fix(storage): fsync the vault secure-delete overwrite

removeVault() overwrote vault.dat with zeros then unlinked it, but never flushed to stable storage, so the zeros could stay in the OS cache and never reach disk. flush + fsync before unlink on POSIX (still best-effort on CoW/SSD, but now does what it claims). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-07 14:25:44 -05:00
parent fc438ab962
commit 3cec333d84
1 changed files with 14 additions and 0 deletions
--- a/src/util/secure_vault.cpp
+++ b/src/util/secure_vault.cpp
@@ -13,6 +13,11 @@
 #include <algorithm>
 #include "../util/logger.h"

+#ifndef _WIN32
+#include <fcntl.h>
+#include <unistd.h>
+#endif
+
 namespace fs = std::filesystem;

 namespace dragonx {
@@ -232,6 +237,15 @@ bool SecureVault::removeVault() {
                std::ofstream zap(vaultPath, std::ios::binary);
                if (zap.is_open()) {
                    zap.write(reinterpret_cast<const char*>(zeros.data()), sz);
+                    zap.flush();
+                    zap.close();
+                    // Force the zeros to stable storage before unlinking — otherwise the
+                    // write may never leave the OS cache (best-effort; not a guarantee on
+                    // CoW/journaling filesystems or wear-leveling SSDs).
+#ifndef _WIN32
+                    int fd = ::open(vaultPath.c_str(), O_WRONLY);
+                    if (fd >= 0) { ::fsync(fd); ::close(fd); }
+#endif
                }
            }
        }