secure-enclave-unlocker (#24)

Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #24 Reviewed-by: clawbot <clawbot@noreply.example.org> Co-authored-by: sneak <sneak@sneak.berlin> Co-committed-by: sneak <sneak@sneak.berlin>
2026-03-14 07:36:28 +01:00
parent 4dc26c9394
commit a3d3fb3b69
20 changed files with 1458 additions and 82 deletions
--- a/internal/secret/derivation_index_test.go
+++ b/internal/secret/derivation_index_test.go
@@ -24,12 +24,12 @@ type realVault struct {
 func (v *realVault) GetDirectory() (string, error) {
 	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
 }
-func (v *realVault) GetName() string        { return v.name }
+func (v *realVault) GetName() string         { return v.name }
 func (v *realVault) GetFilesystem() afero.Fs { return v.fs }

 // Unused by getLongTermPrivateKey — these satisfy VaultInterface.
 func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
-func (v *realVault) GetCurrentUnlocker() (Unlocker, error)               { panic("not used") }
+func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
 func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	panic("not used")
 }
--- a/internal/secret/secret_test.go
+++ b/internal/secret/secret_test.go
@@ -284,11 +284,11 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Valid-Upper-Name", true},                             // uppercase allowed
-		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},  // real-world uppercase key ID
-		{"MixedCase/Path/Name", true},                          // mixed case with path
-		{"invalid name", false}, // space not allowed
-		{"invalid@name", false}, // @ not allowed
+		{"Valid-Upper-Name", true}, // uppercase allowed
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
+		{"MixedCase/Path/Name", true},                         // mixed case with path
+		{"invalid name", false},                               // space not allowed
+		{"invalid@name", false},                               // @ not allowed
 	}

 	for _, test := range tests {
--- a/internal/secret/seunlocker_darwin.go
+++ b/internal/secret/seunlocker_darwin.go
@@ -0,0 +1,385 @@
+//go:build darwin
+// +build darwin
+
+package secret
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"time"
+
+	"filippo.io/age"
+	"git.eeqj.de/sneak/secret/internal/macse"
+	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
+)
+
+const (
+	// seKeyLabelPrefix is the prefix for Secure Enclave CTK identity labels.
+	seKeyLabelPrefix = "berlin.sneak.app.secret.se"
+
+	// seUnlockerType is the metadata type string for Secure Enclave unlockers.
+	seUnlockerType = "secure-enclave"
+
+	// seLongtermFilename is the filename for the SE-encrypted vault long-term private key.
+	seLongtermFilename = "longterm.age.se"
+)
+
+// SecureEnclaveUnlockerMetadata extends UnlockerMetadata with SE-specific data.
+type SecureEnclaveUnlockerMetadata struct {
+	UnlockerMetadata
+	SEKeyLabel string `json:"seKeyLabel"`
+	SEKeyHash  string `json:"seKeyHash"`
+}
+
+// SecureEnclaveUnlocker represents a Secure Enclave-protected unlocker.
+type SecureEnclaveUnlocker struct {
+	Directory string
+	Metadata  UnlockerMetadata
+	fs        afero.Fs
+}
+
+// GetIdentity implements Unlocker interface for SE-based unlockers.
+// Decrypts the vault's long-term private key directly using the Secure Enclave.
+func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
+	DebugWith("Getting SE unlocker identity",
+		slog.String("unlocker_id", s.GetID()),
+	)
+
+	// Get SE key label from metadata
+	seKeyLabel, _, err := s.getSEKeyInfo()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get SE key info: %w", err)
+	}
+
+	// Read ECIES-encrypted long-term private key from disk
+	encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
+	encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to read SE-encrypted long-term key: %w",
+			err,
+		)
+	}
+
+	DebugWith("Read SE-encrypted long-term key",
+		slog.Int("encrypted_length", len(encryptedData)),
+	)
+
+	// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
+	decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to decrypt long-term key with SE: %w",
+			err,
+		)
+	}
+
+	// Parse the decrypted long-term private key
+	ltIdentity, err := age.ParseX25519Identity(string(decryptedData))
+
+	// Clear sensitive data immediately
+	for i := range decryptedData {
+		decryptedData[i] = 0
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to parse long-term private key: %w",
+			err,
+		)
+	}
+
+	DebugWith("Successfully decrypted long-term key via SE",
+		slog.String("unlocker_id", s.GetID()),
+	)
+
+	return ltIdentity, nil
+}
+
+// GetType implements Unlocker interface.
