Crate soteria_rs

This crate implements a wrapper around a secret that is stored in memory.

Protected allows a program to store an encrypted secret in memory. The secret is encrypted using XChaCha20Poly1305. The encryption keys are large enough to mitigate memory side-channel attacks like Spectre, Meltdown, Rowhammer, and RamBleed.

There is a pre_key and a nonce, each large enough to limit these attacks. The pre_key and nonce are fed into a merlin transcript to mix with other data and derive the actual encryption key. This value is wiped from memory when dropped or decrypted.

Structs

  • A protected region of memory. The pre key is large to inhibit speculation and side-channel attacks like Spectre, Meltdown, Rowhammer, and RamBleed. Uses XChaCha20Poly1305 to encrypt/decrypt the data in memory in place.
  • Unprotected contains the decrypted value. After Unprotected is dropped, the Protected is reengaged with new cryptographic material and the value is encrypted again.
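
The lifecycle described above (encrypt in place under a key derived from a large pre_key and nonce, wipe the derived key, re-engage with new material when the decrypted view is dropped), as an added std-only example that is not soteria_rs code and does not reproduce its API. `BUF`, `fill_random`, `xor_in_place`, `engage` and `bytes` are hypothetical names, and SipHash-based stand-ins replace the merlin transcript, XChaCha20Poly1305 and the CSPRNG, so it shows the structure rather than the cryptography.

```rust
use std::collections::hash_map::{DefaultHasher, RandomState};
use std::hash::{BuildHasher, Hasher};
const BUF: usize = 4096; // assumed buffer size, not the crate's constant

fn fill_random(buf: &mut [u8]) { // stand-in entropy (std only); real code uses a CSPRNG
    for chunk in buf.chunks_mut(8) {
        let r = RandomState::new().build_hasher().finish().to_le_bytes();
        chunk.copy_from_slice(&r[..chunk.len()]);
    }
}

// Stand-in for the merlin transcript + XChaCha20Poly1305 (not secure, no auth tag).
fn xor_in_place(pre_key: &[u8], nonce: &[u8], data: &mut [u8]) {
    let mut t = DefaultHasher::new();
    for part in [pre_key, nonce] { t.write(part); } // every byte feeds the key
    let mut key = t.finish();
    for (i, chunk) in data.chunks_mut(8).enumerate() {
        let mut h = DefaultHasher::new();
        h.write_u64(key);
        h.write_u64(i as u64);
        for (b, k) in chunk.iter_mut().zip(h.finish().to_le_bytes()) { *b ^= k; }
    }
    unsafe { std::ptr::write_volatile(&mut key, 0) }; // wipe the derived key
}

pub struct Protected { pre_key: Vec<u8>, nonce: Vec<u8>, data: Vec<u8> }
pub struct Unprotected<'a>(&'a mut Protected); // guard over the plaintext
impl Protected {
    pub fn new(secret: &[u8]) -> Protected {
        let mut p = Protected { pre_key: vec![0; BUF], nonce: vec![0; BUF], data: secret.to_vec() };
        p.engage();
        p
    }
    fn engage(&mut self) { // overwrite key material in place, then encrypt
        fill_random(&mut self.pre_key);
        fill_random(&mut self.nonce);
        xor_in_place(&self.pre_key, &self.nonce, &mut self.data);
    }
    pub fn unprotect<'a>(&'a mut self) -> Unprotected<'a> {
        xor_in_place(&self.pre_key, &self.nonce, &mut self.data); // decrypt in place
        Unprotected(self)
    }
}
impl<'a> Unprotected<'a> { pub fn bytes(&self) -> &[u8] { &self.0.data } }
impl<'a> Drop for Unprotected<'a> { fn drop(&mut self) { self.0.engage(); } }

fn main() {
    let mut p = Protected::new(b"constructed demo secret");
    assert_eq!(p.unprotect().bytes(), &b"constructed demo secret"[..]);
}
```

Because the guard borrows the `Protected` mutably, the borrow checker rules out a second decrypted view while one is alive, and the ciphertext and key material both change on every drop.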

Constants

  • The default BUFFER size for the prekey and nonce in memory. This is large enough to inhibit speculation and side-channel attacks. Consumers should not go much smaller than this.