On 22/06/2020 18:28, Martin Elshuber wrote:
> I might be blind, but I just cannot find the location where this
> plaintext data is
> zeroized, neither by OPENSSL_cleanse() nor memset().
>
> Am I blind, or is this just not done? Shouldn't there be a way to do
> this just like
> it is already done with keys?

We don't currently do this. There would likely be some significant
performance impacts for doing this with all plaintext. That said it
might be a nice optional feature to add.

Matt
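An application-side sketch of the scrubbing asked about above, as an added example that is not part of the original thread and is not OpenSSL code: the caller wipes its own plaintext buffer on release, and a high-water mark limits the wipe to bytes that ever held data, which bounds the cost. `plaintext_cleanse` is a hypothetical stand-in for `OPENSSL_cleanse()`, `pt_buf` and its functions are hypothetical names, and the sample plaintext is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for OPENSSL_cleanse(): calling memset through a
 * volatile function pointer stops the compiler from dropping the wipe as a
 * dead store, which it may do with a plain memset() on a dying buffer. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

static void plaintext_cleanse(void *p, size_t n) { if (p && n) wipe_fn(p, 0, n); }

/* Caller-owned plaintext buffer (hypothetical type). high_water records the
 * most bytes written since the last scrub, so release wipes only the part
 * that ever held data instead of the whole allocation. */
typedef struct {
    unsigned char data[4096];
    size_t len;
    size_t high_water;
} pt_buf;

/* Copy decrypted bytes in; a shorter message leaves the previous tail behind. */
static int pt_buf_fill(pt_buf *b, const void *src, size_t n) {
    if (n > sizeof b->data) return -1;
    memcpy(b->data, src, n);
    b->len = n;
    if (n > b->high_water) b->high_water = n;
    return 0;
}

/* Scrub everything that was ever written, including stale tails. */
static void pt_buf_release(pt_buf *b) {
    plaintext_cleanse(b->data, b->high_water);
    b->len = 0;
    b->high_water = 0;
}

/* Count non-zero bytes still present anywhere in the buffer. */
static size_t pt_buf_residue(const pt_buf *b) {
    size_t i, n = 0;
    for (i = 0; i < sizeof b->data; i++) n += (b->data[i] != 0);
    return n;
}

int main(void) {
    pt_buf b = {0};
    pt_buf_fill(&b, "card=4111111111111111;cvv=123", 29); /* constructed sample */
    pt_buf_fill(&b, "ok", 2);   /* 27 stale bytes remain after this */
    pt_buf_release(&b);
    return pt_buf_residue(&b) == 0 ? 0 : 1;
}
```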