Fix DecryptWithIdentity to return LockedBuffer

- Changed DecryptWithIdentity to return *memguard.LockedBuffer instead of []byte
- Updated all callers throughout the codebase to handle LockedBuffer
- This ensures decrypted data is protected in memory immediately after decryption
- Fixed all usages in vault, secret, version, and unlocker implementations
- Removed duplicate buffer creation and unnecessary memory clearing
2025-07-15 09:04:34 +02:00
parent 8ec3fc877d
commit 63cc06b93c
8 changed files with 37 additions and 47 deletions


@@ -54,7 +54,7 @@ func EncryptToRecipient(data *memguard.LockedBuffer, recipient age.Recipient) ([
}
// DecryptWithIdentity decrypts data with an identity using age
func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBuffer, error) {
r, err := age.Decrypt(bytes.NewReader(data), identity)
if err != nil {
return nil, fmt.Errorf("failed to create decryptor: %w", err)
@@ -65,7 +65,10 @@ func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
return nil, fmt.Errorf("failed to read decrypted data: %w", err)
}
return result, nil
// Create a secure buffer for the decrypted data
resultBuffer := memguard.NewBufferFromBytes(result)
return resultBuffer, nil
}
// EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
@@ -90,7 +93,7 @@ func EncryptWithPassphrase(data *memguard.LockedBuffer, passphrase *memguard.Loc
// DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
// The passphrase parameter should be a LockedBuffer for secure memory handling
func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) (*memguard.LockedBuffer, error) {
if passphrase == nil {
return nil, fmt.Errorf("passphrase buffer is nil")
}