track go/issues/21865: package to wipe/zero secrets.

[komuw]

At this place;

ong/enc/enc.go

Line 91 in 2c4db06

we should zero(from memory) the derivedKey

func zero(key []byte) {
	if key == nil {
		return
	}

	for i := 0; i < len(key)+1; i++ {
		key[i] ^= key[i]
	}
}

or

// from: https://github.com/WireGuard/wireguard-go/blob/b51010ba13f0a3e59808fbdb1566cd2c6b834b95/device/noise-helpers.go#L72-L77
/* This function is not used as pervasively as it should because this is mostly impossible in Go at the moment */
func setZero(arr []byte) {
	for i := range arr {
		arr[i] = 0
	}
}

Note that golang/go#21865 has been accepted with the API at golang/go#21865 (comment), we should use that API when it becomes available.

[komuw]

check what cryptographers recommend.

[komuw]

see: golang/go#21865

[komuw]

also: https://github.com/awnumar/memguard

[komuw]

see this implementation; https://github.com/rfjakob/gocryptfs/blob/5ad9bda206e476fea866907e2f0545257f74e1f0/internal/cryptocore/cryptocore.go#L152-L173 and its use; https://github.com/rfjakob/gocryptfs/blob/5ad9bda206e476fea866907e2f0545257f74e1f0/mount.go#L131
and also its related issue: rfjakob/gocryptfs#211

[komuw]

you can zero on GC right now with a finalizer:

type Secret struct {
    key [16]byte
}

s := &Secret{key: ...}
runtime.SetFinalizer(s, func(s *Secret) { s.key = [16]byte{} })

runtime.GC()

from golang/go#21865 (comment)

[komuw]

Maybe we should not even do this at all. It sounds like security theatre without the security.
See:

• runtime/secret: add new package golang/go#21865 (comment)
• https://twitter.com/FiloSottile/status/1122598383607341057
• add basically the whole thread in runtime/secret: add new package golang/go#21865

[komuw]

#127 was too much work and we don't know if it is even working.
We'll instead wait for golang/go#21865

This ticket now tracks that one.