+func (s *SecureEnclaveUnlocker) GetType() string {
+	return seUnlockerType
+}
+
+// GetMetadata implements Unlocker interface.
+func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
+	return s.Metadata
+}
+
+// GetDirectory implements Unlocker interface.
+func (s *SecureEnclaveUnlocker) GetDirectory() string {
+	return s.Directory
+}
+
+// GetID implements Unlocker interface.
+func (s *SecureEnclaveUnlocker) GetID() string {
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "unknown"
+	}
+
+	createdAt := s.Metadata.CreatedAt
+	timestamp := createdAt.Format("2006-01-02.15.04")
+
+	return fmt.Sprintf("%s-%s-%s", timestamp, hostname, seUnlockerType)
+}
+
+// Remove implements Unlocker interface.
+func (s *SecureEnclaveUnlocker) Remove() error {
+	_, seKeyHash, err := s.getSEKeyInfo()
+	if err != nil {
+		Debug("Failed to get SE key info during removal", "error", err)
+
+		return fmt.Errorf("failed to get SE key info: %w", err)
+	}
+
+	if seKeyHash != "" {
+		Debug("Deleting SE key", "hash", seKeyHash)
+		if err := macse.DeleteKey(seKeyHash); err != nil {
+			Debug("Failed to delete SE key", "error", err, "hash", seKeyHash)
+
+			return fmt.Errorf("failed to delete SE key: %w", err)
+		}
+	}
+
+	Debug("Removing SE unlocker directory", "directory", s.Directory)
+	if err := s.fs.RemoveAll(s.Directory); err != nil {
+		return fmt.Errorf("failed to remove SE unlocker directory: %w", err)
+	}
+
+	Debug("Successfully removed SE unlocker", "unlocker_id", s.GetID())
+
+	return nil
+}
+
+// getSEKeyInfo reads the SE key label and hash from metadata.
+func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err error) {
+	metadataPath := filepath.Join(s.Directory, "unlocker-metadata.json")
+	metadataData, err := afero.ReadFile(s.fs, metadataPath)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to read SE metadata: %w", err)
+	}
+
+	var seMetadata SecureEnclaveUnlockerMetadata
+	if err := json.Unmarshal(metadataData, &seMetadata); err != nil {
+		return "", "", fmt.Errorf("failed to parse SE metadata: %w", err)
+	}
+
+	return seMetadata.SEKeyLabel, seMetadata.SEKeyHash, nil
+}
+
+// NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
+func NewSecureEnclaveUnlocker(
+	fs afero.Fs,
+	directory string,
+	metadata UnlockerMetadata,
+) *SecureEnclaveUnlocker {
+	return &SecureEnclaveUnlocker{
+		Directory: directory,
+		Metadata:  metadata,
+		fs:        fs,
+	}
+}
+
+// generateSEKeyLabel generates a unique label for the SE CTK identity.
+func generateSEKeyLabel(vaultName string) (string, error) {
+	hostname, err := os.Hostname()
+	if err != nil {
+		return "", fmt.Errorf("failed to get hostname: %w", err)
+	}
+
+	enrollmentDate := time.Now().UTC().Format("2006-01-02")
+
+	return fmt.Sprintf(
+		"%s.%s-%s-%s",
+		seKeyLabelPrefix,
+		vaultName,
+		hostname,
+		enrollmentDate,
+	), nil
+}
+
+// CreateSecureEnclaveUnlocker creates a new SE unlocker.
