uses protected memory buffers now for all secrets in ram

2025-07-15 08:32:33 +02:00
parent d3ca006886
commit 7596049828
22 changed files with 786 additions and 133 deletions
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@@ -346,10 +346,7 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*se

 	// Encrypt private key with passphrase
 	privKeyStr := unlockerIdentity.String()
-	privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
-	defer privKeyBuffer.Destroy()
-
-	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer.Bytes(), passphrase)
+	encryptedPrivKey, err := secret.EncryptWithPassphrase([]byte(privKeyStr), passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
 	}
@@ -385,8 +382,10 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*se
 		return nil, fmt.Errorf("failed to get long-term key: %w", err)
 	}

-	ltPrivKey := []byte(ltIdentity.String())
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKey, unlockerIdentity.Recipient())
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
+	defer ltPrivKeyBuffer.Destroy()
+
+	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerIdentity.Recipient())
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt long-term private key: %w", err)
 	}