Fix EncryptWithPassphrase to accept LockedBuffer for data parameter

- Changed EncryptWithPassphrase to accept *memguard.LockedBuffer instead of []byte
- Updated all callers to pass LockedBuffer:
  - CreatePassphraseUnlocker in vault/unlockers.go
  - Keychain unlocker in keychainunlocker.go
  - Tests in passphrase_test.go
- Removed intermediate dataBuffer creation since data is now already protected
- This keeps the data parameter in locked, wipeable memory for the duration of the encryption call
2025-07-15 08:42:46 +02:00
parent e82d428b05
commit eef2332823
5 changed files with 13 additions and 12 deletions


@@ -346,7 +346,9 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*se
// Encrypt private key with passphrase
privKeyStr := unlockerIdentity.String()
encryptedPrivKey, err := secret.EncryptWithPassphrase([]byte(privKeyStr), passphrase)
privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
defer privKeyBuffer.Destroy()
encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphrase)
if err != nil {
return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
}
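Review bot: The private key still exists as an ordinary Go string at `privKeyStr := unlockerIdentity.String()` before the new `memguard.NewBufferFromBytes([]byte(privKeyStr))` line copies it into locked memory, so the key sits on the GC heap, unwipeable, for the lifetime of that string regardless of the LockedBuffer; memguard's NewBufferFromBytes wipes the slice it is handed (per its documentation), but a `string` cannot be zeroed. The new call site therefore does not yet deliver the "protected throughout encryption" property the commit message claims; the weak spot is the String() round-trip, not the encryption call. If the identity type can emit its key material as a `[]byte` (or write it straight into a pre-allocated LockedBuffer), use that instead of String(); until then, document the gap at the buffer line, e.g. `// NOTE: privKeyStr is an ordinary Go string and cannot be wiped; the key is only protected once copied into privKeyBuffer.` CreatePassphraseUnlocker begins before this hunk and continues after it, so I cannot see whether privKeyStr is referenced again later.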