Crate sanitization

Dependency-free secret memory sanitization for no_std Rust.

The primary type is SecretBytes, a fixed-size clear-on-drop container designed for secrets that are controlled from creation through destruction.

Clearing routes through a small internal volatile-write backend. That backend uses one isolated unsafe boundary so the optimizer cannot remove secret clearing as a dead store.

Important limits:

  • Safe Rust cannot soundly scrub old stack frames created by prior moves.
  • Process abort prevents destructors and post-closure cleanup from running.
  • SIMD stores, broad memory policy, and target-specific hardening need target-specific unsafe code and platform policy.
  • Platform memory locking is available only through the explicit memory-lock feature on supported Linux, Android, macOS, iOS, Windows, and BSD targets. On WASM, the same feature exposes a volatile-only compatibility backend without host memory locking. The same feature also enables pooled slots with SecretPool on supported targets.
  • Locked, pooled, and guarded canary integrity checks are available only through the explicit canary-check feature on supported targets.
  • OS-CSPRNG canary generation is available only through the explicit random-canary feature.
  • x86_64 assembly-backed comparison is available only through the explicit asm-compare feature.
  • x86_64 cache-line eviction is available only through the explicit cache-flush feature.
  • Proc-macro derives are available only through the explicit derive feature. The default build remains dependency-free.
  • Fixed-size lifetime enforcement is available only through the std feature and ExpiringSecretBytes.
  • Guard-page allocation is available only through the explicit guard-pages feature on supported Linux, Android, macOS, iOS, Windows, and BSD targets.
  • WASM has no kernel page table, mlock, mprotect, or native volatile semantics. Base secret containers compile on WASM, and memory-lock exposes a documented volatile-only compatibility backend on WASM, but it does not pin memory or exclude host dumps there. guard-pages is rejected at compile time on WASM.
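The clear-on-drop mechanism described above, as an added example that is not the crate's own code: a buffer is overwritten with `core::ptr::write_volatile` (the optimizer may not treat a volatile store as a dead store) followed by a `compiler_fence`, and a fixed-size container runs that wipe from `Drop`. The type and function names (`wipe_volatile`, `FixedSecret`, `WrongLength`) are this example's own, not the crate's `SecretBytes`, `sanitize_bytes` or `LengthError`. It demonstrates only the clearing of the buffer in its final location; it does nothing about copies left in stack frames by earlier moves, which is the first limit listed above.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Overwrite `buf` with zeros using volatile stores, then fence so the
/// writes cannot be reordered past a later deallocation or reuse of the
/// memory. A plain `buf.fill(0)` right before the buffer dies is exactly
/// the kind of store an optimizer is allowed to drop.
pub fn wipe_volatile(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, exclusively borrowed `u8` for the
        // duration of this write.
        unsafe { ptr::write_volatile(byte, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Error for a caller-supplied slice whose length does not match `N`
/// (hypothetical name; the crate's own is `LengthError`).
#[derive(Debug, PartialEq, Eq)]
pub struct WrongLength {
    pub expected: usize,
    pub actual: usize,
}

/// Fixed-size secret bytes cleared on drop (hypothetical stand-in for
/// the crate's `SecretBytes`).
pub struct FixedSecret<const N: usize> {
    bytes: [u8; N],
}

impl<const N: usize> FixedSecret<N> {
    pub fn new(bytes: [u8; N]) -> Self {
        Self { bytes }
    }

    /// Copy from a slice, rejecting mismatched lengths instead of
    /// silently truncating or padding secret material.
    pub fn from_slice(src: &[u8]) -> Result<Self, WrongLength> {
        if src.len() != N {
            return Err(WrongLength { expected: N, actual: src.len() });
        }
        let mut bytes = [0u8; N];
        bytes.copy_from_slice(src);
        Ok(Self { bytes })
    }

    /// Borrow the secret for use; callers should keep the borrow short.
    pub fn expose(&self) -> &[u8; N] {
        &self.bytes
    }

    /// Explicit early clear, for code paths that finish with the secret
    /// long before the container goes out of scope.
    pub fn wipe(&mut self) {
        wipe_volatile(&mut self.bytes);
    }
}

impl<const N: usize> Drop for FixedSecret<N> {
    fn drop(&mut self) {
        // Runs on the container's final location only; frames holding
        // earlier moved-from copies are not touched.
        wipe_volatile(&mut self.bytes);
    }
}
```

Note that `wipe_volatile` is the single `unsafe` boundary here, mirroring the crate's description of one isolated volatile-write backend; everything above it is safe Rust that delegates to it. A process abort still skips `Drop`, so the explicit `wipe` is the tool for paths that may end abruptly.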

Modules

cache_flush
unsafe_wipe
Explicit volatile-write backend for ordinary mutable buffers.

Macros

secure_drop_struct
Declare a struct and generate SecureSanitize plus Drop.
secure_sanitize_struct
Declare a struct and generate SecureSanitize for all fields.

Structs

AlreadyConsumedError
Error returned after a ReadOnceSecret has already been consumed.
CanaryCorruptedError
Error returned when a checked locked secret detects canary corruption.
ExpiringSecretBytes
Fixed-size secret bytes with std lifetime enforcement.
GuardPageError
Error returned by guarded secret allocation operations.
GuardedSecretVec
Dynamic secret bytes stored between inaccessible platform guard pages.
LengthError
Error returned when a caller provides a buffer with the wrong length.
LockedSecretBytes
Fixed-size secret bytes stored in a private locked platform mapping.
MemoryLockError
Error returned by platform memory-locking operations.
MonotonicExpiringSecretBytes
Fixed-size secret bytes with caller-provided monotonic lifetime enforcement.
ReadOnceSecret
Clear-on-drop wrapper that can be consumed exactly once.
Secret
Clear-on-drop wrapper for non-byte secret types.
SecretBytes
Fixed-size secret byte storage with automatic sanitization on drop.
SecretExpiredError
Error returned when an expiring secret has exceeded its configured lifetime.
SecretPool
Fixed-slot arena for many same-size secrets inside one locked mapping.
SecretPoolSlot
A live fixed-size secret slot allocated from a SecretPool.
SecretString
Heap-allocated secret UTF-8 text with clear-on-drop behavior.
SecretVec
Heap-allocated secret bytes with clear-on-drop behavior.

Enums

ExpiringSecretError
Error returned by expiring secret operations.
GuardPageOperation
Platform guard-page operation that failed.
GuardedSecretVecGenerateError
Error returned when fallible guarded byte generation fails.
LockedSecretBytesCheckedCopyError
Error returned by checked locked-secret copy operations.
LockedSecretBytesError
Error returned when constructing LockedSecretBytes from a slice.
LockedSecretBytesGenerateError
Error returned when fallible locked secret byte generation fails.
MemoryLockOperation
Platform memory-locking operation that failed.

Traits

MonotonicClock
Caller-provided monotonic tick source for no-std expiring secrets.
SecureSanitize
Shared trait for values that can clear their own sensitive contents.

Functions

sanitize_bytes
Clear ordinary mutable bytes with volatile writes.
sanitize_bytes_best_effort
Compatibility alias for sanitize_bytes.
sanitize_bytes_multi_pass
Clear ordinary mutable bytes with an explicit three-pass volatile pattern.

Derive Macros

SecureSanitize
Derive sanitization::SecureSanitize for structs and enums.
SecureSanitizeOnDrop
Derive Drop by calling sanitization::SecureSanitize::secure_sanitize.