Skip to main content

SecureProcess

hardware_enclave::exec

Struct SecureProcess

pub struct SecureProcess { /* private fields */ }

Expand description

Launch a child process with hardware-backed secrets injected.

The run() method provides full security guarantees:

Secret env var values are mlocked before spawn and zeroized after the child exits.
The spawned child inherits RLIMIT_CORE=0 on Unix (preventing core dumps of the secret-laden environment).

The exec() method provides weaker guarantees:

Secrets are NOT mlocked (they are passed via Command::env without locking).
Secrets are NOT zeroized (the current process is replaced; no cleanup runs).
Prefer run() for Type 2 secret delivery. Use exec() only when you need to replace the current process image and accept the weaker guarantees.

Implementations§

impl SecureProcess

pub fn new(program: impl Into<PathBuf>) -> Self

pub fn arg(self, a: impl Into<OsString>) -> Self

pub fn args(self, args: impl IntoIterator<Item = impl Into<OsString>>) -> Self

pub fn secret_env( self, key: impl Into<String>, value: impl Into<String>, ) -> Self

Inject a secret value as an environment variable (Type 2 delivery). The value is mlocked and zeroized after the child exits.

pub fn env(self, key: impl Into<String>, value: impl Into<String>) -> Self

Add a non-secret environment variable (e.g. a config file path).

pub fn env_remove(self, key: impl Into<String>) -> Self

Remove an environment variable from the child’s environment.

pub fn scrub(self, pattern: impl Into<String>) -> Self

Scrub inherited env vars matching this pattern before spawning. Accepts exact names or prefix patterns ending in *.

pub fn run(self) -> Result<ExitStatus>

Spawn the child and wait for it to exit. Zeroizes secret env vars after child returns.

pub fn exec(self) -> Result<Infallible>

Replace the current process image via execve() (Unix). On Windows, falls back to run() since CreateProcess cannot replace the calling image.

WARNING: secret env var zeroization is NOT possible after exec() because the current process no longer exists. Use run() when zeroization matters.

Trait Implementations§

impl Debug for SecureProcess

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

impl Freeze for SecureProcess

impl RefUnwindSafe for SecureProcess

impl Send for SecureProcess

impl Sync for SecureProcess

impl Unpin for SecureProcess

impl UnsafeUnpin for SecureProcess

impl UnwindSafe for SecureProcess

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more