ZeroizePy v1.1.0 – Quick Start, Threat Model, and Cross-Platform Fixes

[SteveParadox]

ZeroizePy v1.1.0

Release Date: 2025-12-04

New Features

• Added a Quick Start “Hello World” example for fast onboarding.

• Enhanced Windows support for SecureMemory (with caveats due to OS memory handling).

• Added threat model section in documentation.

• Expanded security notes for cross-platform behaviors.

Cross-Platform Behavior Highlights

• Linux/macOS

  • Fully supports symlink handling and follow_symlinks options.

  • Sparse file detection via heuristics.

  • SecureMemory zeroing observable in tests (with libsodium recommended for guarded pages).

• Windows

  • Some behaviors differ; tests skip unreliable cases.

  • SecureMemory zeroing is less observable due to Python memory copies and OS protections.

  • Memory locking relies on libsodium; fallback available but less secure.

• File Systems

  • COW filesystems (btrfs, ZFS) and SSDs may not fully erase overwritten blocks; cryptographic erase recommended.

Security Notes

• Immutable Python objects (bytes, str) cannot be securely zeroed; prefer bytearray or memoryview.

• Always use .close() or context managers to guarantee zeroing of memory buffers.

• OS-level erase wrappers (hdparm, NVMe format, diskutil, BitLocker) are dangerous; use only with full understanding.

• Python garbage collector may temporarily retain memory; cryptographic erasure mitigates risk for encrypted data.

Threat Model

ZeroizePy protects against:

• Forensic recovery of overwritten files.

• Accidental retention of plaintext in process memory.

• Recovery after cryptographic key destruction.

• Undeleted temp files and leaked memory buffers.

• Users mistakenly loading sensitive data into Python bytes.

ZeroizePy cannot defend against:

• Full-disk snapshots (btrfs, ZFS, VM snapshots).

• SSD wear-leveling remapping.

• Kernel-level memory scanners or DMA attacks.

• Malware running inside the same Python process.

• Cloud-provider persistent block-level backups outside your control.

Partial mitigations

Risk | Mitigation in ZeroizePy -- | -- SSD wear-leveling | Recommend cryptographic erasure Python copies memory | Encourage bytearray / memoryview usage OS restrictions on locked pages | Fallback with warnings Hard failures during deletion | Raises FileAccessError

Fixes & Improvements

• Fixed file wiping edge cases on sparse files.

• Updated documentation with cross-platform limitations and security recommendations.

• Minor API refinements and cleanup based on community feedback.

---

Changelog Reference

• See CHANGELOG.md for full version history, including the original 1.0.0 release and planned features.

---

This discussion was created from the release ZeroizePy v1.1.0 – Quick Start, Threat Model, and Cross-Platform Fixes .