WIP: refactor to use memguard for secure memory handling

- Add memguard dependency
- Update ReadPassphrase to return LockedBuffer
- Update EncryptWithPassphrase/DecryptWithPassphrase to accept LockedBuffer
- Remove string wrapper functions
- Update all callers to create LockedBuffers at entry points
- Update interfaces and mock implementations
2025-07-15 07:22:41 +02:00
parent f9938135c6
commit c9774e89e0
18 changed files with 194 additions and 65 deletions


@@ -8,6 +8,7 @@ import (
"filippo.io/age"
"git.eeqj.de/sneak/secret/internal/secret"
"git.eeqj.de/sneak/secret/internal/vault"
"github.com/awnumar/memguard"
"github.com/spf13/cobra"
)
@@ -83,8 +84,11 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
ageSecretKey = identity.String()
// Store the generated key as a secret
err = vlt.AddSecret(secretName, []byte(ageSecretKey), false)
// Store the generated key as a secret using secure buffer
secureBuffer := memguard.NewBufferFromBytes([]byte(ageSecretKey))
defer secureBuffer.Destroy()
err = vlt.AddSecret(secretName, secureBuffer.Bytes(), false)
if err != nil {
return fmt.Errorf("failed to store age key: %w", err)
}
@@ -95,7 +99,16 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
return fmt.Errorf("failed to get secret value: %w", err)
}
ageSecretKey = string(secretValue)
// Create secure buffer for the secret value
secureBuffer := memguard.NewBufferFromBytes(secretValue)
defer secureBuffer.Destroy()
// Clear the original secret value
for i := range secretValue {
secretValue[i] = 0
}
ageSecretKey = secureBuffer.String()
// Validate that it's a valid age secret key
if !isValidAgeSecretKey(ageSecretKey) {
@@ -103,8 +116,11 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
}
}
// Parse the secret key
identity, err := age.ParseX25519Identity(ageSecretKey)
// Parse the secret key using secure buffer
finalSecureBuffer := memguard.NewBufferFromBytes([]byte(ageSecretKey))
defer finalSecureBuffer.Destroy()
identity, err := age.ParseX25519Identity(finalSecureBuffer.String())
if err != nil {
return fmt.Errorf("failed to parse age secret key: %w", err)
}
@@ -185,15 +201,22 @@ func (cli *Instance) Decrypt(secretName, inputFile, outputFile string) error {
return fmt.Errorf("failed to get secret value: %w", err)
}
ageSecretKey := string(secretValue)
// Create secure buffer for the secret value
secureBuffer := memguard.NewBufferFromBytes(secretValue)
defer secureBuffer.Destroy()
// Clear the original secret value
for i := range secretValue {
secretValue[i] = 0
}
// Validate that it's a valid age secret key
if !isValidAgeSecretKey(ageSecretKey) {
if !isValidAgeSecretKey(secureBuffer.String()) {
return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
}
// Parse the age secret key to get the identity
identity, err := age.ParseX25519Identity(ageSecretKey)
identity, err := age.ParseX25519Identity(secureBuffer.String())
if err != nil {
return fmt.Errorf("failed to parse age secret key: %w", err)
}
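Review bot: `identity, err := age.ParseX25519Identity(secureBuffer.String())` hands the key to age as a Go string, and the returned identity (plus whatever decoding age does internally) lives in ordinary GC heap that memguard neither locks nor wipes, so the LockedBuffer only narrows the window for one transient copy; the same applies in Encrypt, where `[]byte(ageSecretKey)` makes a fresh unprotected copy and the `identity.String()` result is never cleared. That may be acceptable for a WIP, but comments like `// Create secure buffer for the secret value` overstate it — suggest `// NOTE: memguard protects only this copy; age.ParseX25519Identity and the identity it returns hold the key in normal heap memory`. Separately, `err = vlt.AddSecret(secretName, secureBuffer.Bytes(), false)` passes a slice aliasing locked memory that `defer secureBuffer.Destroy()` wipes on return, so AddSecret must copy rather than retain it — worth confirming, since AddSecret is outside this diff. The manual zeroing loops over `secretValue` look redundant if memguard's NewBufferFromBytes wipes its source as documented; harmless, but a one-line comment saying it is deliberate belt-and-braces would stop the next reader from deleting either one. Both Encrypt and Decrypt continue outside the hunks.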