internal/secret/crypto.go

@@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 
+	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
+	for i := range result {
+		result[i] = 0
+	}
+
 	return resultBuffer, nil
 }