secret/internal/secret/seunlocker_stub.go
sneak 4adeeae1db Add Secure Enclave unlocker for hardware-backed secret protection
Adds a new "secure-enclave" unlocker type that stores the vault's
long-term private key encrypted by a non-exportable P-256 key held
in the Secure Enclave hardware. Decryption (ECDH) is performed
inside the SE; the key never leaves the hardware.

Uses CryptoTokenKit identities created via sc_auth, which allows
SE access from unsigned binaries without Apple Developer Program
membership. ECIES (X963SHA256 + AES-GCM) handles encryption and
decryption through Security.framework.

New package internal/macse/ provides the CGo bridge to
Security.framework for SE key creation, ECIES encrypt/decrypt,
and key deletion. The SE unlocker directly encrypts the vault
long-term key (no intermediate age keypair).
2026-03-11 06:17:34 +07:00


//go:build !darwin
// +build !darwin
package secret
import (
	"errors"

	"filippo.io/age"
	"github.com/spf13/afero"
)
// SecureEnclaveUnlockerMetadata is a stub for non-Darwin platforms.
//
// It carries the Secure Enclave specific fields alongside the generic
// UnlockerMetadata so that vault metadata written on macOS can still be
// decoded here. NOTE(review): presumably this mirrors the Darwin type
// field-for-field and tag-for-tag; confirm, since a mismatch would make the
// JSON shape depend on the build platform.
type SecureEnclaveUnlockerMetadata struct {
	UnlockerMetadata
	// SEKeyLabel — NOTE(review): presumably the label of the SE-held key
	// (the commit mentions CryptoTokenKit identities); confirm against the
	// Darwin implementation.
	SEKeyLabel string `json:"seKeyLabel"`
	// SEKeyHash — NOTE(review): presumably a digest identifying the SE key;
	// confirm against the Darwin implementation.
	SEKeyHash string `json:"seKeyHash"`
}
// SecureEnclaveUnlocker is a stub for non-Darwin platforms.
//
// The fields exist only so the type has the same shape on every platform;
// none of them is read on this platform, because the Secure Enclave key the
// unlocker wraps is reachable only through Security.framework on macOS.
type SecureEnclaveUnlocker struct {
	Directory string
	// Metadata is the generic unlocker metadata. NOTE(review): the stub uses
	// UnlockerMetadata rather than SecureEnclaveUnlockerMetadata — confirm
	// this matches the Darwin type so both builds expose the same fields.
	Metadata UnlockerMetadata
	fs       afero.Fs
}
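// GetIdentity reports that Secure Enclave unlockers are unavailable on
// non-Darwin platforms.
//
// It returns a nil identity and a descriptive error rather than panicking:
// the Security.framework bridge that would perform the ECDH inside the
// Secure Enclave does not exist here, and an error lets a caller that walks a
// vault's unlockers skip this one and try the remaining ones instead of
// aborting the whole process.
func (s *SecureEnclaveUnlocker) GetIdentity() (*age.X25519Identity, error) {
	return nil, errors.New("secure enclave unlockers are only supported on macOS")
}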
// GetType panics on non-Darwin platforms.
//
// The signature has no error result, so an unsupported-platform condition
// cannot be reported any other way; the Secure Enclave backing this unlocker
// type is only reachable on macOS.
func (s *SecureEnclaveUnlocker) GetType() string {
	panic("secure enclave unlockers are only supported on macOS")
}
// GetMetadata panics on non-Darwin platforms.
//
// The signature has no error result, so an unsupported-platform condition
// cannot be reported any other way. The stored Metadata field is never
// returned here.
func (s *SecureEnclaveUnlocker) GetMetadata() UnlockerMetadata {
	panic("secure enclave unlockers are only supported on macOS")
}
// GetDirectory panics on non-Darwin platforms.
//
// The signature has no error result, so an unsupported-platform condition
// cannot be reported any other way. The Directory field is never returned
// here.
func (s *SecureEnclaveUnlocker) GetDirectory() string {
	panic("secure enclave unlockers are only supported on macOS")
}
// GetID panics on non-Darwin platforms.
//
// The signature has no error result, so an unsupported-platform condition
// cannot be reported any other way.
func (s *SecureEnclaveUnlocker) GetID() string {
	panic("secure enclave unlockers are only supported on macOS")
}
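// Remove reports that Secure Enclave unlockers are unavailable on non-Darwin
// platforms.
//
// Nothing is deleted. The non-exportable key this unlocker wraps lives in the
// Secure Enclave of the macOS host that created it and can only be deleted
// through Security.framework there, so the caller must not treat the unlocker
// as removed when this error is returned. An error is preferred over a panic
// so that callers can report the condition and continue.
func (s *SecureEnclaveUnlocker) Remove() error {
	return errors.New("secure enclave unlockers are only supported on macOS")
}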
// NewSecureEnclaveUnlocker panics on non-Darwin platforms.
//
// The constructor has no error result and returning a nil *SecureEnclaveUnlocker
// would only defer the failure to the first method call, so the unsupported
// platform is reported by panicking here, at the point of construction.
// The filesystem, directory and metadata arguments are ignored.
func NewSecureEnclaveUnlocker(_ afero.Fs, _ string, _ UnlockerMetadata) *SecureEnclaveUnlocker {
	panic("secure enclave unlockers are only supported on macOS")
}
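// CreateSecureEnclaveUnlocker reports that Secure Enclave unlockers cannot be
// created on non-Darwin platforms.
//
// No key material or metadata is produced: creating the P-256 key requires the
// Secure Enclave and Security.framework, neither of which exists here. The
// signature already has an error result, so the condition is returned rather
// than panicked, letting the caller show a clear message and exit cleanly
// when this unlocker type is requested on an unsupported OS. The filesystem
// and directory arguments are ignored.
func CreateSecureEnclaveUnlocker(_ afero.Fs, _ string) (*SecureEnclaveUnlocker, error) {
	return nil, errors.New("secure enclave unlockers are only supported on macOS")
}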