[rust-dev] Ephemeral byte arrays for cryptographic keys/plaintexts
bill_myers at outlook.com
Fri Jan 10 14:25:30 PST 2014
At any rate, note that what you are trying to do only provides some mitigation and is far from a complete solution, because in practice you can't prevent leakage of all confidential data in this way (what about hibernation while the key is in memory? what about plaintext decrypted with the key?)
The only effective solution is to encrypt all storage including swap using full-disk encryption, as well as all internal network links using IPsec or similar, so that it doesn't matter if sensitive data is swapped, accidentally written to files or communicated between servers.
More information about the Rust-dev