Fix DecryptWithIdentity to return LockedBuffer

- Changed DecryptWithIdentity to return *memguard.LockedBuffer instead of []byte
- Updated all callers throughout the codebase to handle LockedBuffer
- This ensures decrypted data is protected in memory immediately after decryption
- Fixed all usages in vault, secret, version, and unlocker implementations
- Removed duplicate buffer creation and unnecessary memory clearing

internal/secret/passphraseunlocker.go

@@ -84,30 +84,22 @@ func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	Debug("Decrypting unlocker private key with passphrase", "unlocker_id", p.GetID())
 
 	// Decrypt the unlocker private key with passphrase
-	privKeyData, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
+	privKeyBuffer, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt unlocker private key", "error", err, "unlocker_id", p.GetID())
 
 		return nil, fmt.Errorf("failed to decrypt unlocker private key: %w", err)
 	}
+	defer privKeyBuffer.Destroy()
 
 	DebugWith("Successfully decrypted unlocker private key",
 		slog.String("unlocker_id", p.GetID()),
-		slog.Int("decrypted_length", len(privKeyData)),
+		slog.Int("decrypted_length", privKeyBuffer.Size()),
 	)
 
 	// Parse the decrypted private key
 	Debug("Parsing decrypted unlocker identity", "unlocker_id", p.GetID())
 
-	// Create a secure buffer for the private key data
-	privKeyBuffer := memguard.NewBufferFromBytes(privKeyData)
-	defer privKeyBuffer.Destroy()
-
-	// Clear the original private key data
-	for i := range privKeyData {
-		privKeyData[i] = 0
-	}
-
 	identity, err := age.ParseX25519Identity(privKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse unlocker private key", "error", err, "unlocker_id", p.GetID())