Expand description
Secure memory utilities for key material.
Wraps libc::mlock/munlock to prevent key bytes from being swapped
to disk. mlock is best-effort: if the OS refuses (e.g. RLIMIT_MEMLOCK
exceeded on some container configurations), a warning is logged and
startup continues. Failing to mlock does not expose the key — it only
means the key could be paged out under extreme memory pressure.
On platforms where mlock is not available (e.g. some WASM targets) the calls are no-ops.
Structs§
- Secure
Key - A 32-byte key held in memory, mlocked against swap.
Functions§
- mlock_
key_ bytes - Public convenience wrapper for mlocking raw key bytes from
crypto.rs.