clawbot/secret
1
0
Fork 0
forked from sneak/secret
Code Pull Requests Activity

Compare commits

base: clawbot:fix/issue-4
Branches Tags
clawbot:main
clawbot:fix/issue-3
clawbot:fix/issue-6
clawbot:fix/issue-4
clawbot:fix/issue-5
clawbot:fix-memory-security
sneak:main
sneak:fix-memory-security
..
compare: sneak:main
Branches Tags
sneak:main
sneak:fix-memory-security
clawbot:main
clawbot:fix/issue-3
clawbot:fix/issue-6
clawbot:fix/issue-4
clawbot:fix/issue-5
clawbot:fix-memory-security

4 Commits
fix/issue- ... main

Author SHA1 Message Date
Jeffrey Paul
6ff00c696a Merge pull request 'Remove redundant longterm.age encryption in Init command (closes #6)' (#11) from clawbot/secret:fix/issue-6 into main 
Reviewed-on: sneak/secret#11
 2026-02-09 02:39:55 +01:00
Jeffrey Paul
c6551e4901 Merge branch 'main' into fix/issue-6 2026-02-09 02:39:41 +01:00
Jeffrey Paul
b06d7fa3f4 Merge pull request 'Fix NumSecrets() always returning 0 (closes #4)' (#9) from clawbot/secret:fix/issue-4 into main 
Reviewed-on: sneak/secret#9
 2026-02-09 02:39:30 +01:00
clawbot
991b1a5a0b fix: remove redundant longterm.age encryption in Init command 
CreatePassphraseUnlocker already encrypts and writes the long-term
private key to longterm.age. The Init command was doing this a second
time, overwriting the file with a functionally equivalent but
separately encrypted blob. This was wasteful and a maintenance hazard.
 2026-02-08 12:05:09 -08:00
1 changed files with 2 additions and 31 deletions
Show Stats Expand all files Collapse all files

33
internal/cli/init.go
View File

@ -7,12 +7,10 @@ import (
"path/filepath"
"strings"
"filippo.io/age"
"git.eeqj.de/sneak/secret/internal/secret"
"git.eeqj.de/sneak/secret/internal/vault"
"git.eeqj.de/sneak/secret/pkg/agehd"
"github.com/awnumar/memguard"
"github.com/spf13/afero"
"github.com/spf13/cobra"
"github.com/tyler-smith/go-bip39"
)
@ -154,35 +152,8 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
return fmt.Errorf("failed to create unlocker: %w", err)
}
// Encrypt long-term private key to the unlocker
unlockerDir := passphraseUnlocker.GetDirectory()
// Read unlocker public key
unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
if err != nil {
return fmt.Errorf("failed to read unlocker public key: %w", err)
}
unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
if err != nil {
return fmt.Errorf("failed to parse unlocker public key: %w", err)
}
// Encrypt long-term private key to unlocker
// Use memguard to protect the private key in memory
ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
defer ltPrivKeyBuffer.Destroy()
encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
if err != nil {
return fmt.Errorf("failed to encrypt long-term private key: %w", err)
}
// Write encrypted long-term private key
ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
}
// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
// private key to longterm.age, so no need to do it again here.
if cmd != nil {
cmd.Printf("\nDefault vault created and configured\n")