Update README.md

radumarias · Jun 5, 2024 · 08388fe · 08388fe
1 parent 47f4038
commit 08388fe
Showing 1 changed file with 41 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -336,8 +336,9 @@ You will notice in the examples we initiate the `Cipher` from something like thi
 
 # Security
 
-**For security reasons it's a good practice to lock the memory with `mlock()` in which you keep sensitive data like passwords or encrryption keys, or any other plaintext sensitive content.**  
-In the examples below you will see how to do it
+**For security reasons it's a good practice to lock the memory with `mlock()` in which you keep sensitive data like passwords or encrryption keys, or any other plaintext sensitive content. Also it's important to zeroize the data when not used anymore.**  
+**In the case of [Copy-on-write fork](https://en.wikipedia.org/wiki/Copy-on-write) you need to zeroize the memory before forking the child process.**  
+In the examples below you will see how to do it.
 
 # Examples
 
@@ -627,6 +628,44 @@ if __name__ == "__main__":
         print("bye!")
 ```
 
+## Zeroing memory before forking child process
+
+This mitigates the problems that appears on [Copy-on-write fork](https://en.wikipedia.org/wiki/Copy-on-write). You need to zeroize the data before forking the child process.
+```python
+""" In the case of [Copy-on-write fork](https://en.wikipedia.org/wiki/Copy-on-write) you need to zeroize the memory before forking the child process. """
+
+import os
+from zeroize import zeroize1, mlock, munlock
+
+
+if __name__ == "__main__":
+    try:
+        # Maximum you can mlock is 4MB
+        sensitive_data = bytearray(b"Sensitive Information")
+        mlock(sensitive_data)
+
+        print("Before zeroization:", sensitive_data)
+
+        zeroize1(sensitive_data)
+        print("After zeroization:", sensitive_data)
+
+        # Forking after zeroization to ensure no sensitive data is copied
+        pid = os.fork()
+        if pid == 0:
+            # This is the child process
+            print("Child process memory after fork:", sensitive_data)
+        else:
+            # This is the parent process
+            os.wait()  # Wait for the child process to exit
+
+        print("all good, bye!")
+
+    finally:
+        # Unlock the memory
+        print("unlocking memory")
+        munlock(sensitive_data)
+```
+
 # Build from source
 
 ## Browser