Fix EncryptWithPassphrase to accept LockedBuffer for data parameter

- Changed EncryptWithPassphrase to accept *memguard.LockedBuffer instead of []byte
- Updated all callers to pass LockedBuffer:
  - CreatePassphraseUnlocker in vault/unlockers.go
  - Keychain unlocker in keychainunlocker.go
  - Tests in passphrase_test.go
- Removed intermediate dataBuffer creation since data is now already protected
- This ensures sensitive data is protected in memory throughout encryption
2025-07-15 08:42:46 +02:00
parent e82d428b05
commit eef2332823
5 changed files with 13 additions and 12 deletions


@@ -69,8 +69,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
}
// EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
// The passphrase parameter should be a LockedBuffer for secure memory handling
func EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
// Both data and passphrase parameters should be LockedBuffers for secure memory handling
func EncryptWithPassphrase(data *memguard.LockedBuffer, passphrase *memguard.LockedBuffer) ([]byte, error) {
if data == nil {
return nil, fmt.Errorf("data buffer is nil")
}
if passphrase == nil {
return nil, fmt.Errorf("passphrase buffer is nil")
}
@@ -82,11 +85,7 @@ func EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer) ([]by
return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
}
// Create a secure buffer for the data
dataBuffer := memguard.NewBufferFromBytes(data)
defer dataBuffer.Destroy()
return EncryptToRecipient(dataBuffer, recipient)
return EncryptToRecipient(data, recipient)
}
// DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
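Review bot: The new signature hands ownership of the plaintext buffer to the caller, but the rewritten comment above `EncryptWithPassphrase` does not say whether the function destroys `data`; the removed `defer dataBuffer.Destroy()` was what guaranteed the plaintext copy got wiped, and that guarantee now rests with the unlockers named in the description. I would extend the doc comment with `// The caller retains ownership of data and passphrase; this function does not destroy either buffer.` so every caller knows it must Destroy after the call returns. The added `data == nil` check does not catch a buffer that has already been destroyed, which presumably makes memguard hand back an empty slice rather than fail — worth confirming against EncryptToRecipient (outside the hunk) and rejecting explicitly if so, e.g. `if data == nil || !data.IsAlive() { return nil, errors.New("data buffer is nil or destroyed") }`. As a style point, `fmt.Errorf` with a constant message and no verbs should be `errors.New`. The middle of the function body (scrypt recipient creation) lies between the two hunks and is not shown here.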