Summary
crypto::open() returns decrypted genesis bytes as Vec<u8>. These should be wrapped in a zeroizing container (e.g., zeroize::Zeroizing<Vec<u8>>) to ensure automatic memory cleanup on drop.
The KEK is already properly zeroized — this extends the same protection to decrypted data.
Summary
crypto::open()returns decrypted genesis bytes asVec<u8>. These should be wrapped in a zeroizing container (e.g.,zeroize::Zeroizing<Vec<u8>>) to ensure automatic memory cleanup on drop.The KEK is already properly zeroized — this extends the same protection to decrypted data.