WIP: refactor to use memguard for secure memory handling

- Add memguard dependency - Update ReadPassphrase to return LockedBuffer - Update EncryptWithPassphrase/DecryptWithPassphrase to accept LockedBuffer - Remove string wrapper functions - Update all callers to create LockedBuffers at entry points - Update interfaces and mock implementations
2025-07-15 07:22:41 +02:00
parent f9938135c6
commit c9774e89e0
18 changed files with 194 additions and 65 deletions
--- a/internal/vault/unlockers.go
+++ b/internal/vault/unlockers.go
@@ -10,6 +10,7 @@ import (

 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )

@@ -316,7 +317,8 @@ func (v *Vault) SelectUnlocker(unlockerID string) error {
 }

 // CreatePassphraseUnlocker creates a new passphrase-protected unlocker
-func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseUnlocker, error) {
+// The passphrase must be provided as a LockedBuffer for security
+func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*secret.PassphraseUnlocker, error) {
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vault directory: %w", err)
@@ -343,8 +345,11 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase string) (*secret.PassphraseU
 	}

 	// Encrypt private key with passphrase
-	privKeyData := []byte(unlockerIdentity.String())
-	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, passphrase)
+	privKeyStr := unlockerIdentity.String()
+	privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
+	defer privKeyBuffer.Destroy()
+
+	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer.Bytes(), passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
 	}
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -6,6 +6,7 @@ import (

 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )

@@ -172,7 +173,9 @@ func TestVaultOperations(t *testing.T) {
 		}

 		// Create a passphrase unlocker
-		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker("test-passphrase")
+		passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
+		defer passphraseBuffer.Destroy()
+		passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to create passphrase unlocker: %v", err)
 		}