Add Secure Enclave unlocker for hardware-backed secret protection

Adds a new "secure-enclave" unlocker type that stores the vault's long-term private key encrypted by a non-exportable P-256 key held in the Secure Enclave hardware. Decryption (ECDH) is performed inside the SE; the key never leaves the hardware. Uses CryptoTokenKit identities created via sc_auth, which allows SE access from unsigned binaries without Apple Developer Program membership. ECIES (X963SHA256 + AES-GCM) handles encryption and decryption through Security.framework. New package internal/macse/ provides the CGo bridge to Security.framework for SE key creation, ECIES encrypt/decrypt, and key deletion. The SE unlocker directly encrypts the vault long-term key (no intermediate age keypair).
2026-03-11 06:17:34 +07:00
parent 128c53a11d
commit 4adeeae1db
10 changed files with 1154 additions and 61 deletions
--- a/internal/macse/macse_stub.go
+++ b/internal/macse/macse_stub.go
@@ -0,0 +1,29 @@
+//go:build !darwin
+// +build !darwin
+
+// Package macse provides Go bindings for macOS Secure Enclave operations.
+package macse
+
+import "fmt"
+
+var errNotSupported = fmt.Errorf("secure enclave is only supported on macOS") //nolint:gochecknoglobals
+
+// CreateKey is not supported on non-darwin platforms.
+func CreateKey(_ string) ([]byte, string, error) {
+	return nil, "", errNotSupported
+}
+
+// Encrypt is not supported on non-darwin platforms.
+func Encrypt(_ string, _ []byte) ([]byte, error) {
+	return nil, errNotSupported
+}
+
+// Decrypt is not supported on non-darwin platforms.
+func Decrypt(_ string, _ []byte) ([]byte, error) {
+	return nil, errNotSupported
+}
+
+// DeleteKey is not supported on non-darwin platforms.
+func DeleteKey(_ string) error {
+	return errNotSupported
+}