Merge branch 'add-list-remove-commands'

The function was using defer to destroy password buffers, which caused
the buffers to be freed before the function returned. This led to a
SIGBUS error when trying to access the destroyed buffer's memory.

Changed to manual memory management to ensure buffers are only destroyed
when no longer needed, and the first buffer is returned directly to the
caller who is responsible for destroying it.

.claude/settings.local.json

@@ -23,7 +23,11 @@
       "Bash(ls:*)",
       "WebFetch(domain:golangci-lint.run)",
       "Bash(go:*)",
-      "WebFetch(domain:pkg.go.dev)"
+      "WebFetch(domain:pkg.go.dev)",
+      "Bash(CGO_ENABLED=1 make fmt)",
+      "Bash(CGO_ENABLED=1 make test)",
+      "Bash(git merge:*)",
+      "Bash(git branch:*)"
     ],
     "deny": []
   }

.dockerignore

@@ -0,0 +1,21 @@
+# Build artifacts
+secret
+coverage.out
+*.test
+
+# IDE and editor files
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# macOS
+.DS_Store
+
+# Claude files
+.claude/
+
+# Local settings
+.golangci.yml
+.claude/settings.local.json

.golangci.yml

@@ -64,6 +64,14 @@ linters-settings:
   nlreturn:
     block-size: 2
 
+  revive:
+    rules:
+      - name: var-naming
+        arguments:
+          - []
+          - []
+          - "upperCaseConst=true"
+
   tagliatelle:
     case:
       rules:
@@ -89,3 +97,32 @@ issues:
     - text: "parameter '(args|cmd)' seems to be unused"
       linters:
         - revive
+
+    # Allow ALL_CAPS constant names
+    - text: "don't use ALL_CAPS in Go names"
+      linters:
+        - revive
+
+    # Exclude all linters for internal/macse directory
+    - path: "internal/macse/.*"
+      linters:
+        - errcheck
+        - lll
+        - mnd
+        - nestif
+        - nlreturn
+        - revive
+        - unconvert
+        - govet
+        - staticcheck
+        - unused
+        - ineffassign
+        - misspell
+        - gosec
+        - unparam
+        - testifylint
+        - usetesting
+        - tagliatelle
+        - nilnil
+        - intrange
+        - gochecknoglobals

Dockerfile

@@ -0,0 +1,50 @@
+# Build stage
+FROM golang:1.24-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache \
+    gcc \
+    musl-dev \
+    make \
+    git
+
+# Set working directory
+WORKDIR /build
+
+# Copy go mod files
+COPY go.mod go.sum ./
+
+# Download dependencies
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build the binary
+RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
+
+# Runtime stage
+FROM alpine:latest
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    ca-certificates \
+    gnupg
+
+# Create non-root user
+RUN adduser -D -s /bin/sh secret
+
+# Copy binary from builder
+COPY --from=builder /build/secret /usr/local/bin/secret
+
+# Ensure binary is executable
+RUN chmod +x /usr/local/bin/secret
+
+# Switch to non-root user
+USER secret
+
+# Set working directory
+WORKDIR /home/secret
+
+# Set entrypoint
+ENTRYPOINT ["secret"]

Makefile

@@ -1,3 +1,6 @@
+export CGO_ENABLED=1
+export DOCKER_HOST := ssh://root@ber1app1.local
+
 default: check
 
 build: ./secret
@@ -21,6 +24,14 @@ lint:
 # Check all code quality (build + vet + lint + unit tests)
 check: ./secret vet lint test
 
+# Build Docker container
+docker: 
+	docker build -t sneak/secret .
+
+# Run Docker container interactively
+docker-run:
+	docker run --rm -it sneak/secret
+
 # Clean build artifacts
 clean:
 	rm -f ./secret

README.md

@@ -1,12 +1,12 @@
 # Secret - Hierarchical Secret Manager
 
-Secret is a modern, secure command-line secret manager that implements a hierarchical key architecture for storing and managing sensitive data. It supports multiple vaults, various unlock mechanisms, and provides secure storage using the Age encryption library.
+Secret is a command-line secret manager that implements a hierarchical key architecture for storing and managing sensitive data. It supports multiple vaults, various unlock mechanisms, and provides secure storage using the Age encryption library.
 
 ## Core Architecture
 
 ### Three-Layer Key Hierarchy
 
-Secret implements a sophisticated three-layer key architecture:
+Secret implements a three-layer key architecture:
 
 1. **Long-term Keys**: Derived from BIP39 mnemonic phrases, these provide the foundation for all encryption
 2. **Unlockers**: Short-term keys that encrypt the long-term keys, supporting multiple authentication methods
@@ -16,7 +16,7 @@ Secret implements a sophisticated three-layer key architecture:
 
 Each secret maintains a history of versions, with each version having:
 - Its own encryption key pair
-- Encrypted metadata including creation time and validity period
+- Metadata (unencrypted) including creation time and validity period
 - Immutable value storage
 - Atomic version switching via symlink updates
 
@@ -69,8 +69,8 @@ Initializes the secret manager with a default vault. Prompts for a BIP39 mnemoni
 
 ### Vault Management
 
-#### `secret vault list [--json]`
-Lists all available vaults.
+#### `secret vault list [--json]` / `secret vault ls`
+Lists all available vaults. The current vault is marked.
 
 #### `secret vault create <name>`
 Creates a new vault with the specified name.
@@ -78,6 +78,12 @@ Creates a new vault with the specified name.
 #### `secret vault select <name>`
 Switches to the specified vault for subsequent operations.
 
+#### `secret vault remove <name> [--force]` / `secret vault rm` ⚠️ 🛑
+**DANGER**: Permanently removes a vault and all its secrets. Like Unix `rm`, this command does not ask for confirmation.
+Requires --force if the vault contains secrets. With --force, will automatically switch to another vault if removing the current one.
+- `--force, -f`: Force removal even if vault contains secrets
+- **NO RECOVERY**: All secrets in the vault will be permanently deleted
+
 ### Secret Management
 
 #### `secret add <secret-name> [--force]`
@@ -95,14 +101,24 @@ Retrieves and outputs a secret value to stdout.
 #### `secret list [filter] [--json]` / `secret ls`
 Lists all secrets in the current vault. Optional filter for substring matching.
 
+#### `secret remove <secret-name>` / `secret rm` ⚠️ 🛑
+**DANGER**: Permanently removes a secret and ALL its versions. Like Unix `rm`, this command does not ask for confirmation.
+- **NO RECOVERY**: Once removed, the secret cannot be recovered
+- **ALL VERSIONS DELETED**: Every version of the secret will be permanently deleted
+
 ### Version Management
 
-#### `secret version list <secret-name>`
+#### `secret version list <secret-name>` / `secret version ls`
 Lists all versions of a secret showing creation time, status, and validity period.
 
 #### `secret version promote <secret-name> <version>`
 Promotes a specific version to current by updating the symlink. Does not modify any timestamps, allowing for rollback scenarios.
 
+#### `secret version remove <secret-name> <version>` / `secret version rm` ⚠️ 🛑
+**DANGER**: Permanently removes a specific version of a secret. Like Unix `rm`, this command does not ask for confirmation.
+- **NO RECOVERY**: Once removed, this version cannot be recovered
+- Cannot remove the current version (must promote another version first)
+
 ### Key Generation
 
 #### `secret generate mnemonic`
@@ -116,7 +132,7 @@ Generates and stores a random secret.
 
 ### Unlocker Management
 
-#### `secret unlockers list [--json]`
+#### `secret unlockers list [--json]` / `secret unlockers ls`
 Lists all unlockers in the current vault with their metadata.
 
 #### `secret unlockers add <type> [options]`
@@ -125,12 +141,17 @@ Creates a new unlocker of the specified type:
 **Types:**
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
+- `keychain`: macOS Keychain integration (macOS only)
 
 **Options:**
 - `--keyid <id>`: GPG key ID (required for PGP type)
 
-#### `secret unlockers rm <unlocker-id>`
-Removes an unlocker.
+#### `secret unlockers remove <unlocker-id> [--force]` / `secret unlockers rm` ⚠️ 🛑
+**DANGER**: Permanently removes an unlocker. Like Unix `rm`, this command does not ask for confirmation.
+Cannot remove the last unlocker if the vault has secrets unless --force is used.
+- `--force, -f`: Force removal of last unlocker even if vault has secrets
+- **CRITICAL WARNING**: Without unlockers and without your mnemonic phrase, vault data will be PERMANENTLY INACCESSIBLE
+- **NO RECOVERY**: Removing all unlockers without having your mnemonic means losing access to all secrets forever
 
 #### `secret unlocker select <unlocker-id>`
 Selects an unlocker as the current default for operations.
@@ -169,7 +190,7 @@ Decrypts data using an Age key stored as a secret.
 │   │   │   │   │   │   ├── pub.age     # Version public key
 │   │   │   │   │   │   ├── priv.age    # Version private key (encrypted)
 │   │   │   │   │   │   ├── value.age   # Encrypted value
-│   │   │   │   │   │   └── metadata.age # Encrypted metadata
+│   │   │   │   │   │   └── metadata.json # Unencrypted metadata
 │   │   │   │   │   └── 20231216.001/   # Another version
 │   │   │   │   └── current -> versions/20231216.001
 │   │   │   └── database%password/       # Secret: database/password
@@ -207,6 +228,18 @@ Unlockers provide different authentication methods to access the long-term keys:
    - Leverages existing key management workflows
    - Strong authentication through GPG
 
+3. **Keychain Unlockers** (macOS only):
+   - Stores unlock keys in macOS Keychain
+   - Protected by system authentication (Touch ID, password)
+   - Automatic unlocking when Keychain is unlocked
+   - Cross-application integration
+
+4. **Secure Enclave Unlockers** (macOS - planned):
+   - Hardware-backed key storage using Apple Secure Enclave
+   - Currently partially implemented but non-functional
+   - Requires Apple Developer Program membership and code signing entitlements
+   - Full implementation blocked by entitlement requirements
+
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.
 
