Expand description
This crate implements a wrapper around a secret that is stored in memory.
Protected allows a program to store a encrypted secret in memory. The secret
is encrypted using XChaChaPoly1305. The encryption keys are large enough to mitigate
memory side channel attacks like Spectre, Meltdown, Rowhammer, and RamBleed.
There is a pre_key and a nonce each large enough to limit these attacks. The pre_key and nonce are feed into a merlin transcript to mix with other data and derive the actual encryption key. This value is wiped from memory when the dropped or decrypted.
Structs§
- Protected
- A protected region of memory. The pre key is large to inhibit speculation and side-channel attacks like Spectre, Meltdown, Rowhammer, and RamBleed. Uses XChacha20Poly1305 to encrypt/decrypt the data in memory in place.
- Unprotected
- Unprotected contains the decrypted value.
After Unprotected is dropped, the
Protectedis reengaged with new cryptographic material and the value is encrypted again
Constants§
- DEFAULT_
BUF_ SIZE - The default BUFFER size for the prekey and nonce in memory. This is large enough to inhibit speculation and side-channel attacks. Consumers should not go much smaller than this.