Hello fellow crypto friends!

I need your help on a small piece of software I'm working on: safe.

It is a pass(1)-like application used to store passwords, but I want to drop usage of asymmetric keys and use only a master password instead (ie. symmetric encryption), so all I need to do to unlock my password store is a master password.

There is one neat feature that I like with gpg though: gpg-agent. I would like to have something similar with my master password approach, so I don't have to type my password every time I want to encrypt/decrypt a password.

I know that there are multiple security implications with it, but I'm no security expert, so I would like your input/advice on this topic.

From the top of my head, here are the security concerns I should have:

• DO NOT store master password in memory --> sha256() it
  
• DO NOT store secrets in memory --> ???? I don't think I can avoid that. At least I can store smaller "chunks" for in/output
  
• NEVER keep decrypted secrets in memory --> memset() the secrets address after usage
  
• NEVER write decrypted secrets anywhere --> output to stdout only
  

What should I add to this list? Are there things I should change?

BONUS QUESTION:
Do you guys understand how the "encrypt(3)" function from unistd.h works (don't judge me) ?
It seems to take a 64bits message and return the 64bits equivalent, encrypted. Which means that my encrypted message will have the same size as the ciphertext... I'm not security expert, but it looks like a security issue right?
Answering my own question from the man page:

Quote:Because they employ the DES block cipher, which is no longer considered secure, crypt(), crypt_r(), setkey(), and setkey_r() were removed in glibc 2.28. Applications should switch to a modern cryptography library, such as libgcrypt.

Thanks for your help!