Merge pull request 'Remove redundant longterm.age encryption in Init command (closes #6)' (#11) from clawbot/secret:fix/issue-6 into main

Reviewed-on: sneak/secret#11
2026-02-09 02:39:55 +01:00 · 2026-02-09 02:39:55 +01:00 · 6ff00c696a
commit 6ff00c696a
parent b06d7fa3f4 c6551e4901
1 changed files with 2 additions and 31 deletions
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@ -7,12 +7,10 @@ import (
 	"path/filepath"
 	"strings"

-	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
-	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@ -154,35 +152,8 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}

-	// Encrypt long-term private key to the unlocker
-	unlockerDir := passphraseUnlocker.GetDirectory()
-
-	// Read unlocker public key
-	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
-	if err != nil {
-		return fmt.Errorf("failed to read unlocker public key: %w", err)
-	}
-
-	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
-	if err != nil {
-		return fmt.Errorf("failed to parse unlocker public key: %w", err)
-	}
-
-	// Encrypt long-term private key to unlocker
-	// Use memguard to protect the private key in memory
-	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
-	defer ltPrivKeyBuffer.Destroy()
-
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
-	}
-
-	// Write encrypted long-term private key
-	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
-	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
-		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
-	}
+	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
+	// private key to longterm.age, so no need to do it again here.

 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")