sneak/secret
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: sneak:main
Branches Tags
sneak:main sneak:ci/make-check sneak:fix-memory-security
..
compare: sneak:cc53469f904ffac2eea92fbebcaabb51e7c79cea
Branches Tags
sneak:ci/make-check sneak:main sneak:fix-memory-security

3 Commits
main ... cc53469f90

Author SHA1 Message Date
clawbot
cc53469f90 Fix review findings: stub panics, derivation index, tests, README 
- Replace panic() calls in seunlocker_stub.go with error returns,
  following the existing keychainunlocker_stub.go pattern
- Fix hardcoded derivation index 0 in getLongTermKeyForSE: now reads
  vault metadata to use the correct DerivationIndex (matching
  getLongTermPrivateKey in keychainunlocker.go)
- Add tests for SE unlocker exports in secret package (both darwin
  and non-darwin stub tests)
- Update README to reflect SE implementation: remove 'planned' labels,
  update Apple Developer Program references, add secure-enclave to
  unlocker type lists and examples
- Run go fmt on files with import ordering issues
 2026-03-11 06:36:20 -07:00
sneak
9ab960565e Fix nlreturn lint errors in macse CGo bindings 2026-03-11 06:36:20 -07:00
sneak
9d238a03af Add Secure Enclave unlocker for hardware-backed secret protection 
Adds a new "secure-enclave" unlocker type that stores the vault's
long-term private key encrypted by a non-exportable P-256 key held
in the Secure Enclave hardware. Decryption (ECDH) is performed
inside the SE; the key never leaves the hardware.

Uses CryptoTokenKit identities created via sc_auth, which allows
SE access from unsigned binaries without Apple Developer Program
membership. ECIES (X963SHA256 + AES-GCM) handles encryption and
decryption through Security.framework.

New package internal/macse/ provides the CGo bridge to
Security.framework for SE key creation, ECIES encrypt/decrypt,
and key deletion. The SE unlocker directly encrypts the vault
long-term key (no intermediate age keypair).
 2026-03-11 06:36:20 -07:00
2 changed files with 21 additions and 89 deletions
Expand all files Collapse all files

