I got sloppy here in a Stripe integration: 
https://github.com/zyrolasting/stripe-integration/blob/master/main.rkt#L31

I'm not an InfoSec expert, but I know I'd like to secure the secret key used 
here in memory instead of using a parameter.

I'd probably encrypt the value provided by a client module and store it 
(write-only from the client's perspective) using set-box!. But I have several 
other questions:

1. Does the garbage collector keep a clear text copy of the secret in memory 
before I encrypt it? If so, how can I make it easy for a client module to set 
the secret key AND make it such that a garbage collection pass will remove the 
clear secret from RAM?

2. Are there any existing cross-platform Racket projects that can proactively 
keep secrets away from the garbage collector and swap space? Nothing relevant 
comes up for "secret", "security" or "swap" on the package index.

3. Are there any other intermediaries in a Racket process that might keep a 
copy of a cleartext secret?

~slg
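The write-only holder sketched above, as an added example in Racket (this is not code from the post or from the stripe-integration repository; the module, the function names and the `secret-box` variable are assumptions). The key is kept in a mutable byte string so the one buffer this module owns can be overwritten in place with `bytes-fill!`, and callers only ever get to run a procedure against the key rather than read it back.

```racket
#lang racket/base
;; Added example, not from the original post or the stripe-integration repo.
;; A write-only secret holder: a client module can set the key and ask this
;; module to use it, but cannot read it back. The key lives in a mutable byte
;; string so it can be zeroed in place (bytes-fill!) when no longer needed.
;; The names set-secret-key!, clear-secret-key! and call-with-secret-key are
;; hypothetical; they are not part of any existing library.

(provide set-secret-key! clear-secret-key! call-with-secret-key)

;; Holds the only reference to our mutable copy of the key, or #f.
(define secret-box (box #f))

;; Copy the caller's bytes into a fresh mutable byte string so that this
;; module controls the one buffer it will later zero. The caller is expected
;; to zero its own copy (bytes-fill! k 0) once this returns.
(define (set-secret-key! k)
  (unless (bytes? k)
    (raise-argument-error 'set-secret-key! "bytes?" k))
  (clear-secret-key!)
  (set-box! secret-box (bytes-copy k)))

;; Overwrite the stored key with zeros, then drop the reference.
(define (clear-secret-key!)
  (define old (unbox secret-box))
  (when old
    (bytes-fill! old 0)
    (set-box! secret-box #f)))

;; Run f with the key without ever returning the key itself. Only the result
;; of f goes back to the caller; f must not stash k anywhere.
(define (call-with-secret-key f)
  (define k (unbox secret-box))
  (unless k
    (error 'call-with-secret-key "no secret key has been set"))
  (f k))

(module+ main
  ;; Constructed sample value, not a real key. The #"..." literal is immutable,
  ;; so bytes-copy is needed to get a buffer the caller can zero afterwards.
  (define k (bytes-copy #"sk_test_example_value"))
  (set-secret-key! k)
  (bytes-fill! k 0) ; the caller's copy is now all zeros
  (call-with-secret-key
   (lambda (key) (printf "key length: ~a bytes\n" (bytes-length key))))
  (clear-secret-key!))
```

Two caveats apply to the questions the post raises. `bytes-fill!` wipes only the buffer this module owns: any earlier copy (the original literal, a `string->bytes/utf-8` conversion, an intermediate from reading a config file) is a separate object that the collector frees without clearing, and because Racket's collector is a copying one, a surviving object may also leave a stale image of itself in the space it was moved out of until that memory is reused. Keeping the key in `bytes` rather than a `string` avoids at least the extra copies that a string parameter and its later conversion to bytes would create.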
