Merge pull request 'Zero plaintext after copying to memguard in DecryptWithIdentity (closes #5 )' (#10 ) from clawbot/secret:fix/issue-5 into main

Reviewed-on: #10
security: zero plaintext after copying to memguard in DecryptWithIdentity
2026-02-09 02:18:06 +01:00 · 2026-02-08 12:04:38 -08:00
1 changed files with 5 additions and 0 deletions
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
 	for i := range result {
 		result[i] = 0
 	}
 	return resultBuffer, nil
 }
Author	SHA1	Message	Date
Jeffrey Paul	6ffb24b544	Merge pull request 'Zero plaintext after copying to memguard in DecryptWithIdentity (closes #5 )' (#10 ) from clawbot/secret:fix/issue-5 into main Reviewed-on: #10	2026-02-09 02:18:06 +01:00
clawbot	fd77a047f9	security: zero plaintext after copying to memguard in DecryptWithIdentity The decrypted data from io.ReadAll was copied into a memguard LockedBuffer but the original byte slice was never zeroed, leaving plaintext in swappable, dumpable heap memory.	2026-02-08 12:04:38 -08:00