HACKERALERT
commented
1 year ago Yeah as you've mentioned, the memory will be freed eventually. I'm pretty sure this is a Go garbage collector thing where it frees the memory internally but doesn't return it to the system immediately to reduce expensive memory operations. Using debug.FreeOSMemory() will free the memory usage immediately, but I don't think using the debug package is a good idea in production-level software. On a low-memory system, I've found experimentally that the extra memory usage for subsequent Argon2 operations doesn't seem to affect anything, the memory that is internally freed is just reused. So I think it's okay to assume that the average user has at least 2 GB memory since anything below that and the limiting factor would be Argon2 running on a slow CPU which would make it impossible to run Argon2 in quick succession anyways. Most systems come with at least 8 GB these days so I don't think it's necessary to warn the user. Thanks for reporting!
hakavlad
Host: Debian 11. Running the latest
Picocrypt.AppImage.At the start picocrypt uses 2 MiB memory (VmRSS). After encrypting one file: 1 GiB. After encrypting the second file: 2 GiB VmRSS. Seems like picocrypt does not clear argon output from its memory.
Upd: Memory usage returned to 2MB after some time of inactivity.
Suggestion: add warning to README.md: picocrypt uses up to 2 GB of memory. In some situations, the use of picocrypt can lead to Out of Memory.
Expected Behavior: Memory usage drops to 2 MB immediately after KDF execution finishes.