   core-blobstorage-groupinfo
   core-blobstorage-pdisk
   ydb-core-control
diff --git a/ydb/core/blobstorage/nodewarden/node_warden_impl.cpp b/ydb/core/blobstorage/nodewarden/node_warden_impl.cpp
index f681fb7beda..02586ae4506 100644
--- a/ydb/core/blobstorage/nodewarden/node_warden_impl.cpp
+++ b/ydb/core/blobstorage/nodewarden/node_warden_impl.cpp
@@ -1,5 +1,6 @@
 #include "node_warden_impl.h"
 
+#include <ydb/core/blobstorage/crypto/secured_block.h>
 #include <ydb/core/blobstorage/pdisk/drivedata_serializer.h>
 #include <ydb/library/pdisk_io/file_params.h>
 
@@ -471,6 +472,9 @@ bool ObtainKey(TEncryptionKey *key, const NKikimrProto::TKeyRecord& record) {
 
     key->Version = version;
     key->Id = keyId;
+
+    SecureWipeBuffer((ui8*)data.Detach(), data.size());
+
     return true;
 }
 
diff --git a/ydb/core/blobstorage/pdisk/blobstorage_pdisk_actor.cpp b/ydb/core/blobstorage/pdisk/blobstorage_pdisk_actor.cpp
index f8a6e679a75..ec4ff196815 100644
--- a/ydb/core/blobstorage/pdisk/blobstorage_pdisk_actor.cpp
+++ b/ydb/core/blobstorage/pdisk/blobstorage_pdisk_actor.cpp
@@ -205,6 +205,10 @@ public:
     {
     }
 
+    ~TPDiskActor() {
+        SecureWipeBuffer((ui8*)&MainKey, sizeof(MainKey));
+    }
+
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
     // Actor handlers
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////