secure-enclave-unlocker (#24)
Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #24 Reviewed-by: clawbot <clawbot@noreply.example.org> Co-authored-by: sneak <sneak@sneak.berlin> Co-committed-by: sneak <sneak@sneak.berlin>
This commit was merged in pull request #24.
This commit is contained in:
17
README.md
17
README.md
@@ -184,6 +184,7 @@ Creates a new unlocker of the specified type:
|
||||
- `passphrase`: Traditional passphrase-protected unlocker
|
||||
- `pgp`: Uses an existing GPG key for encryption/decryption
|
||||
- `keychain`: macOS Keychain integration (macOS only)
|
||||
- `secure-enclave`: Hardware-backed Secure Enclave protection (macOS only)
|
||||
|
||||
**Options:**
|
||||
- `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
|
||||
@@ -286,11 +287,11 @@ Unlockers provide different authentication methods to access the long-term keys:
|
||||
- Automatic unlocking when Keychain is unlocked
|
||||
- Cross-application integration
|
||||
|
||||
4. **Secure Enclave Unlockers** (macOS - planned):
|
||||
4. **Secure Enclave Unlockers** (macOS):
|
||||
- Hardware-backed key storage using Apple Secure Enclave
|
||||
- Currently partially implemented but non-functional
|
||||
- Requires Apple Developer Program membership and code signing entitlements
|
||||
- Full implementation blocked by entitlement requirements
|
||||
- Uses `sc_auth` / CryptoTokenKit for SE key management (no Apple Developer Program required)
|
||||
- ECIES encryption: vault long-term key encrypted directly by SE hardware
|
||||
- Protected by biometric authentication (Touch ID) or system password
|
||||
|
||||
Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
|
||||
|
||||
@@ -330,8 +331,7 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
|
||||
|
||||
- Hardware token support via PGP/GPG integration
|
||||
- macOS Keychain integration for system-level security
|
||||
- Secure Enclave support planned (requires paid Apple Developer Program for
|
||||
signed entitlements to access the SEP and doxxing myself to Apple)
|
||||
- Secure Enclave integration for hardware-backed key protection (macOS, via `sc_auth` / CryptoTokenKit)
|
||||
|
||||
## Examples
|
||||
|
||||
@@ -385,6 +385,7 @@ secret vault remove personal --force
|
||||
secret unlocker add passphrase # Password-based
|
||||
secret unlocker add pgp --keyid ABCD1234 # GPG key
|
||||
secret unlocker add keychain # macOS Keychain (macOS only)
|
||||
secret unlocker add secure-enclave # macOS Secure Enclave (macOS only)
|
||||
|
||||
# List unlockers
|
||||
secret unlocker list
|
||||
@@ -443,7 +444,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
|
||||
|
||||
### Cross-Platform Support
|
||||
|
||||
- **macOS**: Full support including Keychain and planned Secure Enclave integration
|
||||
- **macOS**: Full support including Keychain and Secure Enclave integration
|
||||
- **Linux**: Full support (excluding macOS-specific features)
|
||||
|
||||
## Security Considerations
|
||||
@@ -487,7 +488,7 @@ go test -tags=integration -v ./internal/cli # Integration tests
|
||||
|
||||
## Features
|
||||
|
||||
- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
|
||||
- **Multiple Authentication Methods**: Supports passphrase, PGP, macOS Keychain, and Secure Enclave unlockers
|
||||
- **Vault Isolation**: Complete separation between different vaults
|
||||
- **Per-Secret Encryption**: Each secret has its own encryption key
|
||||
- **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
|
||||
|
||||
Reference in New Issue
Block a user