Expand description

An allocator designed to handle security sensitive allocations, i.e. heap memory with confidential contents.

This can be used to store e.g. passwords and secret cryptographic keys in memory. It is not designed to be performant or light on system resources.

The allocator tries to never get swapped out using mlock on linux. The amount of memory that can be mlocked is very limited for unprivileged processes so use with care. Allocating too much memory using this allocator (exceeding the mlock limit) causes the program to OOM abort using alloc::alloc::handle_alloc_error. A process with CAP_SYS_RESOURCE can change the mlock limit using setrlimit from libc (available in rust through the secmem-proc crate).

Various security measures are implemented:

  • Zeroization of memory on drop.
  • Non-swappable locked memory.
  • Memory is not in the program break or global allocator memory pool, therefore at a less predictable address (even when the address to memory in the global allocator leaks). This could make some exploits harder, but not impossible.


Memory allocator for confidential memory. See the module level documentation.