Zeroize DataKey on drop.

gibbz00 · Jan 23, 2024 · 5f5acab · 5f5acab
1 parent dc17dfc
commit 5f5acab
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,6 +40,7 @@ tokio = "1"
 thiserror = "1"
 walkdir = "2"
 which = "5"
+zeroize = { version = "1.7" }
 
 [patch.crates-io]
 # TEMP: https://github.com/str4d/rage/pull/429

diff --git a/crates/lib/Cargo.toml b/crates/lib/Cargo.toml
@@ -40,6 +40,7 @@ serde_with.workspace = true
 serde_regex.workspace = true
 strum.workspace = true
 thiserror.workspace = true
+zeroize.workspace = true
 
 # AGE
 age = { workspace = true, features = ["armor"], optional = true }

diff --git a/crates/lib/src/cryptography/data_key.rs b/crates/lib/src/cryptography/data_key.rs
@@ -3,17 +3,23 @@ use generic_array::{
     typenum::{Unsigned, U32},
     GenericArray,
 };
+use zeroize::Zeroize;
 
 use crate::*;
 
 type DataKeySize = U32;
 
-// XXX: zeroize?
 #[derive(Debug, PartialEq, AsRef, AsMut)]
 #[as_ref(forward)]
 #[as_mut(forward)]
 pub struct DataKey(RngKey<DataKeySize>);
 
+impl Drop for DataKey {
+    fn drop(&mut self) {
+        self.0 .0.zeroize()
+    }
+}
+
 impl DataKey {
     pub const fn byte_size() -> usize {
         DataKeySize::USIZE