uses protected memory buffers now for all secrets in ram

2025-07-15 08:32:33 +02:00
parent d3ca006886
commit 7596049828
22 changed files with 786 additions and 133 deletions
--- a/internal/cli/crypto.go
+++ b/internal/cli/crypto.go
@@ -82,13 +82,15 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
 			return fmt.Errorf("failed to generate age key: %w", err)
 		}

-		ageSecretKey = identity.String()
-
-		// Store the generated key as a secret using secure buffer
-		secureBuffer := memguard.NewBufferFromBytes([]byte(ageSecretKey))
+		// Store the generated key directly in a secure buffer
+		identityStr := identity.String()
+		secureBuffer := memguard.NewBufferFromBytes([]byte(identityStr))
 		defer secureBuffer.Destroy()

-		err = vlt.AddSecret(secretName, secureBuffer.Bytes(), false)
+		// Set ageSecretKey for later use (we need it for encryption)
+		ageSecretKey = identityStr
+
+		err = vlt.AddSecret(secretName, secureBuffer, false)
 		if err != nil {
 			return fmt.Errorf("failed to store age key: %w", err)
 		}