Merge pull request #490 from docker/posixage/zero/out

fix(posixage): zero sensitive byte slices after use

Author: Benehiko

store/posixage/prompt.go

@@ -105,6 +105,7 @@ func promptForEncryptionKeys(ctx context.Context, funcs []promptCaller) (map[sec
 			return nil, err
 		}
 		raw = bytes.TrimSpace(raw)
+		defer clear(raw)
 		if len(raw) == 0 {
 			return nil, errors.New("empty key provided on registered callback function")
 		}

store/posixage/store.go

@@ -138,6 +138,7 @@ func (f *fileStore[T]) decryptSecret(ctx context.Context, encryptedSecrets []sec
 		if err != nil {
 			return nil, err
 		}
+		defer clear(decryptionKey)
 
 		identity, err := secretfile.GetIdentity(keyType, string(decryptionKey))
 		if err != nil {
@@ -214,6 +215,7 @@ func (f *fileStore[T]) Filter(ctx context.Context, pattern store.Pattern) (map[s
 		if err != nil {
 			return err
 		}
+		defer clear(decryptedSecret)
 
 		secret := f.factory(ctx, id)
 		if err := secret.SetMetadata(metadata); err != nil {
@@ -254,6 +256,7 @@ func (f *fileStore[T]) Get(ctx context.Context, id store.ID) (store.Secret, erro
 	if err != nil {
 		return nil, err
 	}
+	defer clear(decryptedSecret)
 
 	secret := f.factory(ctx, id)
 	if err := secret.SetMetadata(metadata); err != nil {
@@ -339,6 +342,7 @@ func (f *fileStore[T]) Save(ctx context.Context, id store.ID, s store.Secret) er
 	if err != nil {
 		return err
 	}
+	defer clear(secret)
 	metadata := s.Metadata()
 
 	var secrets []secretfile.EncryptedSecret