Fix DecryptWithIdentity to return LockedBuffer

- Changed DecryptWithIdentity to return *memguard.LockedBuffer instead of []byte
- Updated all callers throughout the codebase to handle LockedBuffer
- This ensures decrypted data is protected in memory immediately after decryption
- Fixed all usages in vault, secret, version, and unlocker implementations
- Removed duplicate buffer creation and unnecessary memory clearing
2025-07-15 09:04:34 +02:00
parent 8ec3fc877d
commit 63cc06b93c
8 changed files with 37 additions and 47 deletions


@@ -259,13 +259,14 @@ func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age
}
// Decrypt version private key using long-term key
versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
versionPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
if err != nil {
return fmt.Errorf("failed to decrypt version private key: %w", err)
}
defer versionPrivKeyBuffer.Destroy()
// Parse version private key
versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
if err != nil {
return fmt.Errorf("failed to parse version private key: %w", err)
}