 #### Secret-specific Keys
@@ -241,6 +274,8 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te
 
 ### Hardware Integration
 - Hardware token support via PGP/GPG integration
+- macOS Keychain integration for system-level security
+- Secure Enclave support planned (requires Apple Developer Program)
 
 ## Examples
 
@@ -259,6 +294,9 @@ echo "ssh-private-key-content" | secret add ssh/servers/web01
 secret list
 secret get database/prod/password
 secret get services/api/key
+
+# Remove a secret ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
+secret remove ssh/servers/web01
 ```
 
 ### Multi-vault Setup
@@ -278,6 +316,9 @@ echo "personal-email-pass" | secret add email/password
 
 # List all vaults
 secret vault list
+
+# Remove a vault ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
+secret vault remove personal --force
 ```
 
 ### Advanced Authentication
@@ -285,12 +326,28 @@ secret vault list
 # Add multiple unlock methods
 secret unlockers add passphrase              # Password-based
 secret unlockers add pgp --keyid ABCD1234    # GPG key
+secret unlockers add keychain                # macOS Keychain (macOS only)
 
 # List unlockers
 secret unlockers list
 
 # Select a specific unlocker
 secret unlocker select <unlocker-id>
+
+# Remove an unlocker ⚠️ 🛑 (NO CONFIRMATION!)
+secret unlockers remove <unlocker-id>
+```
+
+### Version Management
+```bash
+# List all versions of a secret
+secret version list database/prod/password
+
+# Promote an older version to current
+secret version promote database/prod/password 20231215.001
+
+# Remove an old version ⚠️ 🛑 (NO CONFIRMATION - PERMANENT!)
+secret version remove database/prod/password 20231214.001
 ```
 
 ### Encryption/Decryption with Age Keys
@@ -316,7 +373,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 
 ### File Formats
 - **Age Files**: Standard Age encryption format (.age extension)
-- **Metadata**: JSON format with timestamps and type information
+- **Metadata**: Unencrypted JSON format with timestamps and type information
 - **Vault Metadata**: JSON containing vault name, creation time, derivation index, and public key hash
 
 ### Vault Management
@@ -325,8 +382,8 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 - **Automatic Key Derivation**: When creating vaults with a mnemonic, keys are automatically derived
 
 ### Cross-Platform Support
-- **macOS**: Full support including Keychain integration
-- **Linux**: Full support (excluding Keychain features)
+- **macOS**: Full support including Keychain and planned Secure Enclave integration
+- **Linux**: Full support (excluding macOS-specific features)
 - **Windows**: Basic support (filesystem operations only)
 
 ## Security Considerations
@@ -367,9 +424,18 @@ go test -tags=integration -v ./internal/cli  # Integration tests
 
 ## Features
 
-- **Multiple Authentication Methods**: Supports passphrase-based and PGP-based unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
 - **Cross-Platform**: Works on macOS, Linux, and other Unix-like systems
 
+# Author
+
+Made with love and lots of expensive SOTA AI by [sneak](https://sneak.berlin) in Berlin in the summer of 2025.
+
+Released as a free software gift to the world, no strings attached, under the [WTFPL](https://www.wtfpl.net/) license.
+
+Contact: [sneak@sneak.berlin](mailto:sneak@sneak.berlin)
+
+[https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2](https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2)

TODO.md

@@ -4,6 +4,51 @@ This document outlines the bugs, issues, and improvements that need to be
 addressed before the 1.0 release of the secret manager. Items are
 prioritized from most critical (top) to least critical (bottom).
 
+## CRITICAL BLOCKERS FOR 1.0 RELEASE
+
+### Command Injection Vulnerabilities
+- [ ] **1. PGP command injection risk**: `internal/secret/pgpunlocker.go:323-327` - GPG key IDs passed directly to exec.Command without proper escaping
+- [ ] **2. Keychain command injection risk**: `internal/secret/keychainunlocker.go:472-476` - data.String() passed to security command without escaping
+
+### Memory Security Critical Issues
+- [ ] **3. Plain text passphrase in memory**: `internal/secret/keychainunlocker.go:342,393-396` - KeychainData struct stores AgePrivKeyPassphrase as unprotected string
+- [ ] **4. Sensitive string conversions**: `internal/secret/keychainunlocker.go:356`, `internal/secret/pgpunlocker.go:256`, `internal/secret/version.go:155` - Age identity .String() creates unprotected copies
+
+### Race Conditions (Data Corruption Risk)
+- [ ] **5. No file locking mechanism**: `internal/vault/secrets.go:142-176` - Multiple concurrent operations can corrupt vault state
+- [ ] **6. Non-atomic file operations**: Various locations - Interrupted writes leave vault inconsistent
+
+### Input Validation Vulnerabilities
+- [ ] **7. Path traversal risk**: `internal/vault/secrets.go:75-99` - Secret names allow dots which could enable traversal attacks with encoding
+- [ ] **8. Missing size limits**: `internal/vault/secrets.go:102` - No maximum secret size allows DoS via memory exhaustion
+
+### Timing Attack Vulnerabilities
+- [ ] **9. Non-constant-time passphrase comparison**: `internal/cli/init.go:209-216` - bytes.Equal() vulnerable to timing attacks
+- [ ] **10. Non-constant-time key validation**: `internal/vault/vault.go:95-100` - Public key comparison leaks timing information
+
+## CRITICAL MEMORY SECURITY ISSUES
+
+### Functions accepting bare []byte for sensitive data
+- [x] **1. Secret.Save accepts unprotected data**: `internal/secret/secret.go:67` - `Save(value []byte, force bool)` - ✓ REMOVED - deprecated function deleted
+- [x] **2. EncryptWithPassphrase accepts unprotected data**: `internal/secret/crypto.go:73` - `EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer)` - ✓ FIXED - now accepts LockedBuffer for data
+- [x] **3. storeInKeychain accepts unprotected data**: `internal/secret/keychainunlocker.go:469` - `storeInKeychain(itemName string, data []byte)` - ✓ FIXED - now accepts LockedBuffer for data
+- [x] **4. gpgEncryptDefault accepts unprotected data**: `internal/secret/pgpunlocker.go:351` - `gpgEncryptDefault(data []byte, keyID string)` - ✓ FIXED - now accepts LockedBuffer for data
+
+### Functions returning unprotected secrets
+- [x] **5. GetValue returns unprotected secret**: `internal/secret/secret.go:93` - `GetValue(unlocker Unlocker) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer internally
+- [x] **6. DecryptWithIdentity returns unprotected data**: `internal/secret/crypto.go:57` - `DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
+- [x] **7. DecryptWithPassphrase returns unprotected data**: `internal/secret/crypto.go:94` - `DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
+- [x] **8. gpgDecryptDefault returns unprotected data**: `internal/secret/pgpunlocker.go:368` - `gpgDecryptDefault(encryptedData []byte) ([]byte, error)` - ✓ FIXED - now returns LockedBuffer
+- [x] **9. getSecretValue returns unprotected data**: `internal/cli/crypto.go:269` - `getSecretValue()` returns bare []byte - ✓ ALREADY FIXED - returns LockedBuffer
+
+### Intermediate string variables for passphrases
+- [x] **10. Passphrase extracted to string**: `internal/secret/crypto.go:79,100` - `passphraseStr := passphrase.String()` - ✓ UNAVOIDABLE - age library requires string parameter
+- [ ] **11. Age secret key in plain string**: `internal/cli/crypto.go:86,91,113` - Age secret key stored in plain string variable before conversion back to secure buffer
+
+### Unprotected buffer.Bytes() usage
+- [ ] **12. GPG encrypt exposes private key**: `internal/secret/pgpunlocker.go:256` - `GPGEncryptFunc(agePrivateKeyBuffer.Bytes(), gpgKeyID)` - private key exposed to external function
+- [ ] **13. Keychain encrypt exposes private key**: `internal/secret/keychainunlocker.go:371` - `EncryptWithPassphrase(agePrivKeyBuffer.Bytes(), passphraseBuffer)` - private key passed as bare bytes
+
 ## Code Cleanups
 
 * we shouldn't be passing around a statedir, it should be read from the

coverage.out

@@ -0,0 +1,102 @@
+mode: set
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:57.41,60.38 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:60.38,61.41 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:65.2,70.3 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:74.50,76.2 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:79.85,81.28 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:81.28,83.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:86.2,87.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:87.16,89.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:92.2,93.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:93.16,95.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:98.2,98.35 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:102.89,105.16 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:105.16,107.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:110.2,114.21 4 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:118.99,119.46 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:119.46,121.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:124.2,134.39 5 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:134.39,137.15 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:137.15,140.4 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:143.3,145.17 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:145.17,147.4 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.3,150.15 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:150.15,152.4 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:155.3,156.17 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:156.17,158.4 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:160.3,160.14 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:163.2,163.17 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:167.107,171.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:171.16,173.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:177.2,186.15 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:187.15,188.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:189.15,190.13 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:191.15,192.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:193.15,194.13 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:195.15,196.13 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:197.10,198.64 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:202.2,204.21 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:208.84,212.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:212.16,214.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:217.2,222.16 4 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:222.16,224.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:226.2,226.26 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:230.99,234.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:234.16,236.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:239.2,251.45 6 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:251.45,253.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:256.2,275.45 12 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:279.39,284.2 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:287.91,288.36 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:288.36,290.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:292.2,295.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:295.16,297.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:300.2,302.41 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:306.100,307.32 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:307.32,309.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:311.2,314.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:314.16,316.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:319.2,325.35 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:325.35,327.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:329.2,329.33 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:333.100,334.32 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:334.32,336.3 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:338.2,341.16 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:341.16,343.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:346.2,349.32 2 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:349.32,351.3 1 0
