chore: erase dek after encrypt

rueian · Nov 30, 2020 · d30c500 · d30c500
1 parent 3261c67
commit d30c500
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/api/v1alpha1/asset_types.go b/api/v1alpha1/asset_types.go
@@ -96,11 +96,13 @@ func (a *Asset) Unseal(ctx context.Context, providers map[string]kms.Plugin) (ma
 
 	if len(a.Spec.EncryptedSeal) != 0 {
 		bs, err := plugin.Decrypt(ctx, []byte(a.Spec.SealingParams), a.Spec.EncryptedSeal)
+		defer erase(bs)
 		if err != nil {
 			return nil, err
 		}
 
 		detail := pb.Seal{}
+		defer erase(detail.Dek)
 		if err := proto.Unmarshal(bs, &detail); err != nil {
 			return nil, fmt.Errorf("fail to unmarshal EncryptedSeal: %w", status.ErrBadData)
 		}
@@ -137,14 +139,23 @@ func (a *Asset) Unseal(ctx context.Context, providers map[string]kms.Plugin) (ma
 
 			detail := pb.Seal{}
 			if err := proto.Unmarshal(bs, &detail); err != nil {
+				erase(bs)
 				return nil, fmt.Errorf("fail to unmarshal EncryptedSeal: %w", status.ErrBadData)
 			}
-
+			erase(bs)
 			if data[k], err = seal.Decrypt(&detail, encv); err != nil {
+				erase(detail.Dek)
 				return nil, err
 			}
+			erase(detail.Dek)
 		}
 	}
 
 	return data, nil
 }
+
+func erase(v []byte) {
+	for i := range v {
+		v[i] = 0
+	}
+}
diff --git a/cmd/kinko/main.go b/cmd/kinko/main.go
@@ -415,19 +415,26 @@ func encrypt(provider kms.Plugin, params []byte, secrets map[string][]byte) (map
 		copy(result[2:2+len(dekv)], dekv)
 		copy(result[2+len(dekv):], encv)
 		encrypted[k] = result
+
+		erases(bs)
+		erases(detail.Dek)
 	}
 	return encrypted, nil
 }
 
 func erase(data map[string][]byte) {
 	for k, v := range data {
-		for i := range v {
-			v[i] = 0
-		}
+		erases(v)
 		delete(data, k)
 	}
 }
 
+func erases(v []byte) {
+	for i := range v {
+		v[i] = 0
+	}
+}
+
 func main() {
 	if err := rootCmd.Execute(); err != nil {
 		panic(err)