Secure credential storage and redaction. Opaque, zeroize-on-drop credential bytes.

Replaces the previous `Arc<str>` credential field with a type that:

- Zeroes its bytes on drop (`zeroize` crate). Heap pages that keyhog freed while a scan was in flight no longer leak credentials to the next allocation, to swap, or to a post-mortem core dump.
- Refuses `Debug`/`Display` printing: every leak path through `{:?}` or `{}` produces `<redacted N bytes>` instead of the bytes themselves. To get the bytes you must call `expose_secret()` explicitly, so grepping the codebase for `expose_secret` audits every credential touch site.
- Is `Clone` and serializable via `serde` (`Serialize` emits the `expose_secret()` bytes; `Deserialize` decodes them back into a fresh `Credential`). The serialization channel is the caller's responsibility: find emitters that go to disk or JSON and either redact them or wrap the entire output in an EnvSeal seal. Zeroization covers only the wrapped allocation, so a buffer a serializer writes the bytes into is the caller's to scrub.

When EnvSeal embeds keyhog, this type is the only place credential bytes ever appear in process memory; an mlock + memfd backing can be added behind the `lockdown` feature gate without touching call sites.
Structs

- `Credential`: Opaque credential bytes. Clones of the inner `Arc<Zeroizing<Box<[u8]>>>` are cheap (a refcount bump), and the bytes are zeroized when the last owning `Credential` drops. `Arc` lets the engine intern identical credentials without copying; when the last ref drops, `Zeroizing<Box<[u8]>>` overwrites the heap allocation before `Box::drop` returns it to the allocator.
- `SensitiveString`: A heap-allocated string that is zeroized on drop.
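The following is an added, stand-alone illustration of the `Credential` design described in the module description and the `Credential` struct entry above; it is not keyhog's own code. To run without external crates it replaces the `zeroize` crate with a small volatile-write `zeroize_slice` helper (an assumption standing in for `Zeroizing<Box<[u8]>>`) and omits the `serde` impls. The `Finding` struct, `render_finding` and `handles` are hypothetical names introduced here to show that a derived `Debug` on a container, the usual log-line leak path, inherits the redaction, and that `Arc` clones share one allocation.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};
use std::sync::Arc;

/// Overwrite `buf` with zeros using volatile stores so the optimizer cannot
/// discard the writes as dead stores on a buffer that is about to be freed.
/// Stand-in for the `zeroize` crate (assumption: same semantics, no dependency).
pub fn zeroize_slice(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed `u8`.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Stand-in for `Zeroizing<Box<[u8]>>`: wipes the heap allocation before
/// `Box` hands it back to the allocator.
struct ZeroizingBytes {
    buf: Box<[u8]>,
}

impl Drop for ZeroizingBytes {
    fn drop(&mut self) {
        zeroize_slice(&mut self.buf);
    }
}

/// Opaque credential bytes. `Arc` makes `clone()` a refcount bump; the bytes
/// are wiped once the last owning handle drops.
#[derive(Clone)]
pub struct Credential(Arc<ZeroizingBytes>);

impl Credential {
    pub fn new(bytes: &[u8]) -> Self {
        Credential(Arc::new(ZeroizingBytes { buf: bytes.into() }))
    }

    /// The only way to read the bytes; `grep -rn expose_secret` lists every
    /// site that touches credential material.
    pub fn expose_secret(&self) -> &[u8] {
        &self.0.buf
    }

    pub fn len(&self) -> usize {
        self.0.buf.len()
    }

    /// Live `Credential` handles sharing this allocation (hypothetical helper).
    pub fn handles(&self) -> usize {
        Arc::strong_count(&self.0)
    }
}

/// `{:?}` and `{}` both render the redaction marker, never the bytes.
impl fmt::Debug for Credential {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "<redacted {} bytes>", self.len())
    }
}

impl fmt::Display for Credential {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Debug::fmt(self, f)
    }
}

/// Hypothetical scan result wrapping a credential. Its derived `Debug`
/// delegates to `Credential`'s, so the redaction propagates outward.
#[derive(Debug, Clone)]
pub struct Finding {
    pub path: String,
    pub line: u32,
    pub credential: Credential,
}

/// Render a finding the way a log line or error message would.
pub fn render_finding(f: &Finding) -> String {
    format!("{f:?}")
}

fn main() {
    // Constructed sample token, not a real credential.
    let cred = Credential::new(b"example-token-0123456789");
    let finding = Finding { path: "config.yml".into(), line: 7, credential: cred.clone() };
    println!("{}", render_finding(&finding)); // credential shows as <redacted 24 bytes>
    println!("handles before drop: {}", cred.handles());
    drop(finding);
    println!("handles after drop: {}", cred.handles());
    // Deliberate, greppable touch site:
    println!("secret length via expose_secret(): {}", cred.expose_secret().len());
}
```

Under the real `serde` impls, `Serialize` would write exactly what `expose_secret()` returns, so a `serde_json::to_string(&finding)` is a leak path even though `{:?}` is not; that is the "serialization channel" the module description leaves to the caller.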