internal/cli/init.go

@@ -7,10 +7,12 @@ import (
 	"path/filepath"
 	"strings"
 
+	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -152,8 +154,35 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
 
-	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
-	// private key to longterm.age, so no need to do it again here.
+	// Encrypt long-term private key to the unlocker
+	unlockerDir := passphraseUnlocker.GetDirectory()
+
+	// Read unlocker public key
+	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
+	if err != nil {
+		return fmt.Errorf("failed to read unlocker public key: %w", err)
+	}
+
+	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
+	if err != nil {
+		return fmt.Errorf("failed to parse unlocker public key: %w", err)
+	}
+
+	// Encrypt long-term private key to unlocker
+	// Use memguard to protect the private key in memory
+	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
+	defer ltPrivKeyBuffer.Destroy()
+
+	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
+	}
+
+	// Write encrypted long-term private key
+	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
+	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
+		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
+	}
 
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")