ektrah/libsodium-core

How to use sodium_memzero()? and what is the correct steps before calling?


I was reading an example from https://ourcodeworld.com/articles/read/471/how-to-encrypt-and-decrypt-files-using-the-aes-encryption-algorithm-in-c-sharp . Does sodium_memzero() get called the same way as in that example, or does it work slightly differently? libsodium-core is really a project that shouldn't be dead, but the sensitive data must be wiped out ...? Any ideas? And before directly calling sodium_memzero(), what are the prerequisites, like functions and such, that need to be called beforehand?

  1. It securely zeroes out a block of memory like RtlSecureZeroMemory does, yes.
  2. I'm afraid sodium_memzero() hasn't been implemented in libsodium-core.
  3. You would call sodium_memzero() after you're done using an encryption key for example.

Note that that article is calling RtlZeroMemory on Windows when it should probably be calling RtlSecureZeroMemory instead. You could call this function if your program will only be running on Windows.

It's important to clear secrets from memory, but some languages don't offer a way of doing this. I'd recommend avoiding strings (as they're immutable) and using char arrays instead when possible (e.g. for passwords). Then you can clear char/byte arrays with Array.Clear(). However, it's not clear how effective this is. The garbage collector will eventually sort out unused variables anyway.

There's also ProtectedMemory in .NET Framework, which allows you to encrypt byte arrays. You can implement a similar thing using libsodium-core.
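As an added illustration of the advice above (example code written for this thread, not code from libsodium-core or the commenters): keep secrets in byte[]/char[] rather than string, pin the array so the garbage collector cannot relocate and thereby copy it, and wipe it on Dispose with CryptographicOperations.ZeroMemory (.NET Core 2.1+), which plays the role sodium_memzero() would. The SecretBytes and Demo names are my own choices.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// Holds a secret in a pinned byte[] and wipes it on Dispose.
// CryptographicOperations.ZeroMemory is marked NoInlining/NoOptimization,
// so the JIT cannot discard the zeroing as a dead store the way a plain
// loop might be optimised away.
public sealed class SecretBytes : IDisposable
{
    private readonly GCHandle _pin;
    public byte[] Bytes { get; }

    public SecretBytes(int length)
    {
        Bytes = new byte[length];
        _pin = GCHandle.Alloc(Bytes, GCHandleType.Pinned); // GC will not move/copy it
    }

    // Build from a password held as char[] (never string), then wipe the chars.
    public static SecretBytes FromPassword(char[] password)
    {
        var s = new SecretBytes(Encoding.UTF8.GetByteCount(password));
        Encoding.UTF8.GetBytes(password, 0, password.Length, s.Bytes, 0);
        Array.Clear(password, 0, password.Length); // caller's char[] is now zeroed
        return s;
    }

    public void Dispose()
    {
        CryptographicOperations.ZeroMemory(Bytes); // wipe first ...
        if (_pin.IsAllocated) _pin.Free();         // ... then unpin
    }
}

public static class Demo
{
    public static void Main()
    {
        // Demo only: a string literal is interned and cannot be wiped; in real
        // code read the password straight into a char[] (e.g. from the console).
        char[] password = "correct horse battery staple".ToCharArray();
        using (var key = new SecretBytes(32))
        using (var pw = SecretBytes.FromPassword(password))
        {
            RandomNumberGenerator.Fill(key.Bytes);
            // hand key.Bytes / pw.Bytes to the encryption call here
            Console.WriteLine($"password chars zeroed: {Array.TrueForAll(password, c => c == '\0')}");
        } // both buffers are zeroed and unpinned at this point
    }
}
```

Pinning only stops the GC from making copies; any copy you make yourself (a string, a LINQ ToArray(), a Base64 conversion) is a fresh secret that needs the same treatment.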

What would your advice be if I store the keys, like credentials, in BigInteger format in a file and reuse them whenever I can?

I have no idea what type of cryptography you're trying to implement, but you don't necessarily need to store encryption keys. If you want to store keys in a file (e.g. exporting public/private keys), then I suggest using bytes or you could convert them to Base64 strings. The important thing to remember is that you want to keep secrets secret, meaning you should encrypt secret keys before storing them.