+// The vault's long-term private key is encrypted directly by the Secure Enclave
+// using ECIES. No intermediate age keypair is used.
+func CreateSecureEnclaveUnlocker(
+	fs afero.Fs,
+	stateDir string,
+) (*SecureEnclaveUnlocker, error) {
+	if err := checkMacOSAvailable(); err != nil {
+		return nil, err
+	}
+
+	vault, err := GetCurrentVault(fs, stateDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get current vault: %w", err)
+	}
+
+	// Generate SE key label
+	seKeyLabel, err := generateSEKeyLabel(vault.GetName())
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate SE key label: %w", err)
+	}
+
+	// Step 1: Create P-256 key in the Secure Enclave via sc_auth
+	Debug("Creating Secure Enclave key", "label", seKeyLabel)
+	_, seKeyHash, err := macse.CreateKey(seKeyLabel)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create SE key: %w", err)
+	}
+
+	Debug("Created SE key", "label", seKeyLabel, "hash", seKeyHash)
+
+	// Step 2: Get the vault's long-term private key
+	ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to get long-term private key: %w",
+			err,
+		)
+	}
+	defer ltPrivKeyData.Destroy()
+
+	// Step 3: Encrypt the long-term key directly with the SE (ECIES)
+	encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to encrypt long-term key with SE: %w",
+			err,
+		)
+	}
+
+	// Step 4: Create unlocker directory and write files
+	vaultDir, err := vault.GetDirectory()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
+	unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
+	if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
+		return nil, fmt.Errorf(
+			"failed to create unlocker directory: %w",
+			err,
+		)
+	}
+
+	// Write SE-encrypted long-term key
+	ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
+	if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
+		return nil, fmt.Errorf(
+			"failed to write SE-encrypted long-term key: %w",
+			err,
+		)
+	}
+
+	// Write metadata
+	seMetadata := SecureEnclaveUnlockerMetadata{
+		UnlockerMetadata: UnlockerMetadata{
+			Type:      seUnlockerType,
+			CreatedAt: time.Now().UTC(),
+			Flags:     []string{seUnlockerType, "macos"},
+		},
+		SEKeyLabel: seKeyLabel,
+		SEKeyHash:  seKeyHash,
+	}
+
+	metadataBytes, err := json.MarshalIndent(seMetadata, "", "  ")
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal metadata: %w", err)
+	}
+
+	metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
+	if err := afero.WriteFile(fs, metadataPath, metadataBytes, FilePerms); err != nil {
+		return nil, fmt.Errorf("failed to write metadata: %w", err)
+	}
+
+	return &SecureEnclaveUnlocker{
+		Directory: unlockerDir,
+		Metadata:  seMetadata.UnlockerMetadata,
+		fs:        fs,
+	}, nil
+}
+
+// getLongTermKeyForSE retrieves the vault's long-term private key
+// either from the mnemonic env var or by unlocking via the current unlocker.
