Fix DecryptWithIdentity to return LockedBuffer

- Changed DecryptWithIdentity to return *memguard.LockedBuffer instead of []byte - Updated all callers throughout the codebase to handle LockedBuffer - This ensures decrypted data is protected in memory immediately after decryption - Fixed all usages in vault, secret, version, and unlocker implementations - Removed duplicate buffer creation and unnecessary memory clearing
2025-07-15 09:04:34 +02:00
parent 8ec3fc877d
commit 63cc06b93c
8 changed files with 37 additions and 47 deletions
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -259,13 +259,14 @@ func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age
 	}

 	// Decrypt version private key using long-term key
-	versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
+	defer versionPrivKeyBuffer.Destroy()

 	// Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -157,22 +157,23 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {

 	// Decrypt long-term private key using unlocker
 	secret.Debug("Decrypting long-term private key with unlocker", "unlocker_type", unlocker.GetType())
-	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
+	ltPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlocker_type", unlocker.GetType())

 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
+	defer ltPrivKeyBuffer.Destroy()

 	secret.DebugWith("Successfully decrypted long-term private key",
 		slog.String("vault_name", v.Name),
 		slog.String("unlocker_type", unlocker.GetType()),
-		slog.Int("decrypted_length", len(ltPrivKeyData)),
+		slog.Int("decrypted_length", ltPrivKeyBuffer.Size()),
 	)

 	// Parse long-term private key
 	secret.Debug("Parsing long-term private key", "vault_name", v.Name)
-	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
+	ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
 	if err != nil {
 		secret.Debug("Failed to parse long-term private key", "error", err, "vault_name", v.Name)