Source: golang-github-awnumar-memguard Section: golang Priority: optional Maintainer: Debian Go Packaging Team Uploaders: Simon Josefsson , Rules-Requires-Root: no Build-Depends: debhelper-compat (= 13), dh-sequence-golang, golang-any, golang-github-awnumar-memcall-dev, golang-golang-x-crypto-dev, golang-golang-x-sys-dev, Testsuite: autopkgtest-pkg-go Standards-Version: 4.7.2 Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-awnumar-memguard Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-awnumar-memguard.git Homepage: https://github.com/awnumar/memguard XS-Go-Import-Path: github.com/awnumar/memguard Package: golang-github-awnumar-memguard-dev Architecture: all Multi-Arch: foreign Depends: golang-github-awnumar-memcall-dev, golang-golang-x-crypto-dev, golang-golang-x-sys-dev, ${misc:Depends}, Description: secure enclave for storage of sensitive information (library) This package attempts to reduce the likelihood of sensitive data being exposed when in memory. It aims to support all major operating systems and is written in pure Go. . Features . * Sensitive data is encrypted and authenticated in memory with XSalsa20Poly1305. The scheme (https://spacetime.dev/encrypting-secrets-in- memory) used also defends against cold-boot attacks (https://spacetime.dev/memory-retention-attacks). * Memory allocation bypasses the language runtime by using system calls (https://github.com/awnumar/memcall) to query the kernel for resources directly. This avoids interference from the garbage-collector. * Buffers that store plaintext data are fortified with guard pages and canary values to detect spurious accesses and overflows. * Effort is taken to prevent sensitive data from touching the disk. This includes locking memory to prevent swapping and handling core dumps. * Kernel-level immutability is implemented so that attempted modification of protected regions results in an access violation. * Multiple endpoints provide session purging and safe termination capabilities as well as signal handling to prevent remnant data being left behind. * Side-channel attacks are mitigated against by making sure that the copying and comparison of data is done in constant-time. . This package contains the Go development library.