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:353.2,353.30 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:357.57,375.52 7 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:375.52,381.46 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:381.46,385.4 3 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:387.3,387.20 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:390.2,390.21 1 1
+git.eeqj.de/sneak/secret/pkg/bip85/bip85.go:394.67,396.2 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:32.22,36.2 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:40.67,41.31 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:41.31,43.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:46.2,55.16 6 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:55.16,57.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:58.2,59.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:59.16,61.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:63.2,63.52 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:68.63,74.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:74.16,76.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:79.2,83.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:83.16,85.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:88.2,91.16 4 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:91.16,93.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:95.2,95.17 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:100.67,103.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:103.16,105.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:108.2,112.16 3 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:112.16,114.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:117.2,120.16 4 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:120.16,122.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:124.2,124.17 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:129.77,131.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:131.16,133.3 1 0
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:135.2,135.33 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:140.81,142.16 2 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:142.16,144.3 1 1
+git.eeqj.de/sneak/secret/pkg/agehd/agehd.go:146.2,146.33 1 1

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/btcsuite/btcd/btcec/v2 v2.1.3
 	github.com/btcsuite/btcd/btcutil v1.1.6
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
+	github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/spf13/afero v1.14.0
 	github.com/spf13/cobra v1.9.1

go.sum

@@ -63,6 +63,8 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
+github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1 h1:yi1W8qcFJ2plmaGJFN1npm0KQviWPMCtQOYuwDT6Swk=
+github.com/keybase/go-keychain v0.0.0-20230307172405-3e4884637dd1/go.mod h1:qDHUvIjGZJUtdPtuP4WMu5/U4aVWbFw1MhlkJqCGmCQ=
 github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=

internal/cli/cli.go

@@ -2,21 +2,11 @@
 package cli
 
 import (
-	"bufio"
-	"fmt"
-	"os"
-	"strings"
-	"syscall"
-
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
-	"golang.org/x/term"
 )
 
-// Global scanner for consistent stdin reading
-var stdinScanner *bufio.Scanner //nolint:gochecknoglobals // Needed for consistent stdin handling
-
 // Instance encapsulates all CLI functionality and state
 type Instance struct {
 	fs       afero.Fs
@@ -67,33 +57,3 @@ func (cli *Instance) SetStateDir(stateDir string) {
 func (cli *Instance) GetStateDir() string {
 	return cli.stateDir
 }
-
-// getStdinScanner returns a shared scanner for stdin to avoid buffering issues
-func getStdinScanner() *bufio.Scanner {
-	if stdinScanner == nil {
-		stdinScanner = bufio.NewScanner(os.Stdin)
-	}
-
-	return stdinScanner
-}
-
-// readLineFromStdin reads a single line from stdin with a prompt
-// Uses a shared scanner to avoid buffering issues between multiple calls
-func readLineFromStdin(prompt string) (string, error) {
-	// Check if stderr is a terminal - if not, we can't prompt interactively
-	if !term.IsTerminal(syscall.Stderr) {
-		return "", fmt.Errorf("cannot prompt for input: stderr is not a terminal (running in non-interactive mode)")
-	}
-
-	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
-	scanner := getStdinScanner()
-	if !scanner.Scan() {
-		if err := scanner.Err(); err != nil {
-			return "", fmt.Errorf("failed to read from stdin: %w", err)
-		}
-
-		return "", fmt.Errorf("failed to read from stdin: EOF")
-	}
-
-	return strings.TrimSpace(scanner.Text()), nil
-}

internal/cli/crypto.go

@@ -96,21 +96,13 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
 		}
 	} else {
 		// Secret exists, get the age secret key from it
-		secretValue, err := cli.getSecretValue(vlt, secretObj)
+		secretBuffer, err := cli.getSecretValue(vlt, secretObj)
 		if err != nil {
 			return fmt.Errorf("failed to get secret value: %w", err)
 		}
+		defer secretBuffer.Destroy()
 
-		// Create secure buffer for the secret value
-		secureBuffer := memguard.NewBufferFromBytes(secretValue)
-		defer secureBuffer.Destroy()
-
-		// Clear the original secret value
-		for i := range secretValue {
-			secretValue[i] = 0
-		}
-
-		ageSecretKey = secureBuffer.String()
+		ageSecretKey = secretBuffer.String()
 
 		// Validate that it's a valid age secret key
 		if !isValidAgeSecretKey(ageSecretKey) {
@@ -189,36 +181,28 @@ func (cli *Instance) Decrypt(secretName, inputFile, outputFile string) error {
 	}
 
 	// Get the age secret key from the secret
-	var secretValue []byte
+	var secretBuffer *memguard.LockedBuffer
 	if os.Getenv(secret.EnvMnemonic) != "" {
-		secretValue, err = secretObj.GetValue(nil)
+		secretBuffer, err = secretObj.GetValue(nil)
 	} else {
 		unlocker, unlockErr := vlt.GetCurrentUnlocker()
 		if unlockErr != nil {
 			return fmt.Errorf("failed to get current unlocker: %w", unlockErr)
 		}
-		secretValue, err = secretObj.GetValue(unlocker)
+		secretBuffer, err = secretObj.GetValue(unlocker)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to get secret value: %w", err)
 	}
-
-	// Create secure buffer for the secret value
-	secureBuffer := memguard.NewBufferFromBytes(secretValue)
-	defer secureBuffer.Destroy()
-
-	// Clear the original secret value
-	for i := range secretValue {
-		secretValue[i] = 0
-	}
+	defer secretBuffer.Destroy()
 
 	// Validate that it's a valid age secret key
-	if !isValidAgeSecretKey(secureBuffer.String()) {
+	if !isValidAgeSecretKey(secretBuffer.String()) {
 		return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
 	}
 
 	// Parse the age secret key to get the identity
-	identity, err := age.ParseX25519Identity(secureBuffer.String())
+	identity, err := age.ParseX25519Identity(secretBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse age secret key: %w", err)
 	}
@@ -266,7 +250,7 @@ func isValidAgeSecretKey(key string) bool {
 }
 
 // getSecretValue retrieves the value of a secret using the appropriate unlocker
-func (cli *Instance) getSecretValue(vlt *vault.Vault, secretObj *secret.Secret) ([]byte, error) {
+func (cli *Instance) getSecretValue(vlt *vault.Vault, secretObj *secret.Secret) (*memguard.LockedBuffer, error) {
 	if os.Getenv(secret.EnvMnemonic) != "" {
 		return secretObj.GetValue(nil)
 	}

internal/cli/init.go

@@ -60,14 +60,17 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		mnemonicStr = envMnemonic
 	} else {
 		secret.Debug("Prompting user for mnemonic phrase")
-		// Read mnemonic from stdin using shared line reader
-		var err error
-		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
+		// Read mnemonic securely without echo
+		mnemonicBuffer, err := secret.ReadPassphrase("Enter your BIP39 mnemonic phrase: ")
 		if err != nil {
 			secret.Debug("Failed to read mnemonic from stdin", "error", err)
 
 			return fmt.Errorf("failed to read mnemonic: %w", err)
 		}
+		defer mnemonicBuffer.Destroy()
+
+		mnemonicStr = mnemonicBuffer.String()
+		fmt.Fprintln(os.Stderr) // Add newline after hidden input
 	}
 
 	if mnemonicStr == "" {
@@ -202,20 +205,26 @@ func readSecurePassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer passphraseBuffer1.Destroy()
 
 	// Read confirmation passphrase
 	passphraseBuffer2, err := secret.ReadPassphrase("Confirm passphrase: ")
 	if err != nil {
+		passphraseBuffer1.Destroy()
+
 		return nil, fmt.Errorf("failed to read passphrase confirmation: %w", err)
 	}
-	defer passphraseBuffer2.Destroy()
 
 	// Compare passphrases
 	if passphraseBuffer1.String() != passphraseBuffer2.String() {
+		passphraseBuffer1.Destroy()
+		passphraseBuffer2.Destroy()
+
 		return nil, fmt.Errorf("passphrases do not match")
 	}
 
-	// Create a new buffer with the confirmed passphrase
-	return memguard.NewBufferFromBytes(passphraseBuffer1.Bytes()), nil
+	// Clean up the second buffer, we'll return the first
+	passphraseBuffer2.Destroy()
+
+	// Return the first buffer (caller is responsible for destroying it)
+	return passphraseBuffer1, nil
 }

internal/cli/root.go

@@ -34,6 +34,7 @@ func newRootCmd() *cobra.Command {
 	cmd.AddCommand(newAddCmd())
 	cmd.AddCommand(newGetCmd())
 	cmd.AddCommand(newListCmd())
+	cmd.AddCommand(newRemoveCmd())
 	cmd.AddCommand(newUnlockersCmd())
 	cmd.AddCommand(newUnlockerCmd())
 	cmd.AddCommand(newImportCmd())

internal/cli/secrets.go

@@ -4,11 +4,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"path/filepath"
 	"strings"
 
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 
@@ -103,6 +105,24 @@ func newImportCmd() *cobra.Command {
 	return cmd
 }
 
+func newRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <secret-name>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a secret from the vault",
+		Long: `Remove a secret and all its versions from the current vault. This action is permanent and ` +
+			`cannot be undone.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cli := NewCLIInstance()
+
+			return cli.RemoveSecret(cmd, args[0], false)
+		},
+	}
+
+	return cmd
+}
+
 // updateBufferSize updates the buffer size based on usage pattern
