[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)

Gregory P. Smith greg at krypto.org
Sat Jun 23 16:04:01 EDT 2018

On Sat, Jun 23, 2018 at 12:57 PM Christian Heimes <christian at python.org>

> If you need to protect sensitive data like private keys, then don't load
> them into memory of your current process. It's that simple. :) Bugs like
> heartbleed were an issue, because private key were in the same process
> space as the TLS/SSL code. Solutions like gpg-agent, ssh-agent, TPM,
> HSM, Linux's keyring and AF_ALG socket all aim to offload operations
> with private key material into a secure subprocess, Kernel space or
> special hardware.


It is fundamentally impossible for a Python VM (certainly CPython) to
implement any sort of guaranteed erasure of data and/or control over data
to prevent copying that is ever stored in a Python object.  This is not
unique to Python.  All interpreted and jitted VMs share this trait, as do
most languages with garbage collection.  ex: Java, Ruby, Go, etc.

Trying to pretend we could offer tracking and wiping of sensitive data
in-process is harmful at best as it cannot be guaranteed and thus gives the
wrong impression and will lead to misuse by people who ignore that.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20180623/f1e81bd6/attachment.html>

More information about the Python-ideas mailing list