From 991b1a5a0ba69551db94ffd6cae068b8f20e65b6 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 8 Feb 2026 12:05:09 -0800
Subject: [PATCH] fix: remove redundant longterm.age encryption in Init command
CreatePassphraseUnlocker already encrypts and writes the long-term private key to longterm.age. The Init command was doing this a second time, overwriting the file with a functionally equivalent but separately encrypted blob. This was wasteful and a maintenance hazard.
---
 internal/cli/init.go | 33 ++-------------------------------
 1 file changed, 2 insertions(+), 31 deletions(-)
diff --git a/internal/cli/init.go b/internal/cli/init.go
index 1167f7c..bb733be 100644
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@@ -7,12 +7,10 @@ import (
 "path/filepath"
 "strings"
 
- "filippo.io/age"
 "git.eeqj.de/sneak/secret/internal/secret"
 "git.eeqj.de/sneak/secret/internal/vault"
 "git.eeqj.de/sneak/secret/pkg/agehd"
 "github.com/awnumar/memguard"
- "github.com/spf13/afero"
 "github.com/spf13/cobra"
 "github.com/tyler-smith/go-bip39"
 )
@@ -154,35 +152,8 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 return fmt.Errorf("failed to create unlocker: %w", err)
 }
 
- // Encrypt long-term private key to the unlocker
- unlockerDir := passphraseUnlocker.GetDirectory()
-
- // Read unlocker public key
- unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
- if err != nil {
- return fmt.Errorf("failed to read unlocker public key: %w", err)
- }
-
- unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
- if err != nil {
- return fmt.Errorf("failed to parse unlocker public key: %w", err)
- }
-
- // Encrypt long-term private key to unlocker
- // Use memguard to protect the private key in memory
- ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
- defer ltPrivKeyBuffer.Destroy()
-
- encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
- if err != nil {
- return fmt.Errorf("failed to encrypt long-term private key: %w", err)
- }
-
- // Write encrypted long-term private key
- ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
- if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
- return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
- }
+ // Note: CreatePassphraseUnlocker already encrypts and writes the long-term
+ // private key to longterm.age, so no need to do it again here.
 
 if cmd != nil {
 cmd.Printf("\nDefault vault created and configured\n")
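Review bot: Init now reports success without any check that the new unlocker actually produced longterm.age, so a regression in CreatePassphraseUnlocker (or a write error swallowed there) would leave a vault whose long-term key cannot be recovered from the passphrase unlocker, whereas the removed code failed loudly on every step. I cannot see CreatePassphraseUnlocker from this hunk, so this assumes it does not verify the write itself. A cheap invariant check after the `if err != nil` block would keep the new comment honest: `ok, err := afero.Exists(cli.fs, filepath.Join(passphraseUnlocker.GetDirectory(), "longterm.age"))`, `if err != nil { return fmt.Errorf("checking longterm.age: %w", err) }`, `if !ok { return fmt.Errorf("unlocker did not write longterm.age") }` — note this needs the `afero` import that the first hunk drops. Either way, the replacement comment reads better as a stated responsibility than a note, e.g. `// CreatePassphraseUnlocker owns encrypting the long-term private key to the new unlocker and writing longterm.age; Init must not write that file itself.` Init's body starts and ends outside this hunk.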