Conversation

@patrick-ogrady
Contributor

  • Add memfd_secret support on Linux 5.14+ with fallback to regular mmap
    • Memory is unmapped from kernel direct mapping
    • Cannot be read via /proc/pid/mem even by root
  • Add MADV_DONTDUMP on Linux to prevent secrets in core dumps
  • Add MADV_WIPEONFORK on Linux to zero memory in child processes after fork
  • Update module documentation with security considerations
  • Add test_wipeonfork (Linux) to verify fork protection
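An added example, not code from the PR, showing the hardening listed in the description against the raw Linux interfaces in C: memfd_secret with fallback to a private anonymous mapping, MADV_DONTDUMP, MADV_WIPEONFORK, and a fork check modelled on test_wipeonfork. The struct, function names, the 4096-byte size and the 0xAB fill pattern are assumptions of this example; how the project handles MADV_WIPEONFORK on the memfd_secret path is not shown on this page.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447  /* for pre-5.14 headers; 447 on x86_64 and arm64 */
#endif

struct secret { unsigned char *ptr; size_t len; int fd; int via_memfd_secret; };

/* memfd_secret(2) first: pages leave the kernel direct map and are unreadable via
 * /proc/pid/mem. On any failure (ENOSYS, EPERM under seccomp, EAGAIN from RLIMIT_MEMLOCK)
 * fall back to a private anonymous mapping with mlock + MADV_DONTDUMP + MADV_WIPEONFORK. */
static int secret_alloc(struct secret *s, size_t len, int try_memfd_secret) {
    *s = (struct secret){ .len = len, .fd = -1 };
    if (try_memfd_secret) {
        int fd = (int)syscall(__NR_memfd_secret, 0);
        if (fd >= 0 && ftruncate(fd, (off_t)len) == 0) {
            /* secretmem must be MAP_SHARED and is already locked and non-dumpable; the kernel
             * rejects MADV_WIPEONFORK on it, so a forked child inherits this mapping. */
            void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
            if (p != MAP_FAILED) { s->ptr = p; s->fd = fd; s->via_memfd_secret = 1; return 0; }
        }
        if (fd >= 0) close(fd);
    }
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    (void)mlock(p, len);                  /* best effort: keep pages out of swap */
    (void)madvise(p, len, MADV_DONTDUMP); /* best effort: keep pages out of core dumps */
    if (madvise(p, len, MADV_WIPEONFORK) != 0) { munmap(p, len); return -1; }
    s->ptr = p;
    return 0;
}
static void secret_free(struct secret *s) {  /* zero, unmap, release the secretmem fd */
    memset(s->ptr, 0, s->len); munmap(s->ptr, s->len); if (s->fd >= 0) close(s->fd);
}

/* Fork-protection check (constructed 4096-byte region, 0xAB pattern): returns 1 if the
 * child reads only zeros, 0 if it still sees the pattern, -1 if alloc or fork failed. */
static int check_wipeonfork(int try_memfd_secret) {
    struct secret s;
    if (secret_alloc(&s, 4096, try_memfd_secret) != 0) return -1;
    memset(s.ptr, 0xAB, s.len);
    pid_t pid = fork();
    if (pid < 0) { secret_free(&s); return -1; }
    if (pid == 0) { for (size_t i = 0; i < s.len; i++) if (s.ptr[i]) _exit(2); _exit(0); }
    int status = 0; waitpid(pid, &status, 0);
    secret_free(&s);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}
```

With try_memfd_secret set, check_wipeonfork returns 0 wherever memfd_secret is actually available, because the shared secretmem mapping survives fork; forcing the fallback path returns 1.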


cloudflare-workers-and-pages bot commented Jan 3, 2026

Deploying monorepo with Cloudflare Pages

Latest commit: 66da635
Status: ✅  Deploy successful!
Preview URL: https://93b7d0a4.monorepo-eu0.pages.dev
Branch Preview URL: https://patrick-secret-hardening.monorepo-eu0.pages.dev



cloudflare-workers-and-pages bot commented Jan 3, 2026

Deploying with Cloudflare Workers


Status: ✅ Deployment successful!
Name: commonware-mcp
Latest Commit: 66da635
Updated (UTC): Jan 03 2026, 08:04 PM

@patrick-ogrady patrick-ogrady force-pushed the patrick/secret-hardening branch 3 times, most recently from 27ab1aa to 39d203e on January 3, 2026 19:06
Collaborator

@andresilva andresilva left a comment

😍

@patrick-ogrady patrick-ogrady marked this pull request as ready for review January 3, 2026 19:53
@patrick-ogrady patrick-ogrady force-pushed the patrick/secret-hardening branch 2 times, most recently from 1105bb6 to 2a1f0a4 on January 3, 2026 19:58
- Add memfd_secret support on Linux 5.14+ with fallback to regular mmap
  - Memory is unmapped from kernel direct mapping
  - Cannot be read via /proc/pid/mem even by root

- Add MADV_DONTDUMP on Linux to prevent secrets in core dumps
- Add MADV_WIPEONFORK on Linux to zero memory in child processes after fork
- Update module documentation with security considerations
- Add test_wipeonfork (Linux) to verify fork protection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@patrick-ogrady patrick-ogrady force-pushed the patrick/secret-hardening branch from 2a1f0a4 to 66da635 on January 3, 2026 20:04
@patrick-ogrady patrick-ogrady merged commit c19e19e into andre/secrets-wrapper Jan 3, 2026
117 of 118 checks passed
@patrick-ogrady patrick-ogrady deleted the patrick/secret-hardening branch January 3, 2026 20:05