In my program, I have an encrypted database on the file system, protected with a password. It is decrypted in RAM, and the sensitive data gets spread out too much in RAM for mistakes to be audited easily enough. (This rules out zeroing memory manually and using SecureString all over the place.)
So what I am thinking of doing is spawning a new process on a new Windows desktop, asking the user to enter his password there, then decrypting the database, doing my work, and then closing the child process immediately.
This makes the whole thing very easy to audit. The sensitive data never leaves the child process, and the time span during which sensitive data is in RAM is limited to a few milliseconds.
The question is: my solution works great only if Windows actually zeroes the memory after the process is closed. Is that a safe thing to assume? (I know that the OS frees the memory, but freeing and zeroing are not the same thing.)
Do you see a better solution (one that is easy to audit)?
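The flow the question describes, written out as an added example in C# (this is not code from the original post; .NET is assumed because the author mentions SecureString). It creates a new desktop on the current window station, starts a helper process on it by setting STARTUPINFO.lpDesktop, switches the user to that desktop while the helper runs, and switches back when the helper exits. The helper name SecretWorker.exe is hypothetical; it stands for the child that prompts for the password, decrypts the database, does the work, and exits without returning anything sensitive.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not code from the original post. Launches a helper on a private
// desktop so that only the helper process ever holds the password and plaintext.
// "SecretWorker.exe" is an assumed helper executable living next to this program.
static class SecureDesktopLauncher
{
    const uint GENERIC_ALL = 0x10000000;
    const uint INFINITE = 0xFFFFFFFF;
    const uint WAIT_OBJECT_0 = 0;

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice, IntPtr pDevmode,
                                       uint dwFlags, uint dwDesiredAccess, IntPtr lpsa);

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool SwitchDesktop(IntPtr hDesktop);

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool CloseDesktop(IntPtr hDesktop);

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetThreadDesktop(uint dwThreadId);

    [DllImport("kernel32.dll")]
    static extern uint GetCurrentThreadId();

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;   // desktop the child is created on ("name" or "WinSta0\\name")
        public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute;
        public int dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
                                     IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
                                     bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment,
                                     string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
                                     out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs helperPath on its own desktop and returns the helper's exit code.
    // The exit code is the only thing that crosses back into this process.
    public static uint RunOnPrivateDesktop(string helperPath)
    {
        string desktopName = "SecretEntry_" + Guid.NewGuid().ToString("N");
        IntPtr original = GetThreadDesktop(GetCurrentThreadId()); // no CloseDesktop needed for this handle
        IntPtr desk = CreateDesktop(desktopName, IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero);
        if (desk == IntPtr.Zero) throw new Win32Exception();

        try
        {
            var si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            si.lpDesktop = desktopName;   // same window station, new desktop; no dwFlags bit required

            PROCESS_INFORMATION pi;
            // CreateProcessW may modify lpCommandLine; the marshaller hands it a private copy.
            if (!CreateProcess(helperPath, "\"" + helperPath + "\"", IntPtr.Zero, IntPtr.Zero, false, 0,
                               IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception();

            try
            {
                // Show the private desktop only while the helper is alive.
                if (!SwitchDesktop(desk)) throw new Win32Exception();
                if (WaitForSingleObject(pi.hProcess, INFINITE) != WAIT_OBJECT_0) throw new Win32Exception();
                uint exitCode;
                if (!GetExitCodeProcess(pi.hProcess, out exitCode)) throw new Win32Exception();
                return exitCode;
            }
            finally
            {
                SwitchDesktop(original);  // return to the normal desktop even if the helper crashed
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
            }
        }
        finally
        {
            CloseDesktop(desk);  // desktop object goes away once no handle or process uses it
        }
    }

    static int Main()
    {
        string helper = System.IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "SecretWorker.exe");
        uint code = RunOnPrivateDesktop(helper);
        Console.WriteLine("helper exited with code " + code);
        return (int)code;
    }
}
```

What this gives is the separation the post is after: the password prompt and the decrypted data live in a process whose address space the launcher never shares, and only an exit code comes back. The desktop switch is a UI isolation measure (other windows on the normal desktop cannot see or inject input into the helper's window); it says nothing about where the helper's pages go after it exits, or about copies in the page file, a hibernation file or a crash dump, which is the part the question is asking about and has to be assessed separately.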