secure

package
v0.0.0-...-14162ad Latest
Warning

This package is not in the latest version of its module.
Published: May 4, 2026 License: MIT Imports: 4 Imported by: 0

Documentation

Overview

Package secure provides security-related utilities for sesh.

IMPORTANT SECURITY NOTE: Go's memory model and garbage collection make secure memory management challenging. The functions in this package do their best to reduce the exposure window of sensitive data, but they cannot guarantee complete removal from memory due to factors like:

1. Go's garbage collector can move and copy data
2. Go strings are immutable and their contents can be duplicated
3. Compiler optimizations might affect security guarantees
4. Memory might be paged to disk outside of Go's control

For maximum security, prefer:

- Keeping sensitive data in []byte form rather than strings
- Minimizing the scope and lifetime of sensitive data
- Zeroing sensitive data immediately after use

Functions

func ExecAndCaptureSecure

func ExecAndCaptureSecure(cmd *exec.Cmd) ([]byte, error)

ExecAndCaptureSecure executes a command and securely captures its stdout as a byte slice. If an error occurs, any captured output is securely zeroed. This function is particularly useful for capturing sensitive data from commands.

func ExecWithSecretInput

func ExecWithSecretInput(cmd *exec.Cmd, secret []byte) error

ExecWithSecretInput executes a command with a sensitive byte slice provided via stdin. This is more secure than passing secrets as command-line arguments, which might be visible in process listings (ps) or command history.

func SecureZeroBytes

func SecureZeroBytes(data []byte)

SecureZeroBytes zeros out a byte slice in a way that won't be optimized away by the compiler. This helps ensure sensitive data is cleared from memory when no longer needed.

func SecureZeroString

func SecureZeroString(s string)

SecureZeroString attempts to reduce the exposure window of a string by creating a byte slice copy and zeroing it. Due to Go's immutable strings and garbage-collected memory model, the original string data may remain in memory and cannot be securely erased.

WARNING: Only use this if you cannot avoid working with strings. Prefer keeping secrets in []byte form from the beginning for actual zeroing. This function can introduce additional exposure by creating a second copy of the sensitive data in memory.

func ZeroBytes

func ZeroBytes(byteSlices ...[]byte)

ZeroBytes zeroes multiple byte slices at once.

func ZeroStrings

func ZeroStrings(strings ...string)

ZeroStrings zeroes multiple strings at once.
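
The pattern the functions above describe (secret passed on stdin instead of argv, output captured as []byte, buffers zeroed on error and after use), shown as an added example that is not the package's own code. `runWithSecret` and `zero` are hypothetical helpers, the secret is a constructed value, and a `cat` binary on PATH is assumed.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"runtime"
)

// zero overwrites each slice in place. KeepAlive marks the slice as still in
// use after the stores (this sketch's precaution; the package may differ).
func zero(slices ...[]byte) {
	for _, b := range slices {
		for i := range b {
			b[i] = 0
		}
		runtime.KeepAlive(b)
	}
}

// runWithSecret (hypothetical helper) writes secret to cmd's stdin, so it
// never appears in argv, and returns stdout as []byte for the caller to zero.
func runWithSecret(cmd *exec.Cmd, secret []byte) ([]byte, error) {
	// Preallocate: a buffer that has to grow leaves its old, unzeroed
	// backing array behind for the garbage collector.
	out := bytes.NewBuffer(make([]byte, 0, 4096))
	cmd.Stdin = bytes.NewReader(secret)
	cmd.Stdout = out
	if err := cmd.Run(); err != nil {
		zero(out.Bytes()) // do not hand partial output back on failure
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample value
	cmd := exec.Command("cat")                  // assumes cat is on PATH
	out, err := runWithSecret(cmd, secret)
	if err != nil {
		fmt.Println("command failed:", err)
		zero(secret)
		return
	}
	fmt.Printf("argv=%q, captured %d bytes\n", cmd.Args, len(out))
	zero(out, secret) // clear both copies as soon as they are no longer needed
}
```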
