But why? If you encrypt data in memory then you still need to keep key somewhere, so we are as safe as key store. And the only place for storing key is memory, so if you need to encrypt memory to keep data there safe from threats then you already lost.
This is the main problem to overcome in a scheme like this. The encryption key in memguard is stored within a system that splits it across multiple guarded regions in memory and continuously writes to it in a way that makes the values “flicker” randomly, providing cold-boot resistance as well. The implementation is here: https://github.com/awnumar/memguard/blob/master/core/coffer.go
This is of course too computationallly expensive to be doing for all data we need to store. Using something like this our problem is just about storing ciphertext for data at rest instead of managing custom guarded allocations for everything since we don’t care about it leaking. In addition, most systems have conservative mlock limits and so this also lets us store arbitrary amounts of data without hitting this limit.
But why? If you encrypt data in memory then you still need to keep key somewhere, so we are as safe as key store. And the only place for storing key is memory, so if you need to encrypt memory to keep data there safe from threats then you already lost.
This is the main problem to overcome in a scheme like this. The encryption key in memguard is stored within a system that splits it across multiple guarded regions in memory and continuously writes to it in a way that makes the values “flicker” randomly, providing cold-boot resistance as well. The implementation is here: https://github.com/awnumar/memguard/blob/master/core/coffer.go
This is of course too computationallly expensive to be doing for all data we need to store. Using something like this our problem is just about storing ciphertext for data at rest instead of managing custom guarded allocations for everything since we don’t care about it leaking. In addition, most systems have conservative mlock limits and so this also lets us store arbitrary amounts of data without hitting this limit.