uses protected memory buffers now for all secrets in ram

internal/secret/crypto.go

@@ -13,8 +13,13 @@ import (
 )
 
 // EncryptToRecipient encrypts data to a recipient using age
-func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
-	Debug("EncryptToRecipient starting", "data_length", len(data))
+// The data parameter should be a LockedBuffer for secure memory handling
+func EncryptToRecipient(data *memguard.LockedBuffer, recipient age.Recipient) ([]byte, error) {
+	if data == nil {
+		return nil, fmt.Errorf("data buffer is nil")
+	}
+
+	Debug("EncryptToRecipient starting", "data_length", data.Size())
 
 	var buf bytes.Buffer
 	Debug("Creating age encryptor")
@@ -27,7 +32,7 @@ func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
 	Debug("Created age encryptor successfully")
 
 	Debug("Writing data to encryptor")
-	if _, err := w.Write(data); err != nil {
+	if _, err := w.Write(data.Bytes()); err != nil {
 		Debug("Failed to write data to encryptor", "error", err)
 
 		return nil, fmt.Errorf("failed to write data: %w", err)
@@ -77,7 +82,11 @@ func EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer) ([]by
 		return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
 
-	return EncryptToRecipient(data, recipient)
+	// Create a secure buffer for the data
+	dataBuffer := memguard.NewBufferFromBytes(data)
+	defer dataBuffer.Destroy()
+
+	return EncryptToRecipient(dataBuffer, recipient)
 }
 
 // DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
@@ -138,4 +147,3 @@ func ReadPassphrase(prompt string) (*memguard.LockedBuffer, error) {
 
 	return secureBuffer, nil
 }
-