#security #memory


A data type suitable for storing sensitive information such as passwords and private keys in memory, featuring constant time equality, mlock and zeroing out

7 unstable releases

Uses old Rust 2015

0.4.0 Feb 8, 2020
0.3.2 May 23, 2019
0.3.1 Sep 4, 2018
0.3.0 Jun 2, 2017
0.1.0 Sep 9, 2015

#23 in #memory

Download history 3192/week @ 2021-02-26 1959/week @ 2021-03-05 1765/week @ 2021-03-12 1681/week @ 2021-03-19 1935/week @ 2021-03-26 2128/week @ 2021-04-02 2024/week @ 2021-04-09 2126/week @ 2021-04-16 2351/week @ 2021-04-23 1588/week @ 2021-04-30 1891/week @ 2021-05-07 2115/week @ 2021-05-14 1957/week @ 2021-05-21 1869/week @ 2021-05-28 1187/week @ 2021-06-04 1852/week @ 2021-06-11

10,396 downloads per month
Used in 23 crates (16 directly)


417 lines

crates.io API Docs Build Status unlicense


A Rust library that implements a data type (wrapper around Vec<u8>) suitable for storing sensitive information such as passwords and private keys in memory. Inspired by Haskell securemem and .NET SecureString.


  • constant time comparison (does not short circuit on the first different character; but terminates instantly if strings have different length)
  • automatically zeroing out in the destructor
  • mlock and madvise protection if possible
  • formatting as ***SECRET*** to prevent leaking into logs
  • (optionally) using libsodium (through sodiumoxide's libsodium-sys) for zeroing, comparison, and hashing (std::hash::Hash)
  • (optionally) de/serializable into anything Serde supports as a byte string


extern crate secstr;
use secstr::*;

let pw = SecStr::from("correct horse battery staple");

// Compared in constant time:
// (Obviously, you should store hashes in real apps, not plaintext passwords)
let are_pws_equal = pw == SecStr::from("correct horse battery staple".to_string()); // true

// Formatting, printing without leaking secrets into logs
let text_to_print = format!("{}", SecStr::from("hello")); // "***SECRET***"

// Clearing memory
// (but you can force it)
let mut my_sec = SecStr::from("hello");
assert_eq!(my_sec.unsecure(), b"\x00\x00\x00\x00\x00");

Be careful with SecStr::from: if you have a borrowed string, it will be copied.
Use SecStr::new if you have a Vec<u8>.


Please feel free to submit pull requests!

By participating in this project you agree to follow the Contributor Code of Conduct and to release your contributions under the Unlicense.

The list of contributors is available on GitHub.


This is free and unencumbered software released into the public domain.
For more information, please refer to the UNLICENSE file or unlicense.org.


~15K SLoC