The ephemeral storage of burnafter is handled by either a gRPC server launched by the client library (server mode) or encrypted file-based storage (fallback mode). The client library automatically selects the appropriate mode based on server availability.
When a secret needs to be stored, the burnafter client library checks if the
server for the binary is running and if not attempts to start it. If server
startup fails or is disabled via NoServer option, the client transparently
falls back to encrypted file storage.
┌─────────────┐
│ Client │
│ (Binary) │
└──────┬──────┘
│ Unix Socket
│ + gRPC
│ + Peer Credentials
↓
┌─────────────┐
│ Server │
│ (Daemon) │
├─────────────┤
│ Secrets │
│ Linux: │
│ → Kernel │
│ Keyring │
│ Others: │
│ → Memory │
└─────────────┘
- Linux: Secrets stored in kernel keyring (never swapped to disk, process-isolated)
- Others: Secrets stored in memory only (never written to disk)
- Unix socket communication with peer credential verification
- Server auto-starts on first use
- Server auto-shuts down when all secrets expire or after inactivity timeout
- Binary hash-based socket paths prevent cross-binary access
- Strongest security guarantees
┌─────────────┐
│ Client │
│ (Binary) │
└──────┬──────┘
│
│ Direct file I/O
↓
┌─────────────┐
│ /tmp/... │
│ Encrypted │
│ Files │
│ (One per │
│ secret) │
└─────────────┘
- Secrets encrypted with AES-256-GCM and stored as files in
/tmp - Automatic when server startup fails or
NoServeroption is set - TTL enforcement via embedded expiry timestamps
- Deterministic file paths allow secret retrieval across invocations
- Weaker security than server mode (secrets persist on disk)
NoServeroption explicitly set in client options- Server startup fails (permissions, SELinux, etc.)
- Platform doesn't support Unix sockets (e.g., Windows in future)
- Socket path derived from binary SHA256 hash:
/tmp/burnafter-{hash[:16]}.sock - Different binary versions cannot access each other's secrets
- Recompiling with different nonce creates isolated secret store
- Unix socket peer credential verification (
SO_PEERCREDon Linux,LOCAL_PEERCREDon macOS) - Server validates:
- Client binary hash matches server's parent binary
- Client nonce matches server's compile-time nonce
- Client UID/PID from socket credentials
- Linux: Secrets stored in kernel keyring (process-scoped, never swapped to disk)
- Others: Secrets encrypted in memory using AES-256-GCM
- Secrets never written to disk in either case
- Keys derived on-demand, never stored
- Server restart makes all secrets unrecoverable
Key = AES256(
input: session_id + client_nonce + binary_hash + secret_name
salt: binary_hash
iterations: 100000 (PBKDF2-SHA256)
)
- Maximum 100 secrets per server (configurable via
MaxSecrets) - Maximum 1 MB per secret (configurable via
MaxSecretSize) - Inactivity timeout (default: disabled, configurable)
- Algorithm: AES-256-GCM (authenticated encryption)
- Key derivation: PBKDF2-SHA256 with 100,000 iterations
- Random nonce per secret (12 bytes)
- Authentication tag prevents tampering
Key = PBKDF2-SHA256(
input: client_nonce + binary_hash + secret_name
salt: SHA256(secret_name)
iterations: 100000
)[version:1][nonce:12][expiry:8][ciphertext+tag:N]
│ │ │ └─ Encrypted secret + GCM tag
│ │ └─────────── Unix timestamp (absolute expiry)
│ └───────────────────── AES-GCM nonce (random)
└─────────────────────────────── File format version (1)
- Location:
/tmp/burnafter-{binary_hash[:16]}-{secret_hash[:16]} - Deterministic: Same binary + secret name = same file path
- Permissions: 0600 (owner read/write only)
- No file extension (opaque)
- Expiry timestamp embedded in encrypted file
- Checked on every
Get()operation - Expired files automatically deleted
- Background cleanup runs on each Store/Get/Delete
| Feature | Server Mode | Fallback Mode |
|---|---|---|
| Secret Storage | Linux: Kernel keyring Others: Memory only |
Encrypted files in /tmp |
| Persistence | Lost on restart | Persists until TTL/OS cleanup |
| Authentication | Unix peer credentials | Binary hash + nonce |
| Encryption | AES-256-GCM | AES-256-GCM |
| Key Derivation | PBKDF2 (session-based) | PBKDF2 (deterministic) |
| Cross-invocation | ❌ No (new session) | ✅ Yes (same binary) |
| Disk traces | ❌ None | |
| Platform support | Linux, macOS | All platforms |
| SELinux compatible | ✅ Yes |
-
Binary Updates: Updating the client binary invalidates all secrets (by design)
- Binary hash changes, making keys underivable
- New binary cannot decrypt secrets from old binary
-
Same User Access: Processes running as the same user can potentially access secrets
- Server mode: Can attach debugger to server process memory
- Fallback mode: Can read encrypted files (but need key)
