uses protected memory buffers now for all secrets in ram

internal/cli/init.go

@@ -166,8 +166,11 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 	}
 
 	// Encrypt long-term private key to unlocker
-	ltPrivKeyData := []byte(ltIdentity.String())
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockerRecipient)
+	// Use memguard to protect the private key in memory
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
+	defer ltPrivKeyBuffer.Destroy()
+
+	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}