 func updateBufferSize(currentSize int, sameSize *int) int {
 	*sameSize++
@@ -448,3 +468,45 @@ func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile str
 
 	return nil
 }
+
+// RemoveSecret removes a secret from the vault
+func (cli *Instance) RemoveSecret(cmd *cobra.Command, secretName string, _ bool) error {
+	// Get current vault
+	currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return err
+	}
+
+	// Check if secret exists
+	vaultDir, err := currentVlt.GetDirectory()
+	if err != nil {
+		return err
+	}
+
+	encodedName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
+
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret '%s' not found", secretName)
+	}
+
+	// Count versions for information
+	versionsDir := filepath.Join(secretDir, "versions")
+	versionCount := 0
+	if entries, err := afero.ReadDir(cli.fs, versionsDir); err == nil {
+		versionCount = len(entries)
+	}
+
+	// Remove the secret directory
+	if err := cli.fs.RemoveAll(secretDir); err != nil {
+		return fmt.Errorf("failed to remove secret: %w", err)
+	}
+
+	cmd.Printf("Removed secret '%s' (%d version(s) deleted)\n", secretName, versionCount)
+
+	return nil
+}

internal/cli/secrets_size_test.go

@@ -257,22 +257,22 @@ func TestImportSecretVariousSizes(t *testing.T) {
 func TestAddSecretBufferGrowth(t *testing.T) {
 	// Test various sizes that should trigger buffer growth
 	sizes := []int{
-		1,        // Single byte
-		100,      // Small
-		4095,     // Just under initial 4KB
-		4096,     // Exactly 4KB
-		4097,     // Just over 4KB
-		8191,     // Just under 8KB (first double)
-		8192,     // Exactly 8KB
-		8193,     // Just over 8KB
-		12288,    // 12KB (should trigger second double)
-		16384,    // 16KB
-		32768,    // 32KB (after more doublings)
-		65536,    // 64KB
-		131072,   // 128KB
-		524288,   // 512KB
-		1048576,  // 1MB
-		2097152,  // 2MB
+		1,       // Single byte
+		100,     // Small
+		4095,    // Just under initial 4KB
+		4096,    // Exactly 4KB
+		4097,    // Just over 4KB
+		8191,    // Just under 8KB (first double)
+		8192,    // Exactly 8KB
+		8193,    // Just over 8KB
+		12288,   // 12KB (should trigger second double)
+		16384,   // 16KB
+		32768,   // 32KB (after more doublings)
+		65536,   // 64KB
+		131072,  // 128KB
+		524288,  // 512KB
+		1048576, // 1MB
+		2097152, // 2MB
 	}
 
 	for _, size := range sizes {

internal/cli/unlockers.go

@@ -4,7 +4,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"time"
 
@@ -15,9 +17,44 @@ import (
 	"github.com/spf13/cobra"
 )
 
-// Import from init.go
+// getDefaultGPGKey returns the default GPG key ID if available
+func getDefaultGPGKey() (string, error) {
+	// First try to get the configured default key using gpgconf
+	cmd := exec.Command("gpgconf", "--list-options", "gpg")
+	output, err := cmd.Output()
+	if err == nil {
+		lines := strings.Split(string(output), "\n")
+		for _, line := range lines {
+			fields := strings.Split(line, ":")
+			if len(fields) > 9 && fields[0] == "default-key" && fields[9] != "" {
+				// The default key is in field 10 (index 9)
+				return fields[9], nil
+			}
+		}
+	}
 
-// ... existing imports ...
+	// If no default key is configured, get the first secret key
+	cmd = exec.Command("gpg", "--list-secret-keys", "--with-colons")
+	output, err = cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to list GPG keys: %w", err)
+	}
+
+	// Parse output to find the first usable secret key
+	lines := strings.Split(string(output), "\n")
+	for _, line := range lines {
+		// sec line indicates a secret key
+		if strings.HasPrefix(line, "sec:") {
+			fields := strings.Split(line, ":")
+			// Field 5 contains the key ID
+			if len(fields) > 4 && fields[4] != "" {
+				return fields[4], nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("no GPG secret keys found")
+}
 
 func newUnlockersCmd() *cobra.Command {
 	cmd := &cobra.Command{
@@ -28,15 +65,16 @@ func newUnlockersCmd() *cobra.Command {
 
 	cmd.AddCommand(newUnlockersListCmd())
 	cmd.AddCommand(newUnlockersAddCmd())
-	cmd.AddCommand(newUnlockersRmCmd())
+	cmd.AddCommand(newUnlockersRemoveCmd())
 
 	return cmd
 }
 
 func newUnlockersListCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "list",
-		Short: "List unlockers in the current vault",
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List unlockers in the current vault",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 
@@ -53,14 +91,26 @@ func newUnlockersListCmd() *cobra.Command {
 }
 
 func newUnlockersAddCmd() *cobra.Command {
+	// Build the supported types list based on platform
+	supportedTypes := "passphrase, pgp"
+	if runtime.GOOS == "darwin" {
+		supportedTypes = "passphrase, keychain, pgp"
+	}
+
 	cmd := &cobra.Command{
-		Use:   "add <type>",
+		Use:   "add <type> [keyid]",
 		Short: "Add a new unlocker",
-		Long:  `Add a new unlocker of the specified type (passphrase, keychain, pgp).`,
-		Args:  cobra.ExactArgs(1),
+		Long:  fmt.Sprintf(`Add a new unlocker of the specified type (%s).`, supportedTypes),
+		Args:  cobra.RangeArgs(1, 2), //nolint:mnd // Command accepts 1 or 2 arguments
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
 
+			// For PGP type, check if keyid is provided as positional argument
+			if args[0] == "pgp" && len(args) == 2 {
+				// Override any flag value with the positional argument
+				_ = cmd.Flags().Set("keyid", args[1])
+			}
+
 			return cli.UnlockersAdd(args[0], cmd)
 		},
 	}
@@ -70,17 +120,26 @@ func newUnlockersAddCmd() *cobra.Command {
 	return cmd
 }
 
-func newUnlockersRmCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "rm <unlocker-id>",
-		Short: "Remove an unlocker",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(_ *cobra.Command, args []string) error {
+func newUnlockersRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <unlocker-id>",
+		Aliases: []string{"rm"},
+		Short:   "Remove an unlocker",
+		Long: `Remove an unlocker from the current vault. Cannot remove the last unlocker if the vault has ` +
+			`secrets unless --force is used. Warning: Without unlockers and without your mnemonic, vault data ` +
+			`will be permanently inaccessible.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			force, _ := cmd.Flags().GetBool("force")
 			cli := NewCLIInstance()
 
-			return cli.UnlockersRemove(args[0])
+			return cli.UnlockersRemove(args[0], force, cmd)
 		},
 	}
+
+	cmd.Flags().BoolP("force", "f", false, "Force removal of last unlocker even if vault has secrets")
+
+	return cmd
 }
 
 func newUnlockerCmd() *cobra.Command {
@@ -243,6 +302,12 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 
 // UnlockersAdd adds a new unlocker
 func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error {
+	// Build the supported types list based on platform
+	supportedTypes := "passphrase, pgp"
+	if runtime.GOOS == "darwin" {
+		supportedTypes = "passphrase, keychain, pgp"
+	}
+
 	switch unlockerType {
 	case "passphrase":
 		// Get current vault
@@ -277,6 +342,10 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
 		return nil
 
 	case "keychain":
+		if runtime.GOOS != "darwin" {
+			return fmt.Errorf("keychain unlockers are only supported on macOS")
+		}
+
 		keychainUnlocker, err := secret.CreateKeychainUnlocker(cli.fs, cli.stateDir)
 		if err != nil {
 			return fmt.Errorf("failed to create macOS Keychain unlocker: %w", err)
@@ -290,14 +359,38 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
 		return nil
 
 	case "pgp":
-		// Get GPG key ID from flag or environment variable
+		// Get GPG key ID from flag, environment, or default key
 		var gpgKeyID string
 		if flagKeyID, _ := cmd.Flags().GetString("keyid"); flagKeyID != "" {
 			gpgKeyID = flagKeyID
 		} else if envKeyID := os.Getenv(secret.EnvGPGKeyID); envKeyID != "" {
 			gpgKeyID = envKeyID
 		} else {
-			return fmt.Errorf("GPG key ID required: use --keyid flag or set SB_GPG_KEY_ID environment variable")
+			// Try to get the default GPG key
+			defaultKeyID, err := getDefaultGPGKey()
+			if err != nil {
+				return fmt.Errorf("no GPG key specified and no default key found: %w", err)
+			}
+			gpgKeyID = defaultKeyID
+			cmd.Printf("Using default GPG key: %s\n", gpgKeyID)
+		}
+
+		// Check if this key is already added as an unlocker
+		vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+		if err != nil {
+			return fmt.Errorf("failed to get current vault: %w", err)
+		}
+
+		// Resolve the GPG key ID to its fingerprint
+		fingerprint, err := secret.ResolveGPGKeyFingerprint(gpgKeyID)
+		if err != nil {
+			return fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
+		}
+
+		// Check if this GPG key is already added
+		expectedID := fmt.Sprintf("pgp-%s", fingerprint)
+		if err := cli.checkUnlockerExists(vlt, expectedID); err != nil {
+			return fmt.Errorf("GPG key %s is already added as an unlocker", gpgKeyID)
 		}
 
 		pgpUnlocker, err := secret.CreatePGPUnlocker(cli.fs, cli.stateDir, gpgKeyID)
@@ -311,19 +404,53 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
 		return nil
 
 	default:
-		return fmt.Errorf("unsupported unlocker type: %s (supported: passphrase, keychain, pgp)", unlockerType)
+		return fmt.Errorf("unsupported unlocker type: %s (supported: %s)", unlockerType, supportedTypes)
 	}
 }
 
-// UnlockersRemove removes an unlocker
-func (cli *Instance) UnlockersRemove(unlockerID string) error {
+// UnlockersRemove removes an unlocker with safety checks
+func (cli *Instance) UnlockersRemove(unlockerID string, force bool, cmd *cobra.Command) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}
 
-	return vlt.RemoveUnlocker(unlockerID)
+	// Get list of unlockers
+	unlockers, err := vlt.ListUnlockers()
+	if err != nil {
+		return fmt.Errorf("failed to list unlockers: %w", err)
+	}
+
+	// Check if we're removing the last unlocker
+	if len(unlockers) == 1 {
+		// Check if vault has secrets
+		numSecrets, err := vlt.NumSecrets()
+		if err != nil {
+			return fmt.Errorf("failed to count secrets: %w", err)
+		}
+
+		if numSecrets > 0 && !force {
+			cmd.Println("ERROR: Cannot remove the last unlocker when the vault contains secrets.")
+			cmd.Println("WARNING: Without unlockers, you MUST have your mnemonic phrase to decrypt the vault.")
+			cmd.Println("If you want to proceed anyway, use --force")
+
+			return fmt.Errorf("refusing to remove last unlocker")
+		}
+
+		if numSecrets > 0 && force {
+			cmd.Println("WARNING: Removing the last unlocker. You MUST have your mnemonic phrase to access this vault again!")
+		}
+	}
+
+	// Remove the unlocker
+	if err := vlt.RemoveUnlocker(unlockerID); err != nil {
+		return err
+	}
+
+	cmd.Printf("Removed unlocker '%s'\n", unlockerID)
+
+	return nil
 }
 
 // UnlockerSelect selects an unlocker as current
@@ -336,3 +463,69 @@ func (cli *Instance) UnlockerSelect(unlockerID string) error {
 
 	return vlt.SelectUnlocker(unlockerID)
 }
+
+// checkUnlockerExists checks if an unlocker with the given ID exists
+func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) error {
+	// Get the list of unlockers and check if any match the ID
+	unlockers, err := vlt.ListUnlockers()
+	if err != nil {
+		return nil // If we can't list unlockers, assume it doesn't exist
+	}
+
+	// Get vault directory to construct unlocker instances
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return nil
+	}
+
