How We Ensured API Keys Never Linger in RAM

Rust's ownership model cleans up memory automatically — but it doesn't overwrite it. A dropped String containing an API key still has its bytes sitting in physical RAM until something else claims that page. The zeroize crate fixes that. Here's every pattern we used in a production secrets vault. The Problem When you store and retrieve API keys in a credentials vault, the sensitive bytes touch several places in memory: The Argon2-derived encryption key (lives for the session) The ra