uses protected memory buffers now for all secrets in ram

internal/secret/passphraseunlocker.go

@@ -36,7 +36,7 @@ func (p *PassphraseUnlocker) getPassphrase() (*memguard.LockedBuffer, error) {
 		Debug("Using passphrase from environment", "unlocker_id", p.GetID())
 		// Convert to secure buffer
 		secureBuffer := memguard.NewBufferFromBytes([]byte(passphraseStr))
-		
+
 		return secureBuffer, nil
 	}
 
@@ -45,7 +45,7 @@ func (p *PassphraseUnlocker) getPassphrase() (*memguard.LockedBuffer, error) {
 	secureBuffer, err := ReadPassphrase("Enter unlock passphrase: ")
 	if err != nil {
 		Debug("Failed to read passphrase", "error", err, "unlocker_id", p.GetID())
-		
+
 		return nil, fmt.Errorf("failed to read passphrase: %w", err)
 	}
 
@@ -173,7 +173,11 @@ func NewPassphraseUnlocker(fs afero.Fs, directory string, metadata UnlockerMetad
 
 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
 // The passphrase must be provided as a LockedBuffer for security
-func CreatePassphraseUnlocker(fs afero.Fs, stateDir string, passphrase *memguard.LockedBuffer) (*PassphraseUnlocker, error) {
+func CreatePassphraseUnlocker(
+	fs afero.Fs,
+	stateDir string,
+	passphrase *memguard.LockedBuffer,
+) (*PassphraseUnlocker, error) {
 	// Get current vault
 	currentVault, err := GetCurrentVault(fs, stateDir)
 	if err != nil {