aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gocryptfs-xray/xray_main.go3
-rw-r--r--init_dir.go5
-rw-r--r--main.go15
3 files changed, 18 insertions, 5 deletions
diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index 85470ec..522878a 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -67,6 +67,9 @@ func dumpMasterKey(fn string) {
exitcodes.Exit(err)
}
fmt.Println(hex.EncodeToString(masterkey))
+ for i := range pw {
+ pw[i] = 0
+ }
}
func inspectCiphertext(fd *os.File) {
diff --git a/init_dir.go b/init_dir.go
index b13f741..ea902ec 100644
--- a/init_dir.go
+++ b/init_dir.go
@@ -45,8 +45,9 @@ func initDir(args *argContainer) {
tlog.Fatal.Println(err)
os.Exit(exitcodes.WriteConf)
}
- // Note: cannot overwrite password because in Go, strings are
- // read-only byte slices.
+ for i := range password {
+ password[i] = 0
+ }
// password runs out of scope here
}
// Forward mode with filename encryption enabled needs a gocryptfs.diriv
diff --git a/main.go b/main.go
index ed5784f..ddb4f4e 100644
--- a/main.go
+++ b/main.go
@@ -49,6 +49,9 @@ func loadConfig(args *argContainer) (masterkey []byte, confFile *configfile.Conf
pw := readpassword.Once(args.extpass)
tlog.Info.Println("Decrypting master key")
masterkey, confFile, err = configfile.LoadConfFile(args.config, pw)
+ for i := range pw {
+ pw[i] = 0
+ }
}
if err != nil {
tlog.Fatal.Println(err)
@@ -64,9 +67,15 @@ func changePassword(args *argContainer) {
exitcodes.Exit(err)
}
tlog.Info.Println("Please enter your new password.")
- newPw := readpassword.Twice(args.extpass)
- readpassword.CheckTrailingGarbage()
- confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
+ {
+ newPw := readpassword.Twice(args.extpass)
+ readpassword.CheckTrailingGarbage()
+ confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
+ for i := range newPw {
+ newPw[i] = 0
+ }
+ // newPw runs out of scope here
+ }
// Are we resetting the password without knowing the old one using
// "-masterkey"?
if args.masterkey != "" {