uses protected memory buffers now for all secrets in ram

2025-07-15 08:32:33 +02:00
parent d3ca006886
commit 7596049828
22 changed files with 786 additions and 133 deletions
--- a/internal/cli/generate.go
+++ b/internal/cli/generate.go
@@ -7,6 +7,7 @@ import (
 	"os"

 	"git.eeqj.de/sneak/secret/internal/vault"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -136,7 +137,11 @@ func (cli *Instance) GenerateSecret(
 		return err
 	}

-	if err := vlt.AddSecret(secretName, []byte(secretValue), force); err != nil {
+	// Protect the generated secret immediately
+	secretBuffer := memguard.NewBufferFromBytes([]byte(secretValue))
+	defer secretBuffer.Destroy()
+
+	if err := vlt.AddSecret(secretName, secretBuffer, force); err != nil {
 		return err
 	}