+	// Check each unlocker's ID
+	for _, metadata := range unlockers {
+		// Construct the unlocker based on type to get its ID
+		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
+		files, err := afero.ReadDir(cli.fs, unlockersDir)
+		if err != nil {
+			continue
+		}
+
+		for _, file := range files {
+			if !file.IsDir() {
+				continue
+			}
+
+			unlockerDir := filepath.Join(unlockersDir, file.Name())
+			metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
+
+			// Check if this matches our metadata
+			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
+			if err != nil {
+				continue
+			}
+
+			var diskMetadata secret.UnlockerMetadata
+			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
+				continue
+			}
+
+			// Match by type and creation time
+			if diskMetadata.Type == metadata.Type && diskMetadata.CreatedAt.Equal(metadata.CreatedAt) {
+				var unlocker secret.Unlocker
+				switch metadata.Type {
+				case "passphrase":
+					unlocker = secret.NewPassphraseUnlocker(cli.fs, unlockerDir, diskMetadata)
+				case "keychain":
+					unlocker = secret.NewKeychainUnlocker(cli.fs, unlockerDir, diskMetadata)
+				case "pgp":
+					unlocker = secret.NewPGPUnlocker(cli.fs, unlockerDir, diskMetadata)
+				}
+
+				if unlocker != nil && unlocker.GetID() == unlockerID {
+					return fmt.Errorf("unlocker already exists")
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}

internal/cli/vault.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -27,14 +28,16 @@ func newVaultCmd() *cobra.Command {
 	cmd.AddCommand(newVaultCreateCmd())
 	cmd.AddCommand(newVaultSelectCmd())
 	cmd.AddCommand(newVaultImportCmd())
+	cmd.AddCommand(newVaultRemoveCmd())
 
 	return cmd
 }
 
 func newVaultListCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "list",
-		Short: "List available vaults",
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List available vaults",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")
 
@@ -94,6 +97,27 @@ func newVaultImportCmd() *cobra.Command {
 	}
 }
 
+func newVaultRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <name>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a vault",
+		Long: `Remove a vault. Requires --force if the vault contains secrets. Will automatically ` +
+			`switch to another vault if removing the currently selected one.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			force, _ := cmd.Flags().GetBool("force")
+			cli := NewCLIInstance()
+
+			return cli.RemoveVault(cmd, args[0], force)
+		},
+	}
+
+	cmd.Flags().BoolP("force", "f", false, "Force removal even if vault contains secrets")
+
+	return cmd
+}
+
 // ListVaults lists all available vaults
 func (cli *Instance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
@@ -295,3 +319,90 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 
 	return nil
 }
+
+// RemoveVault removes a vault with safety checks
+func (cli *Instance) RemoveVault(cmd *cobra.Command, name string, force bool) error {
+	// Get list of all vaults
+	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to list vaults: %w", err)
+	}
+
+	// Check if vault exists
+	vaultExists := false
+	for _, v := range vaults {
+		if v == name {
+			vaultExists = true
+
+			break
+		}
+	}
+	if !vaultExists {
+		return fmt.Errorf("vault '%s' does not exist", name)
+	}
+
+	// Don't allow removing the last vault
+	if len(vaults) == 1 {
+		return fmt.Errorf("cannot remove the last vault")
+	}
+
+	// Check if this is the current vault
+	currentVault, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current vault: %w", err)
+	}
+	isCurrentVault := currentVault.GetName() == name
+
+	// Load the vault to check for secrets
+	vlt := vault.NewVault(cli.fs, cli.stateDir, name)
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	// Check if vault has secrets
+	secretsDir := filepath.Join(vaultDir, "secrets.d")
+	hasSecrets := false
+	if exists, _ := afero.DirExists(cli.fs, secretsDir); exists {
+		entries, err := afero.ReadDir(cli.fs, secretsDir)
+		if err == nil && len(entries) > 0 {
+			hasSecrets = true
+		}
+	}
+
+	// Require --force if vault has secrets
+	if hasSecrets && !force {
+		return fmt.Errorf("vault '%s' contains secrets; use --force to remove", name)
+	}
+
+	// If removing current vault, switch to another vault first
+	if isCurrentVault {
+		// Find another vault to switch to
+		var newVault string
+		for _, v := range vaults {
+			if v != name {
+				newVault = v
+
+				break
+			}
+		}
+
+		// Switch to the new vault
+		if err := vault.SelectVault(cli.fs, cli.stateDir, newVault); err != nil {
+			return fmt.Errorf("failed to switch to vault '%s': %w", newVault, err)
+		}
+		cmd.Printf("Switched current vault to '%s'\n", newVault)
+	}
+
+	// Remove the vault directory
+	if err := cli.fs.RemoveAll(vaultDir); err != nil {
+		return fmt.Errorf("failed to remove vault directory: %w", err)
+	}
+
+	cmd.Printf("Removed vault '%s'\n", name)
+	if hasSecrets {
+		cmd.Printf("Warning: Vault contained secrets that have been permanently deleted\n")
+	}
+
+	return nil
+}

internal/cli/version.go

@@ -33,9 +33,10 @@ func VersionCommands(cli *Instance) *cobra.Command {
 
 	// List versions command
 	listCmd := &cobra.Command{
-		Use:   "list <secret-name>",
-		Short: "List all versions of a secret",
-		Args:  cobra.ExactArgs(1),
+		Use:     "list <secret-name>",
+		Aliases: []string{"ls"},
+		Short:   "List all versions of a secret",
+		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.ListVersions(cmd, args[0])
 		},
@@ -52,7 +53,19 @@ func VersionCommands(cli *Instance) *cobra.Command {
 		},
 	}
 
-	versionCmd.AddCommand(listCmd, promoteCmd)
+	// Remove version command
+	removeCmd := &cobra.Command{
+		Use:     "remove <secret-name> <version>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a specific version of a secret",
+		Long:    "Remove a specific version of a secret. Cannot remove the current version.",
+		Args:    cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cli.RemoveVersion(cmd, args[0], args[1])
+		},
+	}
+
+	versionCmd.AddCommand(listCmd, promoteCmd, removeCmd)
 
 	return versionCmd
 }
@@ -207,3 +220,60 @@ func (cli *Instance) PromoteVersion(cmd *cobra.Command, secretName string, versi
 
 	return nil
 }
+
+// RemoveVersion removes a specific version of a secret
+func (cli *Instance) RemoveVersion(cmd *cobra.Command, secretName string, version string) error {
+	// Get current vault
+	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return err
+	}
+
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return err
+	}
+
+	// Get the encoded secret name
+	encodedName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
+
+	// Check if secret exists
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret '%s' not found", secretName)
+	}
+
+	// Check if version exists
+	versionDir := filepath.Join(secretDir, "versions", version)
+	exists, err = afero.DirExists(cli.fs, versionDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if version exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("version '%s' not found for secret '%s'", version, secretName)
+	}
+
+	// Get current version
+	currentVersion, err := secret.GetCurrentVersion(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current version: %w", err)
+	}
+
+	// Don't allow removing the current version
+	if version == currentVersion {
+		return fmt.Errorf("cannot remove the current version '%s'; promote another version first", version)
+	}
+
+	// Remove the version directory
+	if err := cli.fs.RemoveAll(versionDir); err != nil {
+		return fmt.Errorf("failed to remove version: %w", err)
+	}
+
+	cmd.Printf("Removed version %s of secret '%s'\n", version, secretName)
+
+	return nil
+}

internal/secret/crypto.go

@@ -54,7 +54,7 @@ func EncryptToRecipient(data *memguard.LockedBuffer, recipient age.Recipient) ([
 }
 
 // DecryptWithIdentity decrypts data with an identity using age
-func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
+func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBuffer, error) {
 	r, err := age.Decrypt(bytes.NewReader(data), identity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create decryptor: %w", err)
@@ -65,40 +65,40 @@ func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
 		return nil, fmt.Errorf("failed to read decrypted data: %w", err)
 	}
 
-	return result, nil
+	// Create a secure buffer for the decrypted data
+	resultBuffer := memguard.NewBufferFromBytes(result)
+
+	return resultBuffer, nil
 }
 
 // EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
-// The passphrase parameter should be a LockedBuffer for secure memory handling
-func EncryptWithPassphrase(data []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
+// Both data and passphrase parameters should be LockedBuffers for secure memory handling
+func EncryptWithPassphrase(data *memguard.LockedBuffer, passphrase *memguard.LockedBuffer) ([]byte, error) {
+	if data == nil {
+		return nil, fmt.Errorf("data buffer is nil")
+	}
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 
-	// Get the passphrase string temporarily
-	passphraseStr := passphrase.String()
-	recipient, err := age.NewScryptRecipient(passphraseStr)
+	// Create recipient directly from passphrase - unavoidable string conversion due to age API
+	recipient, err := age.NewScryptRecipient(passphrase.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
 
-	// Create a secure buffer for the data
-	dataBuffer := memguard.NewBufferFromBytes(data)
-	defer dataBuffer.Destroy()
-
-	return EncryptToRecipient(dataBuffer, recipient)
+	return EncryptToRecipient(data, recipient)
 }
 
 // DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
 // The passphrase parameter should be a LockedBuffer for secure memory handling
-func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) ([]byte, error) {
+func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuffer) (*memguard.LockedBuffer, error) {
 	if passphrase == nil {
 		return nil, fmt.Errorf("passphrase buffer is nil")
 	}
 
-	// Get the passphrase string temporarily
-	passphraseStr := passphrase.String()
-	identity, err := age.NewScryptIdentity(passphraseStr)
+	// Create identity directly from passphrase - unavoidable string conversion due to age API
+	identity, err := age.NewScryptIdentity(passphrase.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
 	}

internal/secret/keychainunlocker.go

@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package secret
 
 import (
@@ -6,19 +9,22 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
+	"runtime"
 	"time"
 
 	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
+	keychain "github.com/keybase/go-keychain"
 	"github.com/spf13/afero"
 )
 
 const (
 	agePrivKeyPassphraseLength = 64
+	// KEYCHAIN_APP_IDENTIFIER is the service name used for keychain items
+	KEYCHAIN_APP_IDENTIFIER = "berlin.sneak.app.secret" //nolint:revive // ALL_CAPS is intentional for this constant
 )
 
 // keychainItemNameRegex validates keychain item names
@@ -107,30 +113,22 @@ func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(keychainData.AgePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 
-	agePrivKeyData, err := DecryptWithPassphrase(encryptedAgePrivKeyData, passphraseBuffer)
