You have to make sure that none of the sensitive data is put into an immutable data type (e.g., you cannot use String), because when you are done with the sensitive data, you need to be able to overwrite it.
You will probably keep the meat of the private key in a byte array (since this is exactly what getEncoded()
returns). When you are done with the private key, fill the byte array with zeros (or whatever).
You may need to implement your own version of PrivateKey, so you can add this new functionality (because you cannot guarantee that the provided implementation returns an alias to the actual array rather than a copy).
You also need to worry about any callers of getEncoded()
, because the caller could keep a copy of the data.