Secrets

The Secret struct is a container for sensitive data that needs to be kept in memory for an extended period. It holds locked and encrypted heap-allocated bytes that are decrypted on demand to protect against inspection techniques.

Please keep in mind that this is not a silver bullet, but rather an additional layer of protection. For example, when the peek closure is executing, the plaintext secret will exist transiently in CPU registers and caches, which is unavoidable.

Example

//! Long lived secret

extern crate wtx;

use crate::wtx::rng::SeedableRng;
use std::{env, sync::OnceLock};
use wtx::{
  collection::Vector,
  misc::{Secret, SensitiveBytes},
  rng::ChaCha20,
};

static SECRET: OnceLock<Secret> = OnceLock::new();

fn main() -> wtx::Result<()> {
  let data = env::args().nth(1).ok_or(wtx::Error::Generic(Box::new("No data".into())))?;
  let mut rng = ChaCha20::from_os()?;
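  // Place the input bytes in locked memory and wrap them in a `Secret`,
  // which keeps them encrypted until they are peeked.
  let secret = Secret::new(SensitiveBytes::new_locked(data.into_bytes().as_mut())?, &mut rng)?;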
  let _rslt = SECRET.set(secret);
  std::thread::spawn(|| {
    let mut buffer = Vector::new();
    SECRET.wait().peek(&mut buffer, |_data| {
      // The decrypted bytes are only available while this closure runs.
      // Sign documents, pass API keys, etc...
    })?;
    wtx::Result::Ok(())
  })
  .join()??;
  Ok(())
}
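
A std-only model of the decrypt-on-demand pattern described in the text above, added here as an illustration; it is not wtx's implementation. `MaskedSecret`, `WipeOnDrop` and `wipe` are hypothetical names, XOR with a caller-supplied pad stands in for the real cipher, and no memory locking is performed.

```rust
use std::ptr;

/// Zeroes a buffer with volatile writes so the wipe is not optimised away.
fn wipe(buf: &mut [u8]) {
    buf.iter_mut().for_each(|b| unsafe { ptr::write_volatile(b, 0) });
}

/// Wipes the borrowed scratch buffer on drop, including during a panic unwind.
struct WipeOnDrop<'a>(&'a mut Vec<u8>);
impl Drop for WipeOnDrop<'_> {
    fn drop(&mut self) {
        wipe(self.0.as_mut_slice());
        self.0.clear();
    }
}

/// Hypothetical stand-in for an encrypted-at-rest container (not wtx's `Secret`).
pub struct MaskedSecret {
    masked: Vec<u8>, // secret XORed with `pad`; never stored in the clear
    pad: Vec<u8>,    // caller-supplied random bytes, same length as the secret
}

impl MaskedSecret {
    /// Masks `plain` with `pad`, then wipes the caller's plaintext copy.
    pub fn new(plain: &mut [u8], pad: Vec<u8>) -> Option<Self> {
        if pad.len() != plain.len() {
            return None;
        }
        let masked: Vec<u8> = plain.iter().zip(&pad).map(|(p, k)| p ^ k).collect();
        wipe(plain);
        Some(Self { masked, pad })
    }

    /// Unmasks into `scratch`, runs `f` on the plaintext, then wipes `scratch`.
    pub fn peek<R>(&self, scratch: &mut Vec<u8>, f: impl FnOnce(&[u8]) -> R) -> R {
        let mut guard = WipeOnDrop(scratch);
        guard.0.clear();
        guard.0.extend(self.masked.iter().zip(&self.pad).map(|(c, k)| c ^ k));
        let out = f(guard.0.as_slice());
        out // `guard` drops here and zeroes the transient plaintext
    }
}

fn main() {
    let mut key = *b"constructed-api-key"; // constructed sample value
    let pad = vec![0x5A; key.len()]; // fixed for the demo; use a CSPRNG in practice
    let secret = MaskedSecret::new(&mut key, pad).expect("pad length matches");
    let n = secret.peek(&mut Vec::new(), |plain| plain.len());
    println!("peeked {n} bytes; caller copy wiped: {}", key.iter().all(|b| *b == 0));
}
```

The plaintext still exists in `scratch` for the duration of the closure, which is the transient exposure the caveat above refers to; the guard only bounds how long it stays there.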