Zero-Trust Mode
Bauxite is designed to operate in environments where data persistence is a liability. When Zero-Trust Mode is enabled, the intercept acts as a stateless conduit, enforcing a strict “No-Disk” policy.
The Straitjacket Architecture
Unlike traditional proxies that log requests to disk or use local databases for caching, Bauxite in Zero-Trust Mode uses a volatile, memory-only architecture.
Core Guarantees
| Guarantee | Technical Implementation |
|---|---|
| No Disk I/O | The binary is compiled without database drivers and ignores os.WriteFile calls. |
| Ephemeral Vaults | PII mappings are stored in a sync.Pool that is explicitly cleared on stream termination. |
| Rootless Execution | Optimized to run in containers with readOnlyRootFilesystem: true. |
| Memory Ceiling | Hard 20MB limit ensures no “runaway” data collection can occur in RAM. |
Enabling Zero-Trust
To enable full Zero-Trust protections, set the following environment variables in your deployment:

```bash
# Enforce memory-only operations
BAUXITE_ZERO_TRUST=true
# Disable all internal logging of request/response bodies
BAUXITE_LOG_LEVEL=warn
# Set the Go runtime memory limit (GOMEMLIMIT is a soft limit; the runtime does not panic when it is exceeded)
GOMEMLIMIT=18MiB
```

In-Depth: Memory Sanitization
When a request is completed, Bauxite doesn’t just “forget” the data. We use an Explicit Purge pattern to ensure sensitive strings are overwritten in memory before the garbage collector reclaims the space.
```go
// internal/proxy/vault.go
func (v *SessionVault) Close() {
	v.mu.Lock()
	defer v.mu.Unlock()
	for k, val := range v.data {
		// Zero out the underlying byte slice
		wipe(val)
		delete(v.data, k)
	}
}
```

Warning: While Bauxite ensures it does not write to disk, users should ensure that the host OS “swap” is disabled (swapoff -a) to prevent the kernel from moving memory pages to the disk.
Verification
You can verify that Bauxite is not touching the disk by using strace or lsof during a high-load test:

```bash
# Check for open file descriptors (should only be network sockets)
lsof -p $(pgrep bauxite)
```
If any write attempt is detected to the filesystem, the process will log a critical security violation and terminate (Fail-Closed).
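An lsof listing is a point-in-time snapshot and misses files that are opened and closed between samples, so a syscall trace is the stronger check. The following shell function is an added example, not part of Bauxite or its documentation: it scans an strace capture for opens that request write access. The capture command in the comment, the excluded /dev, /proc and /sys prefixes, and the sample log are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Bauxite code): audit an strace capture for write-intent opens.
# Assumed capture command (real strace flags; process name taken from the page):
#   strace -f -e trace=%file -o bauxite.strace -p "$(pgrep -o bauxite)"

# Reads strace output on stdin. Prints "<syscall> <path> <result>" for every
# open that asks for write access to a path outside /dev, /proc and /sys.
# Returns 1 if anything was printed, 0 if the capture is clean.
audit_strace_writes() {
  awk '
    # Strip the PID prefix: "1234 " with -o, "[pid 1234] " when attached to a tty.
    { sub(/^\[pid +[0-9]+\] +/, ""); sub(/^[0-9]+ +/, "") }
    /^(open|openat|creat)\(/ {
      if (match($0, /"[^"]*"/) == 0) next
      path = substr($0, RSTART + 1, RLENGTH - 2)
      if (path ~ /^\/(dev|proc|sys)\//) next    # pseudo-filesystems, not disk
      name = $0; sub(/\(.*/, "", name)
      if (name != "creat" && $0 !~ /O_(WRONLY|RDWR|CREAT|TRUNC|APPEND)/) next
      result = $0                               # failed calls are kept: still an attempt
      if (!sub(/.*\) += +/, "", result)) result = "unfinished"
      print name, path, result
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample capture (not real Bauxite output; paths are placeholders).
sample_strace_log() {
  cat <<'EOF'
4021 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 3
4021 openat(AT_FDCWD, "/dev/null", O_WRONLY) = 4
4022 openat(AT_FDCWD, "/data/example.db", O_RDWR|O_CREAT|O_CLOEXEC, 0600) = -1 EROFS (Read-only file system)
4022 openat(AT_FDCWD, "/tmp/req-body.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 7
EOF
}
```

Run it as `audit_strace_writes < bauxite.strace`; a non-zero exit status means at least one write-intent open was recorded, including ones the read-only root filesystem rejected.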