+	agePrivKeyBuffer, err := DecryptWithPassphrase(encryptedAgePrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt age private key with keychain passphrase", "error", err, "unlocker_id", k.GetID())
 
 		return nil, fmt.Errorf("failed to decrypt age private key with keychain passphrase: %w", err)
 	}
+	defer agePrivKeyBuffer.Destroy()
 
 	DebugWith("Successfully decrypted age private key with keychain passphrase",
 		slog.String("unlocker_id", k.GetID()),
-		slog.Int("decrypted_length", len(agePrivKeyData)),
+		slog.Int("decrypted_length", agePrivKeyBuffer.Size()),
 	)
 
 	// Step 6: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", k.GetID())
 
-	// Create a secure buffer for the private key data
-	agePrivKeyBuffer := memguard.NewBufferFromBytes(agePrivKeyData)
-	defer agePrivKeyBuffer.Destroy()
-
-	// Clear the original private key data
-	for i := range agePrivKeyData {
-		agePrivKeyData[i] = 0
-	}
-
 	ageIdentity, err := age.ParseX25519Identity(agePrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", k.GetID())
@@ -301,13 +299,13 @@ func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedB
 	}
 
 	// Decrypt long-term private key using current unlocker
-	ltPrivKeyData, err := DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtPrivKey, currentUnlockerIdentity)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
 
-	// Return the decrypted key in a secure buffer
-	return memguard.NewBufferFromBytes(ltPrivKeyData), nil
+	// Return the decrypted key buffer
+	return ltPrivKeyBuffer, nil
 }
 
 // CreateKeychainUnlocker creates a new keychain unlocker and stores it in the vault
@@ -368,7 +366,7 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 	passphraseBuffer := memguard.NewBufferFromBytes([]byte(agePrivKeyPassphrase))
 	defer passphraseBuffer.Destroy()
 
-	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivKeyBuffer.Bytes(), passphraseBuffer)
+	encryptedAgePrivKey, err := EncryptWithPassphrase(agePrivKeyBuffer, passphraseBuffer)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with passphrase: %w", err)
 	}
@@ -409,8 +407,12 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 		return nil, fmt.Errorf("failed to marshal keychain data: %w", err)
 	}
 
+	// Create a secure buffer for keychain data
+	keychainDataBuffer := memguard.NewBufferFromBytes(keychainDataBytes)
+	defer keychainDataBuffer.Destroy()
+
 	// Step 8: Store data in keychain
-	if err := storeInKeychain(keychainItemName, keychainDataBytes); err != nil {
+	if err := storeInKeychain(keychainItemName, keychainDataBuffer); err != nil {
 		return nil, fmt.Errorf("failed to store data in keychain: %w", err)
 	}
 
@@ -442,11 +444,10 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
 	}, nil
 }
 
-// checkMacOSAvailable verifies that we're running on macOS and security command is available
+// checkMacOSAvailable verifies that we're running on macOS
 func checkMacOSAvailable() error {
-	cmd := exec.Command("/usr/bin/security", "help")
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("macOS security command not available: %w (keychain unlockers are only supported on macOS)", err)
+	if runtime.GOOS != "darwin" {
+		return fmt.Errorf("keychain unlockers are only supported on macOS, current OS: %s", runtime.GOOS)
 	}
 
 	return nil
@@ -465,59 +466,78 @@ func validateKeychainItemName(itemName string) error {
 	return nil
 }
 
-// storeInKeychain stores data in the macOS keychain using the security command
-func storeInKeychain(itemName string, data []byte) error {
+// storeInKeychain stores data in the macOS keychain using keybase/go-keychain
+func storeInKeychain(itemName string, data *memguard.LockedBuffer) error {
+	if data == nil {
+		return fmt.Errorf("data buffer is nil")
+	}
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
-	cmd := exec.Command("/usr/bin/security", "add-generic-password", //nolint:gosec
-		"-a", itemName,
-		"-s", itemName,
-		"-w", string(data),
-		"-U") // Update if exists
 
-	if err := cmd.Run(); err != nil {
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassGenericPassword)
+	item.SetService(KEYCHAIN_APP_IDENTIFIER)
+	item.SetAccount(itemName)
+	item.SetLabel(fmt.Sprintf("%s - %s", KEYCHAIN_APP_IDENTIFIER, itemName))
+	item.SetDescription("Secret vault keychain data")
+	item.SetData([]byte(data.String()))
+	item.SetSynchronizable(keychain.SynchronizableNo)
+	// Use AccessibleWhenUnlockedThisDeviceOnly for better security and to trigger auth
+	item.SetAccessible(keychain.AccessibleWhenUnlockedThisDeviceOnly)
+
+	// First try to delete any existing item
+	deleteItem := keychain.NewItem()
+	deleteItem.SetSecClass(keychain.SecClassGenericPassword)
+	deleteItem.SetService(KEYCHAIN_APP_IDENTIFIER)
+	deleteItem.SetAccount(itemName)
+	_ = keychain.DeleteItem(deleteItem) // Ignore error as item might not exist
+
+	// Add the new item
+	if err := keychain.AddItem(item); err != nil {
 		return fmt.Errorf("failed to store item in keychain: %w", err)
 	}
 
 	return nil
 }
 
-// retrieveFromKeychain retrieves data from the macOS keychain using the security command
+// retrieveFromKeychain retrieves data from the macOS keychain using keybase/go-keychain
 func retrieveFromKeychain(itemName string) ([]byte, error) {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return nil, fmt.Errorf("invalid keychain item name: %w", err)
 	}
 
-	cmd := exec.Command("/usr/bin/security", "find-generic-password", //nolint:gosec
-		"-a", itemName,
-		"-s", itemName,
-		"-w") // Return password only
+	query := keychain.NewItem()
+	query.SetSecClass(keychain.SecClassGenericPassword)
+	query.SetService(KEYCHAIN_APP_IDENTIFIER)
+	query.SetAccount(itemName)
+	query.SetMatchLimit(keychain.MatchLimitOne)
+	query.SetReturnData(true)
 
-	output, err := cmd.Output()
+	results, err := keychain.QueryItem(query)
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve item from keychain: %w", err)
 	}
 
-	// Remove trailing newline if present
-	if len(output) > 0 && output[len(output)-1] == '\n' {
-		output = output[:len(output)-1]
+	if len(results) == 0 {
+		return nil, fmt.Errorf("keychain item not found: %s", itemName)
 	}
 
-	return output, nil
+	return results[0].Data, nil
 }
 
-// deleteFromKeychain removes an item from the macOS keychain using the security command
+// deleteFromKeychain removes an item from the macOS keychain using keybase/go-keychain
 func deleteFromKeychain(itemName string) error {
 	if err := validateKeychainItemName(itemName); err != nil {
 		return fmt.Errorf("invalid keychain item name: %w", err)
 	}
 
-	cmd := exec.Command("/usr/bin/security", "delete-generic-password", //nolint:gosec
-		"-a", itemName,
-		"-s", itemName)
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassGenericPassword)
+	item.SetService(KEYCHAIN_APP_IDENTIFIER)
+	item.SetAccount(itemName)
 
-	if err := cmd.Run(); err != nil {
+	if err := keychain.DeleteItem(item); err != nil {
 		return fmt.Errorf("failed to delete item from keychain: %w", err)
 	}
 

internal/secret/keychainunlocker_stub.go

@@ -0,0 +1,69 @@
+//go:build !darwin
+// +build !darwin
+
+package secret
+
+import (
+	"fmt"
+
+	"filippo.io/age"
+	"github.com/spf13/afero"
+)
+
+// KeychainUnlockerMetadata is a stub for non-Darwin platforms
+type KeychainUnlockerMetadata struct {
+	UnlockerMetadata
+	KeychainItemName string `json:"keychainItemName"`
+}
+
+// KeychainUnlocker is a stub for non-Darwin platforms
+type KeychainUnlocker struct {
+	Directory string
+	Metadata  UnlockerMetadata
+	fs        afero.Fs
+}
+
+// GetIdentity panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetType panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetType() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetMetadata panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetDirectory panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetDirectory() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetID returns the unlocker ID
+func (k *KeychainUnlocker) GetID() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetKeychainItemName panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// Remove panics on non-Darwin platforms
+func (k *KeychainUnlocker) Remove() error {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// NewKeychainUnlocker panics on non-Darwin platforms
+func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// CreateKeychainUnlocker panics on non-Darwin platforms
+func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
+	panic("keychain unlockers are only supported on macOS")
+}

internal/secret/keychainunlocker_test.go

@@ -0,0 +1,167 @@
+//go:build darwin
+// +build darwin
+
+package secret
+
+import (
+	"encoding/hex"
+	"runtime"
+	"testing"
+
+	"github.com/awnumar/memguard"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKeychainStoreRetrieveDelete(t *testing.T) {
+	// Skip test if not on macOS
+	if runtime.GOOS != "darwin" {
+		t.Skip("Keychain tests only run on macOS")
+	}
+
+	// Test data
+	testItemName := "test-secret-keychain-item"
+	testData := "test-secret-data-12345"
+	testBuffer := memguard.NewBufferFromBytes([]byte(testData))
+	defer testBuffer.Destroy()
+
+	// Clean up any existing item first
+	_ = deleteFromKeychain(testItemName)
+
+	// Test 1: Store data in keychain
+	err := storeInKeychain(testItemName, testBuffer)
+	require.NoError(t, err, "Failed to store data in keychain")
+
+	// Test 2: Retrieve data from keychain
+	retrievedData, err := retrieveFromKeychain(testItemName)
+	require.NoError(t, err, "Failed to retrieve data from keychain")
+	assert.Equal(t, testData, string(retrievedData), "Retrieved data doesn't match stored data")
+
+	// Test 3: Update existing item (store again with different data)
+	newTestData := "updated-test-data-67890"
+	newTestBuffer := memguard.NewBufferFromBytes([]byte(newTestData))
+	defer newTestBuffer.Destroy()
+
+	err = storeInKeychain(testItemName, newTestBuffer)
+	require.NoError(t, err, "Failed to update data in keychain")
+
+	// Verify updated data
+	retrievedData, err = retrieveFromKeychain(testItemName)
+	require.NoError(t, err, "Failed to retrieve updated data from keychain")
+	assert.Equal(t, newTestData, string(retrievedData), "Retrieved data doesn't match updated data")
+
+	// Test 4: Delete from keychain
+	err = deleteFromKeychain(testItemName)
+	require.NoError(t, err, "Failed to delete data from keychain")
+
+	// Test 5: Verify item is deleted (should fail to retrieve)
+	_, err = retrieveFromKeychain(testItemName)
+	assert.Error(t, err, "Expected error when retrieving deleted item")
+}
+
+func TestKeychainInvalidItemName(t *testing.T) {
+	// Skip test if not on macOS
+	if runtime.GOOS != "darwin" {
+		t.Skip("Keychain tests only run on macOS")
+	}
+
+	testData := memguard.NewBufferFromBytes([]byte("test"))
+	defer testData.Destroy()
+
+	// Test invalid item names
+	invalidNames := []string{
+		"",                  // Empty name
+		"test space",        // Contains space
+		"test/slash",        // Contains slash
+		"test\\backslash",   // Contains backslash
+		"test:colon",        // Contains colon
+		"test;semicolon",    // Contains semicolon
+		"test|pipe",         // Contains pipe
+		"test@at",           // Contains @
+		"test#hash",         // Contains #
+		"test$dollar",       // Contains $
+		"test&ampersand",    // Contains &
+		"test*asterisk",     // Contains *
