From 685413dee4a8218782762be21554b11dfd1cc937 Mon Sep 17 00:00:00 2001 From: "glm-5.2" Date: Tue, 23 Jun 2026 13:33:00 +0000 Subject: [PATCH] vault: return Zeroizing from unlock_new Change unlock_new return type from String to Zeroizing so the generated mnemonic phrase is zeroized on drop and does not linger in freed heap memory. Resolves drift item #8 / review W7. --- crates/alknet-vault/src/service.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/crates/alknet-vault/src/service.rs b/crates/alknet-vault/src/service.rs index d365d41..8a4c505 100644 --- a/crates/alknet-vault/src/service.rs +++ b/crates/alknet-vault/src/service.rs @@ -50,6 +50,7 @@ use crate::derivation::{self, DerivationError, PATHS}; use crate::encryption::{self, EncryptedData, EncryptionKey}; use crate::mnemonic::{Language, Mnemonic, Seed}; use crate::protocol::{DerivedKey, KeyType}; +use zeroize::Zeroizing; /// Handle to a running VaultService for local (in-process) use. /// @@ -150,7 +151,7 @@ impl VaultServiceHandle { /// /// Returns the generated mnemonic phrase. Store this phrase securely — /// it is the root of trust for all derived keys. - pub fn unlock_new(&self, word_count: usize) -> Result { + pub fn unlock_new(&self, word_count: usize) -> Result, VaultServiceError> { let mut inner = self.inner.write().unwrap(); if inner.unlocked { return Err(VaultServiceError::AlreadyUnlocked); @@ -158,7 +159,7 @@ impl VaultServiceHandle { let mnemonic = Mnemonic::generate(word_count)?; let seed = mnemonic.to_seed(None); - let phrase = mnemonic.phrase().to_string(); + let phrase = Zeroizing::new(mnemonic.phrase().to_string()); inner.mnemonic = Some(mnemonic); inner.seed = Some(seed);