- Both modes: Still requires key derivation (nonce + binary hash)
-
Key Derivation: Encryption keys never stored; derived on-demand from:
- Client nonce (compile-time constant)
- Binary SHA256 hash
- Secret name
- Session ID (server mode only)
-
Memory Attacks:
- Memory dumps may reveal secrets in both modes
- Server mode (Linux): Secrets in kernel keyring (harder to extract than user-space memory)
- Server mode (Others): Secrets in server process memory
- Fallback mode: Secrets briefly in client process during encrypt/decrypt
- Mitigation: Use memory locking if available, prefer Linux for kernel keyring protection
-
Server Restart: Restarting the server makes all secrets unrecoverable
- Session ID is randomly generated on startup
- Old session ID makes keys underivable
-
Unix Socket Permissions: Access controlled by filesystem permissions (0600)
- Only owning user can connect to socket
- Peer credentials provide additional verification
-
Process Lifetime: Server runs as daemon process
- Detached from parent (Setsid)
- Auto-shuts down when idle or no secrets remain
- Can be manually killed:
pkill -f burnafter.*server
-
Disk Persistence: Secrets persist as encrypted files
- OS temp directory cleanup is eventual, not immediate
- Files deleted automatically when TTL expires
- Manual cleanup:
rm /tmp/burnafter-{hash}-*
-
File System Security:
- Relies on OS file permissions (0600)
- Encrypted tmpfs is recommended for additional security
- Consider using
shredor secure deletion if needed
-
Cross-Invocation Access: Same binary can retrieve secrets across runs
- Useful for CI/CD pipelines, scripts
- Different from server mode's session-isolated storage
✅ Accidental secret exposure in logs/environment variables ✅ Secrets persisting after process termination (server mode) ✅ Cross-binary secret access (different applications) ✅ Unauthorized network access (local-only via Unix socket) ✅ Secret tampering (GCM authentication) ✅ Time-based secret expiry enforcement
❌ Root/admin access (attaching to process) ❌ Physical access to system (cold boot attacks) ❌ Malicious code in same process ❌ Side-channel attacks (timing, power analysis)
-
Use Server Mode When Possible: Provides strongest security guarantees
-
Set Strong Nonces: Use unique, random nonce for each application
opts := options.DefaultClient opts.Nonce = "random-unique-value-per-app-12345"
-
Configure TTLs Appropriately:
- Short TTLs for high-security scenarios (minutes)
- Longer TTLs for development/testing (hours)
- Use absolute expiration for specific deadlines
-
Monitor Server Lifecycle:
- Enable debug mode during development:
opts.Debug = true - Check logs for startup failures
- Verify fallback mode isn't being used unintentionally
- Enable debug mode during development:
-
Secure Temp Directory:
- Use encrypted tmpfs for
/tmpif possible - Consider setting
TMPDIRto encrypted volume - Regularly clean old fallback files
- Use encrypted tmpfs for
-
Binary Distribution:
- Sign binaries for macOS/Windows distribution
- Notarize for macOS App Store distribution
- Document nonce value for reproducible builds (if needed)
- Secret Storage: Uses the kernel keyring (
KEY_SPEC_PROCESS_KEYRING) for maximum security- Secrets stored in kernel space (never swapped to disk)
- Process-isolated (automatic cleanup when server exits)
- Falls back to memory storage if keyring unavailable
- Server Execution: Uses
memfd_createfor in-memory execution (when available)- Fallback to temp file if SELinux blocks memfd execution
- Peer Credentials:
SO_PEERCREDsocket option for client authentication
- Server mode: Extracts server binary to
/tmp(no memfd equivalent) - Peer credentials:
LOCAL_PEERCREDsocket option
- Server mode: Not yet supported (no Unix sockets)
- Fallback mode: Primary mechanism, much less secure as it is file-based
- Named pipes: Potential future server mode transport
- Symmetric Encryption: AES-256-GCM
- Key Derivation: PBKDF2-HMAC-SHA256
- Hashing: SHA-256
- Random Generation:
crypto/rand(Go stdlib)
- PBKDF2 Iterations: 100,000
- AES Key Size: 256 bits (32 bytes)
- GCM Nonce Size: 96 bits (12 bytes)
- GCM Tag Size: 128 bits (16 bytes)
Server Mode:
sessionID (random 32 hex chars)
+ clientNonce (compile-time constant)
+ binaryHash (SHA256 of executable)
+ secretName (user-provided)Fallback Mode:
clientNonce (client defined constant)
+ binaryHash (SHA256 of executable)
+ secretName (user-provided)Salt: SHA256(secretName) in fallback, binaryHash in server mode
- Uses
crypto/rand.Reader(cryptographically secure) - GCM nonces are randomly generated per encryption
- Server session IDs are randomly generated on startup
- No PRNG seeding required (handled by OS)