+		"test?question",     // Contains ?
+		"test!exclamation",  // Contains !
+		"test'quote",        // Contains single quote
+		"test\"doublequote", // Contains double quote
+		"test(paren",        // Contains parenthesis
+		"test[bracket",      // Contains bracket
+	}
+
+	for _, name := range invalidNames {
+		err := storeInKeychain(name, testData)
+		assert.Error(t, err, "Expected error for invalid name: %s", name)
+		assert.Contains(t, err.Error(), "invalid keychain item name", "Error should mention invalid name for: %s", name)
+	}
+
+	// Test valid names (should not error on validation)
+	validNames := []string{
+		"test-name",
+		"test_name",
+		"test.name",
+		"TestName123",
+		"TEST_NAME_123",
+		"com.example.test",
+		"secret-vault-hostname-2024-01-01",
+	}
+
+	for _, name := range validNames {
+		err := validateKeychainItemName(name)
+		assert.NoError(t, err, "Expected no error for valid name: %s", name)
+		// Clean up
+		_ = deleteFromKeychain(name)
+	}
+}
+
+func TestKeychainNilData(t *testing.T) {
+	// Skip test if not on macOS
+	if runtime.GOOS != "darwin" {
+		t.Skip("Keychain tests only run on macOS")
+	}
+
+	// Test storing nil data
+	err := storeInKeychain("test-item", nil)
+	assert.Error(t, err, "Expected error when storing nil data")
+	assert.Contains(t, err.Error(), "data buffer is nil")
+}
+
+func TestKeychainLargeData(t *testing.T) {
+	// Skip test if not on macOS
+	if runtime.GOOS != "darwin" {
+		t.Skip("Keychain tests only run on macOS")
+	}
+
+	// Test with larger hex-encoded data (512 bytes of binary data = 1KB hex)
+	largeData := make([]byte, 512)
+	for i := range largeData {
+		largeData[i] = byte(i % 256)
+	}
+
+	// Convert to hex string for storage
+	hexData := hex.EncodeToString(largeData)
+
+	testItemName := "test-large-data"
+	testBuffer := memguard.NewBufferFromBytes([]byte(hexData))
+	defer testBuffer.Destroy()
+
+	// Clean up first
+	_ = deleteFromKeychain(testItemName)
+
+	// Store hex data
+	err := storeInKeychain(testItemName, testBuffer)
+	require.NoError(t, err, "Failed to store large data")
+
+	// Retrieve and verify
+	retrievedData, err := retrieveFromKeychain(testItemName)
+	require.NoError(t, err, "Failed to retrieve large data")
+
+	// Decode hex and compare
+	decodedData, err := hex.DecodeString(string(retrievedData))
+	require.NoError(t, err, "Failed to decode hex data")
+	assert.Equal(t, largeData, decodedData, "Large data mismatch")
+
+	// Clean up
+	_ = deleteFromKeychain(testItemName)
+}

internal/secret/passphrase_test.go

@@ -76,10 +76,11 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 
 	// Test encrypting private key with passphrase
 	t.Run("EncryptPrivateKey", func(t *testing.T) {
-		privKeyData := []byte(agePrivateKey)
+		privKeyBuffer := memguard.NewBufferFromBytes([]byte(agePrivateKey))
+		defer privKeyBuffer.Destroy()
 		passphraseBuffer := memguard.NewBufferFromBytes([]byte(testPassphrase))
 		defer passphraseBuffer.Destroy()
-		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyData, passphraseBuffer)
+		encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphraseBuffer)
 		if err != nil {
 			t.Fatalf("Failed to encrypt private key: %v", err)
 		}

internal/secret/passphraseunlocker.go

@@ -84,30 +84,22 @@ func (p *PassphraseUnlocker) GetIdentity() (*age.X25519Identity, error) {
 	Debug("Decrypting unlocker private key with passphrase", "unlocker_id", p.GetID())
 
 	// Decrypt the unlocker private key with passphrase
-	privKeyData, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
+	privKeyBuffer, err := DecryptWithPassphrase(encryptedPrivKeyData, passphraseBuffer)
 	if err != nil {
 		Debug("Failed to decrypt unlocker private key", "error", err, "unlocker_id", p.GetID())
 
 		return nil, fmt.Errorf("failed to decrypt unlocker private key: %w", err)
 	}
+	defer privKeyBuffer.Destroy()
 
 	DebugWith("Successfully decrypted unlocker private key",
 		slog.String("unlocker_id", p.GetID()),
-		slog.Int("decrypted_length", len(privKeyData)),
+		slog.Int("decrypted_length", privKeyBuffer.Size()),
 	)
 
 	// Parse the decrypted private key
 	Debug("Parsing decrypted unlocker identity", "unlocker_id", p.GetID())
 
-	// Create a secure buffer for the private key data
-	privKeyBuffer := memguard.NewBufferFromBytes(privKeyData)
-	defer privKeyBuffer.Destroy()
-
-	// Clear the original private key data
-	for i := range privKeyData {
-		privKeyData[i] = 0
-	}
-
 	identity, err := age.ParseX25519Identity(privKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse unlocker private key", "error", err, "unlocker_id", p.GetID())

internal/secret/pgpunlock_test.go

@@ -45,7 +45,10 @@ pinentry-mode loopback
 	origDecryptFunc := secret.GPGDecryptFunc
 
 	// Set custom GPG functions for this test
-	secret.GPGEncryptFunc = func(data []byte, keyID string) ([]byte, error) {
+	secret.GPGEncryptFunc = func(data *memguard.LockedBuffer, keyID string) ([]byte, error) {
+		if data == nil {
+			return nil, fmt.Errorf("data buffer is nil")
+		}
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -60,7 +63,7 @@ pinentry-mode loopback
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
-		cmd.Stdin = bytes.NewReader(data)
+		cmd.Stdin = bytes.NewReader(data.Bytes())
 
 		if err := cmd.Run(); err != nil {
 			return nil, fmt.Errorf("GPG encryption failed: %w\nStderr: %s", err, stderr.String())
@@ -69,7 +72,7 @@ pinentry-mode loopback
 		return stdout.Bytes(), nil
 	}
 
-	secret.GPGDecryptFunc = func(encryptedData []byte) ([]byte, error) {
+	secret.GPGDecryptFunc = func(encryptedData []byte) (*memguard.LockedBuffer, error) {
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -88,7 +91,8 @@ pinentry-mode loopback
 			return nil, fmt.Errorf("GPG decryption failed: %w\nStderr: %s", err, stderr.String())
 		}
 
-		return stdout.Bytes(), nil
+		// Create a secure buffer for the decrypted data
+		return memguard.NewBufferFromBytes(stdout.Bytes()), nil
 	}
 
 	// Restore original functions after test
@@ -444,8 +448,9 @@ Passphrase: ` + testPassphrase + `
 		}
 
 		// GPG encrypt the private key using our custom encrypt function
-		privKeyData := []byte(ageIdentity.String())
-		encryptedOutput, err := secret.GPGEncryptFunc(privKeyData, keyID)
+		privKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
+		defer privKeyBuffer.Destroy()
+		encryptedOutput, err := secret.GPGEncryptFunc(privKeyBuffer, keyID)
 		if err != nil {
 			t.Fatalf("Failed to encrypt with GPG: %v", err)
 		}

internal/secret/pgpunlocker.go

@@ -20,11 +20,13 @@ import (
 var (
 	// GPGEncryptFunc is the function used for GPG encryption
 	// Can be overridden in tests to provide a non-interactive implementation
-	GPGEncryptFunc = gpgEncryptDefault //nolint:gochecknoglobals // Required for test mocking
+	//nolint:gochecknoglobals // Required for test mocking
+	GPGEncryptFunc func(data *memguard.LockedBuffer, keyID string) ([]byte, error) = gpgEncryptDefault
 
 	// GPGDecryptFunc is the function used for GPG decryption
 	// Can be overridden in tests to provide a non-interactive implementation
-	GPGDecryptFunc = gpgDecryptDefault //nolint:gochecknoglobals // Required for test mocking
+	//nolint:gochecknoglobals // Required for test mocking
+	GPGDecryptFunc func(encryptedData []byte) (*memguard.LockedBuffer, error) = gpgDecryptDefault
 
 	// gpgKeyIDRegex validates GPG key IDs
 	// Allows either:
@@ -79,21 +81,22 @@ func (p *PGPUnlocker) GetIdentity() (*age.X25519Identity, error) {
 
 	// Step 2: Decrypt the age private key using GPG
 	Debug("Decrypting age private key with GPG", "unlocker_id", p.GetID())
-	agePrivKeyData, err := GPGDecryptFunc(encryptedAgePrivKeyData)
+	agePrivKeyBuffer, err := GPGDecryptFunc(encryptedAgePrivKeyData)
 	if err != nil {
 		Debug("Failed to decrypt age private key with GPG", "error", err, "unlocker_id", p.GetID())
 
 		return nil, fmt.Errorf("failed to decrypt age private key with GPG: %w", err)
 	}
+	defer agePrivKeyBuffer.Destroy()
 
 	DebugWith("Successfully decrypted age private key with GPG",
 		slog.String("unlocker_id", p.GetID()),
-		slog.Int("decrypted_length", len(agePrivKeyData)),
+		slog.Int("decrypted_length", agePrivKeyBuffer.Size()),
 	)
 
 	// Step 3: Parse the decrypted age private key
 	Debug("Parsing decrypted age private key", "unlocker_id", p.GetID())
-	ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
+	ageIdentity, err := age.ParseX25519Identity(agePrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse age private key", "error", err, "unlocker_id", p.GetID())
 
@@ -125,7 +128,7 @@ func (p *PGPUnlocker) GetDirectory() string {
 
 // GetID implements Unlocker interface - generates ID from GPG key ID
 func (p *PGPUnlocker) GetID() string {
-	// Generate ID using GPG key ID: <keyid>-pgp
+	// Generate ID using GPG key ID: pgp-<keyid>
 	gpgKeyID, err := p.GetGPGKeyID()
 	if err != nil {
 		// The vault metadata is corrupt - this is a fatal error
@@ -133,7 +136,7 @@ func (p *PGPUnlocker) GetID() string {
 		panic(fmt.Sprintf("PGP unlocker metadata is corrupt or missing GPG key ID: %v", err))
 	}
 
-	return fmt.Sprintf("%s-pgp", gpgKeyID)
+	return fmt.Sprintf("pgp-%s", gpgKeyID)
 }
 
 // Remove implements Unlocker interface - removes the PGP unlocker
@@ -253,7 +256,7 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 	agePrivateKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
 	defer agePrivateKeyBuffer.Destroy()
 
-	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBuffer.Bytes(), gpgKeyID)
+	encryptedAgePrivKey, err := GPGEncryptFunc(agePrivateKeyBuffer, gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt age private key with GPG: %w", err)
 	}
@@ -264,7 +267,7 @@ func CreatePGPUnlocker(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnloc
 	}
 
 	// Step 9: Resolve the GPG key ID to its full fingerprint
-	fingerprint, err := resolveGPGKeyFingerprint(gpgKeyID)
+	fingerprint, err := ResolveGPGKeyFingerprint(gpgKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
 	}
@@ -310,8 +313,8 @@ func validateGPGKeyID(keyID string) error {
 	return nil
 }
 
-// resolveGPGKeyFingerprint resolves any GPG key identifier to its full fingerprint
-func resolveGPGKeyFingerprint(keyID string) (string, error) {
+// ResolveGPGKeyFingerprint resolves any GPG key identifier to its full fingerprint
+func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	if err := validateGPGKeyID(keyID); err != nil {
 		return "", fmt.Errorf("invalid GPG key ID: %w", err)
 	}
@@ -348,13 +351,16 @@ func checkGPGAvailable() error {
 }
 
 // gpgEncryptDefault is the default implementation of GPG encryption
-func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
+func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error) {
+	if data == nil {
+		return nil, fmt.Errorf("data buffer is nil")
+	}
 	if err := validateGPGKeyID(keyID); err != nil {
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 
 	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
-	cmd.Stdin = strings.NewReader(string(data))
+	cmd.Stdin = strings.NewReader(data.String())
 
 	output, err := cmd.Output()
 	if err != nil {
@@ -365,7 +371,7 @@ func gpgEncryptDefault(data []byte, keyID string) ([]byte, error) {
 }
 
 // gpgDecryptDefault is the default implementation of GPG decryption
-func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
