cashubtc/cdk
1
0
Fork 0
Code Issues 25 Pull requests 23 Projects Releases 43 Packages Wiki Activity Actions

feat: zeroize cryptographic secrets on drop #988

Merged
vnprc merged 1 commit from zeroize_on_drop into main 2025-08-21 20:53:26 +00:00
Conversation 3 Commits 1 Files changed 5 +23
vnprc commented 2025-08-21 15:48:34 +00:00 (Migrated from github.com)
Copy link

implement zeroize on Drop for Secret, Wallet, and MultiMintWallet
this erases sensitive memory addresses before deallocation

Description

Minor security improvement that prevents a memory dump, swap file, or process memory inspection attack from exposing secrets left in deallocated memory addresses.

This is good hygiene and could be useful as part of a defense in depth strategy. Currently, it doesn't accomplish much because the master seed is kept in Wallet memory for the duration of the process.

A more meaningful security improvement would be to encrypt the seed on disk and load it into memory only when actively deriving keys. This would have a high performance impact due to the high frequency of ecash operations. Perhaps a better approach would be to focus on device architectures with a secure computing environment such as a secure enclave on a mobile phone and using something like VLS on mint servers.

In any case this PR has very low performance impact and it's better than nothing.

Notes to the reviewers

Suggested CHANGELOG Updates

CHANGED

ADDED

REMOVED

FIXED

Checklist

implement zeroize on Drop for Secret, Wallet, and MultiMintWallet this erases sensitive memory addresses before deallocation ### Description Minor security improvement that prevents a memory dump, swap file, or process memory inspection attack from exposing secrets left in deallocated memory addresses. This is good hygiene and could be useful as part of a defense in depth strategy. Currently, it doesn't accomplish much because the master seed is kept in Wallet memory for the duration of the process. A more meaningful security improvement would be to encrypt the seed on disk and load it into memory only when actively deriving keys. This would have a high performance impact due to the high frequency of ecash operations. Perhaps a better approach would be to focus on device architectures with a secure computing environment such as a secure enclave on a mobile phone and using something like [VLS](https://github.com/lightning-signer) on mint servers. In any case this PR has very low performance impact and it's better than nothing. ----- ### Notes to the reviewers <!-- In this section you can include notes directed to the reviewers, like explaining why some parts of the PR were done in a specific way --> ----- ### Suggested [CHANGELOG](https://github.com/cashubtc/cdk/blob/main/CHANGELOG.md) Updates <!-- Please do not edit the actual changelog but note what you changed here. --> #### CHANGED #### ADDED #### REMOVED #### FIXED ---- ### Checklist * [x] I followed the [code style guidelines](https://github.com/cashubtc/cdk/blob/main/CODE_STYLE.md) * [x] I ran `just final-check` before committing
crodas (Migrated from github.com) reviewed 2025-08-21 15:48:34 +00:00
vnprc commented 2025-08-21 15:53:43 +00:00 (Migrated from github.com)
Copy link

#979

#979
thesimplekid (Migrated from github.com) approved these changes 2025-08-21 16:03:03 +00:00
thesimplekid (Migrated from github.com) left a comment
Copy link

ACK 951ff054fb

ACK 951ff054fb61e20f99cbe6776354454c6a90a1bb
Sign in to join this conversation.
Reviewers
No reviewers
crodas
thesimplekid
Labels
Clear labels   
DB & Storage

   
Deployment

   
Error Handling & Logging

   
Maintenance

   
Payment Backend

   
backport

   
backport v0.13.x

   
backport v0.14.x

   
backport v0.15.x

   
bindings

   
blocked

   
bug

Something isn't working

  
cdk-sql

   
ci

   
cli

   
deps

   
documentation

Improvements or additions to documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature or request

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
keep-open

   
ldk-node-ui

   
migrations

   
mint

   
mutation-testing

   
needs rebase

   
needs review

   
new nut

This PR is held pending the merge of a new or updated NUT

  
nut change

   
question

Further information is requested

  
ready

   
rust-version

   
rustfmt

   
stacked hold

PR is based on top of another PR, so should be merged in sequence. See comments for details.

  
stale

   
testing

   
wallet

   
weekly-report

   
wontfix

This will not be worked on

No labels
DB & Storage
Deployment
Error Handling & Logging
Maintenance
Payment Backend
backport
backport v0.13.x
backport v0.14.x
backport v0.15.x
bindings
blocked
bug
cdk-sql
ci
cli
deps
documentation
duplicate
enhancement
good first issue
help wanted
invalid
keep-open
ldk-node-ui
migrations
mint
mutation-testing
needs rebase
needs review
new nut
nut change
question
ready
rust-version
rustfmt
stacked hold
stale
testing
wallet
weekly-report
wontfix
Milestone
Clear milestone
No items
No milestone
v0.12
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
cashubtc/cdk!988
No description provided.