90
internal/secret/seunlocker_darwin.go
View File

@@ -60,10 +60,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
encryptedPath := filepath.Join(s.Directory, seLongtermFilename)
encryptedData, err := afero.ReadFile(s.fs, encryptedPath)
if err != nil {
return nil, fmt.Errorf(
"failed to read SE-encrypted long-term key: %w",
err,
)
return nil, fmt.Errorf("failed to read SE-encrypted long-term key: %w", err)
}
DebugWith("Read SE-encrypted long-term key",
@@ -73,10 +70,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
// Decrypt using the Secure Enclave (ECDH happens inside SE hardware)
decryptedData, err := macse.Decrypt(seKeyLabel, encryptedData)
if err != nil {
return nil, fmt.Errorf(
"failed to decrypt long-term key with SE: %w",
err,
)
return nil, fmt.Errorf("failed to decrypt long-term key with SE: %w", err)
}
// Parse the decrypted long-term private key
@@ -88,10 +82,7 @@ func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
}
if err != nil {
return nil, fmt.Errorf(
"failed to parse long-term private key: %w",
err,
)
return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
}
DebugWith("Successfully decrypted long-term key via SE",
@@ -174,11 +165,7 @@ func (s *SecureEnclaveUnlocker) getSEKeyInfo() (label string, hash string, err e
}
// NewSecureEnclaveUnlocker creates a new SecureEnclaveUnlocker instance.
func NewSecureEnclaveUnlocker(
fs afero.Fs,
directory string,
metadata UnlockerMetadata,
) *SecureEnclaveUnlocker {
func NewSecureEnclaveUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *SecureEnclaveUnlocker {
return &SecureEnclaveUnlocker{
Directory: directory,
Metadata: metadata,
@@ -195,22 +182,13 @@ func generateSEKeyLabel(vaultName string) (string, error) {
enrollmentDate := time.Now().UTC().Format("2006-01-02")
return fmt.Sprintf(
"%s.%s-%s-%s",
seKeyLabelPrefix,
vaultName,
hostname,
enrollmentDate,
), nil
return fmt.Sprintf("%s.%s-%s-%s", seKeyLabelPrefix, vaultName, hostname, enrollmentDate), nil
}
// CreateSecureEnclaveUnlocker creates a new SE unlocker.
// The vault's long-term private key is encrypted directly by the Secure Enclave
// using ECIES. No intermediate age keypair is used.
func CreateSecureEnclaveUnlocker(
fs afero.Fs,
stateDir string,
) (*SecureEnclaveUnlocker, error) {
func CreateSecureEnclaveUnlocker(fs afero.Fs, stateDir string) (*SecureEnclaveUnlocker, error) {
if err := checkMacOSAvailable(); err != nil {
return nil, err
}
@@ -238,20 +216,14 @@ func CreateSecureEnclaveUnlocker(
// Step 2: Get the vault's long-term private key
ltPrivKeyData, err := getLongTermKeyForSE(fs, vault)
if err != nil {
return nil, fmt.Errorf(
"failed to get long-term private key: %w",
err,
)
return nil, fmt.Errorf("failed to get long-term private key: %w", err)
}
defer ltPrivKeyData.Destroy()
// Step 3: Encrypt the long-term key directly with the SE (ECIES)
encryptedLtKey, err := macse.Encrypt(seKeyLabel, ltPrivKeyData.Bytes())
if err != nil {
return nil, fmt.Errorf(
"failed to encrypt long-term key with SE: %w",
err,
)
return nil, fmt.Errorf("failed to encrypt long-term key with SE: %w", err)
}
// Step 4: Create unlocker directory and write files
@@ -263,19 +235,13 @@ func CreateSecureEnclaveUnlocker(
unlockerDirName := fmt.Sprintf("se-%s", filepath.Base(seKeyLabel))
unlockerDir := filepath.Join(vaultDir, "unlockers.d", unlockerDirName)
if err := fs.MkdirAll(unlockerDir, DirPerms); err != nil {
return nil, fmt.Errorf(
"failed to create unlocker directory: %w",
err,
)
return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
}
// Write SE-encrypted long-term key
ltKeyPath := filepath.Join(unlockerDir, seLongtermFilename)
if err := afero.WriteFile(fs, ltKeyPath, encryptedLtKey, FilePerms); err != nil {
return nil, fmt.Errorf(
"failed to write SE-encrypted long-term key: %w",
err,
)
return nil, fmt.Errorf("failed to write SE-encrypted long-term key: %w", err)
}
// Write metadata
@@ -308,10 +274,7 @@ func CreateSecureEnclaveUnlocker(
// getLongTermKeyForSE retrieves the vault's long-term private key
// either from the mnemonic env var or by unlocking via the current unlocker.
func getLongTermKeyForSE(
fs afero.Fs,
vault VaultInterface,
) (*memguard.LockedBuffer, error) {
func getLongTermKeyForSE(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
envMnemonic := os.Getenv(EnvMnemonic)
if envMnemonic != "" {
// Read vault metadata to get the correct derivation index
@@ -332,16 +295,9 @@ func getLongTermKeyForSE(
}
// Use mnemonic with the vault's actual derivation index
ltIdentity, err := agehd.DeriveIdentity(
envMnemonic,
metadata.DerivationIndex,
)
ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
if err != nil {
return nil, fmt.Errorf(
"failed to derive long-term key from mnemonic: %w",
err,
)
return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
}
return memguard.NewBufferFromBytes([]byte(ltIdentity.String())), nil
@@ -354,29 +310,17 @@ func getLongTermKeyForSE(
currentIdentity, err := currentUnlocker.GetIdentity()
if err != nil {
return nil, fmt.Errorf(
"failed to get current unlocker identity: %w",
err,
)
return nil, fmt.Errorf("failed to get current unlocker identity: %w", err)
}
// All unlocker types store longterm.age in their directory
longtermPath := filepath.Join(
currentUnlocker.GetDirectory(),
"longterm.age",
)
longtermPath := filepath.Join(currentUnlocker.GetDirectory(), "longterm.age")
encryptedLtKey, err := afero.ReadFile(fs, longtermPath)
if err != nil {
return nil, fmt.Errorf(
"failed to read encrypted long-term key: %w",
err,
)
return nil, fmt.Errorf("failed to read encrypted long-term key: %w", err)
}
ltPrivKeyBuffer, err := DecryptWithIdentity(
encryptedLtKey,
currentIdentity,
)
ltPrivKeyBuffer, err := DecryptWithIdentity(encryptedLtKey, currentIdentity)
if err != nil {
return nil, fmt.Errorf("failed to decrypt long-term key: %w", err)
}

20
internal/secret/seunlocker_stub.go
View File

@@ -10,9 +10,7 @@ import (
"github.com/spf13/afero"
)
var errSENotSupported = fmt.Errorf(
"secure enclave unlockers are only supported on macOS",
)
var errSENotSupported = fmt.Errorf("secure enclave unlockers are only supported on macOS")
// SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
type SecureEnclaveUnlockerMetadata struct {
@@ -50,10 +48,7 @@ func (s *SecureEnclaveUnlocker) GetDirectory() string {
// GetID returns the unlocker ID.
func (s *SecureEnclaveUnlocker) GetID() string {
return fmt.Sprintf(
"%s-secure-enclave",
s.Metadata.CreatedAt.Format("2006-01-02.15.04"),
)
return fmt.Sprintf("%s-secure-enclave", s.Metadata.CreatedAt.Format("2006-01-02.15.04"))
}
// Remove returns an error on non-Darwin platforms.
@@ -63,11 +58,7 @@ func (s *SecureEnclaveUnlocker) Remove() error {
// NewSecureEnclaveUnlocker creates a stub SecureEnclaveUnlocker on non-Darwin platforms.
// The returned instance's methods that require macOS functionality will return errors.
func NewSecureEnclaveUnlocker(
fs afero.Fs,
directory string,
metadata UnlockerMetadata,
) *SecureEnclaveUnlocker {
func NewSecureEnclaveUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *SecureEnclaveUnlocker {
return &SecureEnclaveUnlocker{
Directory: directory,
Metadata: metadata,
@@ -76,9 +67,6 @@ func NewSecureEnclaveUnlocker(
}
// CreateSecureEnclaveUnlocker returns an error on non-Darwin platforms.
func CreateSecureEnclaveUnlocker(
_ afero.Fs,
_ string,
) (*SecureEnclaveUnlocker, error) {
func CreateSecureEnclaveUnlocker(_ afero.Fs, _ string) (*SecureEnclaveUnlocker, error) {
return nil, errSENotSupported
}