From 2384340f4138a362a52a6ee49cecc956a7d028f8 Mon Sep 17 00:00:00 2001
From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:07:30 +0100
Subject: [PATCH] fix(posixage): zero sensitive byte slices after use
Clear decryption key material and plaintext secret bytes immediately after use via defer clear(), so they don't linger in the heap longer than necessary.
Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
---
 store/posixage/prompt.go | 1 +
 store/posixage/store.go | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/store/posixage/prompt.go b/store/posixage/prompt.go
index 852c024a..6b5e73f1 100644
--- a/store/posixage/prompt.go
+++ b/store/posixage/prompt.go
@@ -105,6 +105,7 @@ func promptForEncryptionKeys(ctx context.Context, funcs []promptCaller) (map[sec
 return nil, err
 }
 raw = bytes.TrimSpace(raw)
+ defer clear(raw)
 if len(raw) == 0 {
 return nil, errors.New("empty key provided on registered callback function")
 }
diff --git a/store/posixage/store.go b/store/posixage/store.go
index fc5d27c4..fbbdee8b 100644
--- a/store/posixage/store.go
+++ b/store/posixage/store.go
@@ -138,6 +138,7 @@ func (f *fileStore[T]) decryptSecret(ctx context.Context, encryptedSecrets []sec
 if err != nil {
 return nil, err
 }
+ defer clear(decryptionKey)
 identity, err := secretfile.GetIdentity(keyType, string(decryptionKey))
 if err != nil {
@@ -214,6 +215,7 @@ func (f *fileStore[T]) Filter(ctx context.Context, pattern store.Pattern) (map[s
 if err != nil {
 return err
 }
+ defer clear(decryptedSecret)
 secret := f.factory(ctx, id)
 if err := secret.SetMetadata(metadata); err != nil {
@@ -254,6 +256,7 @@ func (f *fileStore[T]) Get(ctx context.Context, id store.ID) (store.Secret, erro
 if err != nil {
 return nil, err
 }
+ defer clear(decryptedSecret)
 secret := f.factory(ctx, id)
 if err := secret.SetMetadata(metadata); err != nil {
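Review bot: `defer clear(raw)` in promptForEncryptionKeys fires only when the function returns, i.e. after the key has already been placed into the returned map, and the hunk does not show how it gets there: if the map stores `raw` (or a subslice of it) directly, the caller receives zeroed key bytes, whereas if it is converted with `string(raw)` the string copy is immutable and survives the clear, so the wipe buys little. The storing line is outside the hunk, so I cannot tell which applies; a comment on the defer that states the contract, e.g. `// raw is copied into the result map below; only this buffer is wiped on return`, would pin it down. Note also that `raw` was just reassigned by `bytes.TrimSpace`, so the clear covers the trimmed window only, which is fine since the stripped bytes are whitespace. The function's body continues past the hunk.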
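Review bot: In decryptSecret the new `defer clear(decryptionKey)` is immediately followed by `string(decryptionKey)` on the next line, which copies the key into an immutable string that `clear` cannot reach, so the key material still lingers in the heap for as long as the GC keeps that string (and whatever `secretfile.GetIdentity` retains from it). The defer is not wrong, but on its own it does not achieve what the commit message claims for this path. Making the zeroing meaningful requires `secretfile.GetIdentity` to accept `[]byte` (or a reader over the slice) instead of a string; failing that, a comment such as `// NOTE: string(decryptionKey) below makes an unclearable copy; see GetIdentity` records the limitation for the next reader. The function's body continues outside the hunk.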
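Review bot: In Filter, `defer clear(decryptedSecret)` zeroes the plaintext when the enclosing function (or, given the bare `return err`, presumably an inner callback) returns, yet the same bytes are handed to the freshly created `secret` somewhere after the hunk; if that hand-off stores the slice by reference instead of copying, the map Filter returns contains wiped values. Either clone at the hand-off (`bytes.Clone(decryptedSecret)`) or add a comment beside the defer stating that the secret copies its input, so the ownership is explicit. The Get hunk at -254 has the identical pattern and the same question. The enclosing function starts and ends outside the hunk.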
@@ -339,6 +342,7 @@ func (f *fileStore[T]) Save(ctx context.Context, id store.ID, s store.Secret) er
 if err != nil {
 return err
 }
+ defer clear(secret)
 metadata := s.Metadata()
 var secrets []secretfile.EncryptedSecret
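Review bot: `defer clear(secret)` in Save wipes a slice that, from the lines just above the hunk, appears to have been obtained from the caller's `s store.Secret`; if that accessor returns the Secret's internal slice rather than a copy, Save now silently zeroes the caller's in-memory secret on return, a behavioural change callers will not expect and one that a successful Save gives no hint of. If Save is meant to own the bytes, clone them at retrieval (`secret = bytes.Clone(secret)` before the defer, assuming `bytes` is imported in this file); if it is meant to consume them, say so in Save's doc comment. The enclosing function starts and ends outside the hunk.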