From 0c520845f3623eff28f0277a52e3ccffd928f5c2 Mon Sep 17 00:00:00 2001
From: Jakob Unterwurzacher
Date: Fri, 11 Aug 2017 18:42:30 +0200
Subject: main: purge masterkey from memory as soon as possible

Remove the "Masterkey" field from fusefrontend.Args because it
should not be stored longer than neccessary. Instead pass the
masterkey as a separate argument to the filesystem initializers.

Then overwrite it with zeros immediately so we don't have
to wait for garbage collection.

Note that the crypto implementation still stores at least a
masterkey-derived value, so this change makes it harder, but not
impossible, to extract the encryption keys from memory.

Suggested at https://github.com/rfjakob/gocryptfs/issues/137
---
 mount.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'mount.go')

diff --git a/mount.go b/mount.go
index 7405ff3..89ac6d8 100644
--- a/mount.go
+++ b/mount.go
@@ -170,7 +170,7 @@ func setOpenFileLimit() {
 
 // initFuseFrontend - initialize gocryptfs/fusefrontend
 // Calls os.Exit on errors
-func initFuseFrontend(key []byte, args *argContainer, confFile *configfile.ConfFile) *fuse.Server {
+func initFuseFrontend(masterkey []byte, args *argContainer, confFile *configfile.ConfFile) *fuse.Server {
 	// Reconciliate CLI and config file arguments into a fusefrontend.Args struct
 	// that is passed to the filesystem implementation
 	cryptoBackend := cryptocore.BackendGoGCM
@@ -187,7 +187,6 @@ func initFuseFrontend(key []byte, args *argContainer, confFile *configfile.ConfF
 	}
 	frontendArgs := fusefrontend.Args{
 		Cipherdir:      args.cipherdir,
-		Masterkey:      key,
 		PlaintextNames: args.plaintextnames,
 		LongNames:      args.longnames,
 		CryptoBackend:  cryptoBackend,
@@ -222,14 +221,19 @@ func initFuseFrontend(key []byte, args *argContainer, confFile *configfile.ConfF
 	var finalFs pathfs.FileSystem
 	var ctlSockBackend ctlsock.Interface
 	if args.reverse {
-		fs := fusefrontend_reverse.NewFS(frontendArgs)
+		fs := fusefrontend_reverse.NewFS(masterkey, frontendArgs)
 		finalFs = fs
 		ctlSockBackend = fs
 	} else {
-		fs := fusefrontend.NewFS(frontendArgs)
+		fs := fusefrontend.NewFS(masterkey, frontendArgs)
 		finalFs = fs
 		ctlSockBackend = fs
 	}
+	// fusefrontend / fusefrontend_reverse have initialized their crypto with
+	// derived keys (HKDF), we can purge the master key from memory.
+	for i := range masterkey {
+		masterkey[i] = 0
+	}
 	// We have opened the socket early so that we cannot fail here after
 	// asking the user for the password
 	if args._ctlsockFd != nil {
-- 
cgit v1.2.3