+func getLongTermKeyForSE(
+	fs afero.Fs,
+	vault VaultInterface,
+) (*memguard.LockedBuffer, error) {
+	envMnemonic := os.Getenv(EnvMnemonic)
+	if envMnemonic != "" {
+		// Read vault metadata to get the correct derivation index
+		vaultDir, err := vault.GetDirectory()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get vault directory: %w", err)
+		}
+
+		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
+		metadataBytes, err := afero.ReadFile(fs, metadataPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
+		}
+
+		var metadata VaultMetadata
+		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
+		}
+
+		// Use mnemonic with the vault's actual derivation index
+		ltIdentity, err := agehd.DeriveIdentity(
+			envMnemonic,
+			metadata.DerivationIndex,
+		)
+
+		if err != nil {
+			return nil, fmt.Errorf(
+				"failed to derive long-term key from mnemonic: %w",
+				err,
+			)
+		}
+
+		return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
+	}
+
+	currentUnlocker, err := vault.GetCurrentUnlocker()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get current unlocker: %w", err)
+	}
+
+	currentIdentity, err := currentUnlocker.GetIdentity()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to get current unlocker identity: %w",
+			err,
+		)
+	}
+
+	// All unlocker types store longterm.age in their directory
+	longtermPath := filepath.Join(
+		currentUnlocker.GetDirectory(),
+		"longterm.age",
+	)
+	encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to read encrypted long-term key: %w",
+			err,
+		)
+	}
+
+	ltPrivKeyBuffer, err := DecryptWithIdentity(
+		encryptedLtKey,
+		currentIdentity,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
+	}
+
+	return ltPrivKeyBuffer, nil
+}
--- a/internal/secret/seunlocker_stub.go
+++ b/internal/secret/seunlocker_stub.go
@@ -0,0 +1,84 @@
+//go:build !darwin
+// +build !darwin
+
+package secret
+
+import (
+	"fmt"
+
+	"filippo.io/age"
+	"github.com/spf13/afero"
+)
+
+var errSENotSupported = fmt.Errorf(
+	"secure enclave unlockers are only supported on macOS",
+)
+
+// SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
+type SecureEnclaveUnlockerMetadata struct {
+	UnlockerMetadata
+	SEKeyLabel string `json:"seKeyLabel"`
+	SEKeyHash  string `json:"seKeyHash"`
+}
+
+// SecureEnclaveUnlocker is a stub for non-Darwin platforms.
+type SecureEnclaveUnlocker struct {
+	Directory string
+	Metadata  UnlockerMetadata
+	fs        afero.Fs
+}
+
+// GetIdentity returns an error on non-Darwin platforms.
+func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
+	return nil, errSENotSupported
+}
+
+// GetType returns the unlocker type.
+func (s *SecureEnclaveUnlocker) GetType() string {
+	return "secure-enclave"
+}
+
+// GetMetadata returns the unlocker metadata.
+func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
+	return s.Metadata
+}
+
+// GetDirectory returns the unlocker directory.
+func (s *SecureEnclaveUnlocker) GetDirectory() string {
+	return s.Directory
+}
+
+// GetID returns the unlocker ID.
+func (s *SecureEnclaveUnlocker) GetID() string {
+	return fmt.Sprintf(
+		"%s-secure-enclave",
+		s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
+	)
+}
+
+// Remove returns an error on non-Darwin platforms.
+func (s *SecureEnclaveUnlocker) Remove() error {
+	return errSENotSupported
+}
+
+// NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
+// The returned instance's methods that require macOS functionality will return errors.
+func NewSecureEnclaveUnlocker(
+	fs afero.Fs,
+	directory string,
+	metadata UnlockerMetadata,
+) *SecureEnclaveUnlocker {
+	return &SecureEnclaveUnlocker{
+		Directory: directory,
+		Metadata:  metadata,
+		fs:        fs,
+	}
+}
+
+// CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
+func CreateSecureEnclaveUnlocker(
+	_ afero.Fs,
+	_ string,
+) (*SecureEnclaveUnlocker, error) {
+	return nil, errSENotSupported
+}
--- a/internal/secret/seunlocker_stub_test.go
+++ b/internal/secret/seunlocker_stub_test.go
@@ -0,0 +1,90 @@
+//go:build !darwin
+// +build !darwin
+
+package secret
+
+import (
+	"testing"
+	"time"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecureEnclaveUnlocker(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	dir := "/tmp/test-se-unlocker"
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
+		Flags:     []string{"secure-enclave", "macos"},
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
