Zeroize VssStore's data_encryption_key on Drop

tnull · tnull · commit 3490f2a32dd5 · 2025-08-22T11:53:03.000+02:00
.. to make sure it doesn't linger in memory.
diff --git a/src/io/vss_store.rs b/src/io/vss_store.rs
@@ -38,12 +38,14 @@ type CustomRetryPolicy = FilteredRetryPolicy<
 	Box<dyn Fn(&VssError) -> bool + 'static + Send + Sync>,
 >;
 
+const KEY_LENGTH: usize = 32;
+
 /// A [`KVStore`] implementation that writes to and reads from a [VSS](https://github.com/lightningdevkit/vss-server/blob/main/README.md) backend.
 pub struct VssStore {
 	client: VssClient<CustomRetryPolicy>,
 	store_id: String,
 	runtime: Arc<Runtime>,
-	data_encryption_key: [u8; 32],
+	data_encryption_key: [u8; KEY_LENGTH],
 	key_obfuscator: KeyObfuscator,
 }
 
@@ -237,6 +239,12 @@ impl KVStore for VssStore {
 	}
 }
 
+impl Drop for VssStore {
+	fn drop(&mut self) {
+		self.data_encryption_key.copy_from_slice(&[0u8; KEY_LENGTH]);
+	}
+}
+
 fn derive_data_encryption_and_obfuscation_keys(vss_seed: &[u8; 32]) -> ([u8; 32], [u8; 32]) {
 	let hkdf = |initial_key_material: &[u8], salt: &[u8]| -> [u8; 32] {
 		let mut engine = HmacEngine::<sha256::Hash>::new(salt);
