This package attempts to reduce the likelihood of sensitive data being
exposed when in memory. It aims to support all major operating systems
and is written in pure Go.
.
Features
.
* Sensitive data is encrypted and authenticated in memory with
XSalsa20Poly1305. The scheme (https://spacetime.dev/encrypting-secrets-in-
memory) used also defends against cold-boot attacks
(https://spacetime.dev/memory-retention-attacks).
* Memory allocation bypasses the language runtime by using system calls
(https://github.com/awnumar/memcall) to query the kernel for resources
directly. This avoids interference from the garbage-collector.
* Buffers that store plaintext data are fortified with guard pages and
canary values to detect spurious accesses and overflows.
* Effort is taken to prevent sensitive data from touching the disk.
This includes locking memory to prevent swapping and handling core
dumps.
* Kernel-level immutability is implemented so that attempted
modification of protected regions results in an access violation.
* Multiple endpoints provide session purging and safe termination
capabilities as well as signal handling to prevent remnant data being
left behind.
* Side-channel attacks are mitigated against by making sure that the
copying and comparison of data is done in constant-time.
.
This package contains the Go development library.
Installed Size: 138.2 kB
Architectures: all