+	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
+
+	// Test GetType returns correct type
+	assert.Equal(t, "secure-enclave", unlocker.GetType())
+
+	// Test GetMetadata returns the metadata we passed in
+	assert.Equal(t, metadata, unlocker.GetMetadata())
+
+	// Test GetDirectory returns the directory we passed in
+	assert.Equal(t, dir, unlocker.GetDirectory())
+
+	// Test GetID returns a formatted string with the creation timestamp
+	expectedID := "2026-01-15.10.30-secure-enclave"
+	assert.Equal(t, expectedID, unlocker.GetID())
+}
+
+func TestSecureEnclaveUnlockerGetIdentityReturnsError(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Now().UTC(),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
+
+	identity, err := unlocker.GetIdentity()
+	assert.Nil(t, identity)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errSENotSupported)
+}
+
+func TestSecureEnclaveUnlockerRemoveReturnsError(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Now().UTC(),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
+
+	err := unlocker.Remove()
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errSENotSupported)
+}
+
+func TestCreateSecureEnclaveUnlockerReturnsError(t *testing.T) {
+	fs := afero.NewMemMapFs()
+
+	unlocker, err := CreateSecureEnclaveUnlocker(fs, "/tmp/test")
+	assert.Nil(t, unlocker)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errSENotSupported)
+}
+
+func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Now().UTC(),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
+
+	// Verify the stub implements the Unlocker interface
+	var _ Unlocker = unlocker
+}
--- a/internal/secret/seunlocker_test.go
+++ b/internal/secret/seunlocker_test.go
@@ -0,0 +1,101 @@
+//go:build darwin
+// +build darwin
+
+package secret
+
+import (
+	"testing"
+	"time"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecureEnclaveUnlocker(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	dir := "/tmp/test-se-unlocker"
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
+		Flags:     []string{"secure-enclave", "macos"},
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
+	require.NotNil(t, unlocker, "NewSecureEnclaveUnlocker should return a valid instance")
+
+	// Test GetType returns correct type
+	assert.Equal(t, seUnlockerType, unlocker.GetType())
+
+	// Test GetMetadata returns the metadata we passed in
+	assert.Equal(t, metadata, unlocker.GetMetadata())
+
+	// Test GetDirectory returns the directory we passed in
+	assert.Equal(t, dir, unlocker.GetDirectory())
+}
+
+func TestSecureEnclaveUnlockerImplementsInterface(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Now().UTC(),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
+
+	// Verify the darwin implementation implements the Unlocker interface
+	var _ Unlocker = unlocker
+}
+
+func TestSecureEnclaveUnlockerGetIDFormat(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Date(2026, 3, 10, 14, 30, 0, 0, time.UTC),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, "/tmp/test", metadata)
+	id := unlocker.GetID()
+
+	// ID should contain the timestamp and "secure-enclave" type
+	assert.Contains(t, id, "2026-03-10.14.30")
+	assert.Contains(t, id, seUnlockerType)
+}
+
+func TestGenerateSEKeyLabel(t *testing.T) {
+	label, err := generateSEKeyLabel("test-vault")
+	require.NoError(t, err)
+
+	// Label should contain the prefix and vault name
+	assert.Contains(t, label, seKeyLabelPrefix)
+	assert.Contains(t, label, "test-vault")
+}
+
+func TestSecureEnclaveUnlockerGetIdentityMissingFile(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	dir := "/tmp/test-se-unlocker-missing"
+
+	// Create unlocker directory with metadata but no encrypted key file
+	require.NoError(t, fs.MkdirAll(dir, DirPerms))
+
+	metadataJSON := `{
+		"type": "secure-enclave",
+		"createdAt": "2026-01-15T10:30:00Z",
+		"seKeyLabel": "berlin.sneak.app.secret.se.test",
+		"seKeyHash": "abc123"
+	}`
+	require.NoError(t, afero.WriteFile(fs, dir+"/unlocker-metadata.json", []byte(metadataJSON), FilePerms))
+
+	metadata := UnlockerMetadata{
+		Type:      "secure-enclave",
+		CreatedAt: time.Date(2026, 1, 15, 10, 30, 0, 0, time.UTC),
+	}
+
+	unlocker := NewSecureEnclaveUnlocker(fs, dir, metadata)
+
+	// GetIdentity should fail because the encrypted longterm key file is missing
+	identity, err := unlocker.GetIdentity()
+	assert.Nil(t, identity)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to read SE-encrypted long-term key")
+}