1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
//! Memory security utilities.
//!
//! This module provides functions for securely erasing sensitive data from memory,
//! ensuring that secrets are not left behind after use. It wraps the [`zeroize`]
//! crate to guarantee that overwrites are not optimized away by the compiler.
use Zeroize;
/// Overwrites a byte buffer with zeros, preventing sensitive data from lingering
/// in memory.
///
/// This is a thin wrapper around the [`Zeroize`] trait from the `zeroize` crate.
/// It guarantees that the memory will be cleared even if the compiler would
/// otherwise optimize away a simple assignment (e.g., a `memset` call that appears
/// dead).
///
/// # Why is this important?
///
/// When secret keys, passwords, or other sensitive data are no longer needed, they
/// should be explicitly erased from memory. Otherwise, they might remain in
/// freed memory pages, swap space, or core dumps, where they could be recovered
/// by an attacker.
///
/// # Example
///
/// ```rust
/// use age_setup::security::wipe_memory;
///
/// let mut secret = vec![0x41, 0x42, 0x43]; // "ABC"
/// wipe_memory(&mut secret);
/// assert_eq!(secret, vec![0, 0, 0]);
/// ```
///
/// # How it works
///
/// The `zeroize` crate implements the [`Zeroize`] trait for `u8` slices. When
/// called, it writes zeros to every element, using a volatile write to prevent
/// the compiler from optimizing the operation away. After this function returns,
/// the original data is irreversibly gone from that mutable slice.
///
/// # Safety
///
/// This function is memory‑safe. It operates on a mutable reference and does not
/// read or write beyond the bounds of the slice. It never panics.