On 05/07/2014 05:56 AM, Tony Arcieri wrote:
- malloc/free + separate process for crypto - malloc/free + mlock/munlock + "secure zeroing" - mmap/munmap (+ mlock/munlock)
Separate process protects from a different threat than mlock/munlock (the latter prevents swapping out the pages to the swap device).
Depending on your paranoia level, maybe scramble the buffer if it is held unused for a long time. The scrambling secret should be short enough not to stick out like a sore thumb in a memory dump. Although that probably won't help much (it works better if the secret key and the scrambling key are in different processes).
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography