refactor: rename SEP to Keychain and reorganize import commands

- Renamed sepunlock.go to keychainunlock.go
- Changed all SEP types to Keychain types (SEPUnlockKey -> KeychainUnlockKey)
- Updated type string from 'macos-sep' to 'keychain'
- Moved 'secret import' to 'secret vault import' for mnemonic imports
- Added new 'secret import <secret-name> --source <filename>' for file imports
- Updated README to replace all 'Secure Enclave' references with 'macOS Keychain'
- Updated directory structure diagrams and examples
- Fixed linter error in MarkFlagRequired call
- All tests passing, linter clean
Changed files: README.md (27 changes)
@@ -107,7 +107,7 @@ Creates a new unlock key of the specified type:
**Types:**
- `passphrase`: Password-protected unlock key
- `macos-sep`: macOS Secure Enclave unlock key (Touch ID/Face ID)
- `keychain`: macOS Keychain unlock key (Touch ID/Face ID)
- `pgp`: GPG/PGP key unlock key
**Options:**
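Review bot: the renamed `keychain` entry keeps the parenthetical "(Touch ID/Face ID)" from the old `macos-sep` line, but no Mac ships Face ID; biometric unlock on macOS is Touch ID (or Apple Watch approval). Since this hunk is rewording the entry anyway, "(Touch ID)" would be accurate, and the type-string change from `macos-sep` to `keychain` is user-visible (`secret keys add macos-sep` will stop working), so a short "formerly `macos-sep`" note here would help anyone following older instructions.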
@@ -121,11 +121,14 @@ Selects an unlock key as the current default for operations.
### Import Operations
#### `secret import [vault-name]`
#### `secret import <secret-name> --source <filename>`
Imports a secret from a file and stores it in the current vault under the given name.
#### `secret vault import [vault-name]`
Imports a mnemonic phrase into the specified vault (defaults to "default").
#### `secret enroll`
Enrolls a macOS Secure Enclave unlock key for biometric authentication.
Enrolls a macOS Keychain unlock key for biometric authentication.
### Encryption Operations
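Review bot: `secret import <secret-name> --source <filename>` reuses the exact subcommand name that until now meant "import a mnemonic into vault <name>" (moved to `secret vault import`), so an existing invocation such as `secret import backup` is now parsed as a secret named `backup`. The commit message says `--source` is marked required, which turns those old invocations into a hard error rather than a silent misuse; the README entry should say so ("`--source` is required") and should also state how the file is read (whole file as the secret value, binary or text, trailing newline kept or stripped) and whether an existing secret of the same name is overwritten. Separately, the `secret enroll` entry ("Enrolls a macOS Keychain unlock key") and `secret keys add keychain` in the examples further down both read as enrolling a Keychain unlock key; the README should say whether one is an alias for the other.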
@@ -154,7 +157,7 @@ $BASE/ # ~/.config/berlin.sneak.pkg.secret
│ │ │ ├── pub.age # Unlock key public key
│ │ │ ├── priv.age # Unlock key private key (encrypted)
│ │ │ └── longterm.age # Long-term private key (encrypted to this unlock key)
│ │ ├── sep/ # Secure Enclave unlock key
│ │ ├── keychain/ # Keychain unlock key
│ │ │ ├── unlock-metadata.json
│ │ │ ├── pub.age
│ │ │ ├── priv.age
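Review bot: renaming the on-disk directory from `sep/` to `keychain/` (together with the `macos-sep` to `keychain` type string in `unlock-metadata.json` mentioned in the commit message) means a vault enrolled before this change will not be found under the new layout. The README should state whether existing `sep/` entries are migrated automatically or must be re-enrolled with `secret keys add keychain`; if re-enrollment generates a new unlock keypair, the `longterm.age` copy encrypted to the old unlock key (see the `longterm.age` line in the context above) has to be re-created while another unlock key, for example the `passphrase` one, is still usable.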
@@ -193,8 +196,8 @@ Unlock keys provide different authentication methods to access the long-term key
- Private key encrypted using a user-provided passphrase
- Stored as encrypted Age identity in `priv.age`
2. **macOS Secure Enclave Keys**:
- Private key stored in the Secure Enclave
2. **macOS Keychain Keys**:
- Private key stored in the macOS Keychain
- Requires biometric authentication (Touch ID/Face ID)
- Provides hardware-backed security
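Review bot: the bullet "Provides hardware-backed security" is left unchanged, but the line above it now says the private key is stored in the macOS Keychain rather than in the Secure Enclave. A Keychain item is encrypted at rest and its access can be gated by a biometric prompt, but the key material is readable by software once the item is unlocked; it is only hardware-backed when the key is created as a Secure Enclave-resident key, which is what this commit moves away from. Either reword to "Access gated by a Keychain access-control prompt (Touch ID)" or keep the hardware claim only if the implementation still creates a Secure Enclave key behind the Keychain item.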
@@ -232,7 +235,7 @@ Unlock keys provide different authentication methods to access the long-term key
- Long-term keys protected by multiple unlock key layers
### Hardware Integration
- macOS Secure Enclave support for biometric authentication
- macOS Keychain support for biometric authentication
- Hardware token support via PGP/GPG integration
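Review bot: "macOS Keychain support for biometric authentication" now sits under the "### Hardware Integration" heading next to PGP hardware tokens, but the Keychain is a software store; either rename the heading (for example "### Platform and Hardware Integration") or move the Keychain bullet out of it, so the section title does not imply a hardware root that the Keychain entry no longer claims.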
## Examples
@@ -263,7 +266,7 @@ secret vault create personal
# Work with work vault
secret vault select work
echo "work-db-pass" | secret add database/password
secret keys add macos-sep # Add Touch ID authentication
secret keys add keychain # Add Touch ID authentication
# Switch to personal vault
secret vault select personal
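Review bot: the comment `# Add Touch ID authentication` on `secret keys add keychain` drops the platform qualifier that the later example carries (`# Touch ID (macOS only)`); since this is the first place a reader meets the command, add "(macOS only)" here as well so the two examples agree.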
@@ -277,7 +280,7 @@ secret vault list
```bash
# Add multiple unlock methods
secret keys add passphrase # Password-based
secret keys add macos-sep # Touch ID (macOS only)
secret keys add keychain # Touch ID (macOS only)
secret keys add pgp --keyid ABCD1234 # GPG key
# List unlock keys
@@ -313,8 +316,8 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
- **Configuration**: JSON configuration files
### Cross-Platform Support
- **macOS**: Full support including Secure Enclave integration
- **Linux**: Full support (excluding Secure Enclave features)
- **macOS**: Full support including Keychain integration
- **Linux**: Full support (excluding Keychain features)
- **Windows**: Basic support (filesystem operations only)
## Security Considerations
@@ -326,7 +329,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
### Best Practices
1. Use strong, unique passphrases for unlock keys
2. Enable hardware authentication (Secure Enclave, hardware tokens) when available
2. Enable hardware authentication (Keychain, hardware tokens) when available
3. Regularly audit unlock keys and remove unused ones
4. Keep mnemonic phrases securely backed up offline
5. Use separate vaults for different security contexts
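Review bot: best-practice item 2 now lists "Keychain" under "hardware authentication"; a Keychain unlock key adds a biometric gate, not a hardware root, so "Enable biometric or hardware authentication (Keychain on macOS, hardware tokens) when available" says what the feature actually provides. While editing this list, it is also worth telling the reader to keep at least two unlock keys enrolled (item 3 only says to remove unused ones): a vault whose only unlock key is a Keychain key on one Mac can be opened elsewhere only by restoring the mnemonic from item 4 via `secret vault import`.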