+func gpgDecryptDefault(encryptedData []byte) (*memguard.LockedBuffer, error) {
 	cmd := exec.Command("gpg", "--quiet", "--decrypt")
 	cmd.Stdin = strings.NewReader(string(encryptedData))
 
@@ -374,5 +380,8 @@ func gpgDecryptDefault(encryptedData []byte) ([]byte, error) {
 		return nil, fmt.Errorf("GPG decryption failed: %w", err)
 	}
 
-	return output, nil
+	// Create a secure buffer for the decrypted data
+	outputBuffer := memguard.NewBufferFromBytes(output)
+
+	return outputBuffer, nil
 }

internal/secret/secret.go

@@ -62,35 +62,8 @@ func NewSecret(vault VaultInterface, name string) *Secret {
 	}
 }
 
-// Save is deprecated - use vault.AddSecret directly which creates versions
-// Kept for backward compatibility
-func (s *Secret) Save(value []byte, force bool) error {
-	DebugWith("Saving secret (deprecated method)",
-		slog.String("secret_name", s.Name),
-		slog.String("vault_name", s.vault.GetName()),
-		slog.Int("value_length", len(value)),
-		slog.Bool("force", force),
-	)
-
-	// Create a secure buffer for the value - note that the caller
-	// should ideally pass a LockedBuffer directly to vault.AddSecret
-	valueBuffer := memguard.NewBufferFromBytes(value)
-	defer valueBuffer.Destroy()
-
-	err := s.vault.AddSecret(s.Name, valueBuffer, force)
-	if err != nil {
-		Debug("Failed to save secret", "error", err, "secret_name", s.Name)
-
-		return err
-	}
-
-	Debug("Successfully saved secret", "secret_name", s.Name)
-
-	return nil
-}
-
 // GetValue retrieves and decrypts the current version's value using the provided unlocker
-func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
+func (s *Secret) GetValue(unlocker Unlocker) (*memguard.LockedBuffer, error) {
 	DebugWith("Getting secret value",
 		slog.String("secret_name", s.Name),
 		slog.String("vault_name", s.vault.GetName()),
@@ -206,16 +179,17 @@ func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
 
 	// Decrypt the encrypted long-term private key using the unlocker
 	Debug("Decrypting long-term private key using unlocker", "secret_name", s.Name)
-	ltPrivKeyData, err := DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
+	ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtPrivKey, unlockIdentity)
 	if err != nil {
 		Debug("Failed to decrypt long-term private key", "error", err, "secret_name", s.Name)
 
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
+	defer ltPrivKeyBuffer.Destroy()
 
 	// Parse the long-term private key
 	Debug("Parsing long-term private key", "secret_name", s.Name)
-	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
+	ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse long-term private key", "error", err, "secret_name", s.Name)
 

internal/secret/version.go

@@ -277,15 +277,16 @@ func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	}
 
 	// Step 2: Decrypt version private key using long-term key
-	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
+	defer versionPrivKeyBuffer.Destroy()
 
 	// Step 3: Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 
@@ -302,16 +303,17 @@ func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
 	}
 
 	// Step 5: Decrypt metadata using version key
-	metadataBytes, err := DecryptWithIdentity(encryptedMetadata, versionIdentity)
+	metadataBuffer, err := DecryptWithIdentity(encryptedMetadata, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version metadata", "error", err, "version", sv.Version)
 
 		return fmt.Errorf("failed to decrypt version metadata: %w", err)
 	}
+	defer metadataBuffer.Destroy()
 
 	// Step 6: Unmarshal metadata
 	var metadata VersionMetadata
-	if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+	if err := json.Unmarshal(metadataBuffer.Bytes(), &metadata); err != nil {
 		Debug("Failed to unmarshal version metadata", "error", err, "version", sv.Version)
 
 		return fmt.Errorf("failed to unmarshal version metadata: %w", err)
@@ -324,7 +326,7 @@ func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
 }
 
 // GetValue retrieves and decrypts the version value
-func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
+func (sv *Version) GetValue(ltIdentity *age.X25519Identity) (*memguard.LockedBuffer, error) {
 	DebugWith("Getting version value",
 		slog.String("secret_name", sv.SecretName),
 		slog.String("version", sv.Version),
@@ -352,16 +354,17 @@ func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
 
 	// Step 2: Decrypt version private key using long-term key
 	Debug("Decrypting version private key with long-term identity", "version", sv.Version)
-	versionPrivKeyData, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version private key", "error", err, "version", sv.Version)
 
 		return nil, fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
-	Debug("Successfully decrypted version private key", "version", sv.Version, "size", len(versionPrivKeyData))
+	defer versionPrivKeyBuffer.Destroy()
+	Debug("Successfully decrypted version private key", "version", sv.Version, "size", versionPrivKeyBuffer.Size())
 
 	// Step 3: Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		Debug("Failed to parse version private key", "error", err, "version", sv.Version)
 
@@ -381,7 +384,7 @@ func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
 
 	// Step 5: Decrypt value using version key
 	Debug("Decrypting value with version identity", "version", sv.Version)
-	value, err := DecryptWithIdentity(encryptedValue, versionIdentity)
+	valueBuffer, err := DecryptWithIdentity(encryptedValue, versionIdentity)
 	if err != nil {
 		Debug("Failed to decrypt version value", "error", err, "version", sv.Version)
 
@@ -390,10 +393,10 @@ func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
 
 	Debug("Successfully retrieved version value",
 		"version", sv.Version,
-		"value_length", len(value),
-		"is_empty", len(value) == 0)
+		"value_length", valueBuffer.Size(),
+		"is_empty", valueBuffer.Size() == 0)
 
-	return value, nil
+	return valueBuffer, nil
 }
 
 // ListVersions lists all versions of a secret

internal/secret/version_test.go

@@ -255,10 +255,11 @@ func TestSecretVersionGetValue(t *testing.T) {
 	require.NoError(t, err)
 
 	// Retrieve the value
-	retrievedValue, err := sv.GetValue(ltIdentity)
+	retrievedBuffer, err := sv.GetValue(ltIdentity)
 	require.NoError(t, err)
+	defer retrievedBuffer.Destroy()
 
-	assert.Equal(t, expectedValue, retrievedValue)
+	assert.Equal(t, expectedValue, retrievedBuffer.Bytes())
 }
 
 func TestListVersions(t *testing.T) {

internal/vault/secrets.go

@@ -259,13 +259,14 @@ func updateVersionMetadata(fs afero.Fs, version *secret.Version, ltIdentity *age
 	}
 
 	// Decrypt version private key using long-term key
-	versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
+	versionPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
 	if err != nil {
 		return fmt.Errorf("failed to decrypt version private key: %w", err)
 	}
+	defer versionPrivKeyBuffer.Destroy()
 
 	// Parse version private key
-	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
+	versionIdentity, err := age.ParseX25519Identity(versionPrivKeyBuffer.String())
 	if err != nil {
 		return fmt.Errorf("failed to parse version private key: %w", err)
 	}
@@ -393,21 +394,26 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		return nil, fmt.Errorf("failed to decrypt version: %w", err)
 	}
 
+	// Create a copy to return since the buffer will be destroyed
+	result := make([]byte, decryptedValue.Size())
+	copy(result, decryptedValue.Bytes())
+	decryptedValue.Destroy()
+
 	secret.DebugWith("Successfully decrypted secret version",
 		slog.String("secret_name", name),
 		slog.String("version", version),
 		slog.String("vault_name", v.Name),
-		slog.Int("decrypted_length", len(decryptedValue)),
+		slog.Int("decrypted_length", len(result)),
 	)
 
 	// Debug: Log metadata about the decrypted value without exposing the actual secret
 	secret.Debug("Vault secret decryption debug info",
 		"secret_name", name,
 		"version", version,
-		"decrypted_value_length", len(decryptedValue),
-		"is_empty", len(decryptedValue) == 0)
+		"decrypted_value_length", len(result),
+		"is_empty", len(result) == 0)
 
-	return decryptedValue, nil
+	return result, nil
 }
 
 // UnlockVault unlocks the vault and returns the long-term private key

internal/vault/unlockers.go

@@ -346,7 +346,9 @@ func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*se
 
 	// Encrypt private key with passphrase
 	privKeyStr := unlockerIdentity.String()
-	encryptedPrivKey, err := secret.EncryptWithPassphrase([]byte(privKeyStr), passphrase)
+	privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
+	defer privKeyBuffer.Destroy()
+	encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphrase)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
 	}

internal/vault/vault.go

@@ -157,22 +157,23 @@ func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
 
 	// Decrypt long-term private key using unlocker
 	secret.Debug("Decrypting long-term private key with unlocker", "unlocker_type", unlocker.GetType())
-	ltPrivKeyData, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
+	ltPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
 	if err != nil {
 		secret.Debug("Failed to decrypt long-term private key", "error", err, "unlocker_type", unlocker.GetType())
 
 		return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
 	}
+	defer ltPrivKeyBuffer.Destroy()
 
 	secret.DebugWith("Successfully decrypted long-term private key",
 		slog.String("vault_name", v.Name),
 		slog.String("unlocker_type", unlocker.GetType()),
-		slog.Int("decrypted_length", len(ltPrivKeyData)),
+		slog.Int("decrypted_length", ltPrivKeyBuffer.Size()),
 	)
 
 	// Parse long-term private key
 	secret.Debug("Parsing long-term private key", "vault_name", v.Name)
-	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
+	ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
 	if err != nil {
 		secret.Debug("Failed to parse long-term private key", "error", err, "vault_name", v.Name)
 
@@ -207,3 +208,48 @@ func (v *Vault) GetName() string {
 func (v *Vault) GetFilesystem() afero.Fs {
 	return v.fs
 }
+
+// NumSecrets returns the number of secrets in the vault
+func (v *Vault) NumSecrets() (int, error) {
+	vaultDir, err := v.GetDirectory()
+	if err != nil {
+		return 0, fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	secretsDir := filepath.Join(vaultDir, "secrets.d")
+	exists, _ := afero.DirExists(v.fs, secretsDir)
+	if !exists {
+		return 0, nil
+	}
+
+	entries, err := afero.ReadDir(v.fs, secretsDir)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read secrets directory: %w", err)
+	}
+
+	// Count only directories that contain at least one version file
+	count := 0
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+
+		// Check if this secret directory contains any version files
+		secretDir := filepath.Join(secretsDir, entry.Name())
+		versionFiles, err := afero.ReadDir(v.fs, secretDir)
+		if err != nil {
+			continue // Skip directories we can't read
+		}
+
+		// Look for at least one version file (excluding "current" symlink)
+		for _, vFile := range versionFiles {
+			if !vFile.IsDir() && vFile.Name() != "current" {
+				count++
+
+				break // Found at least one version, count this secret
+			}
+		}
+	}
+
+	return count, nil
+}