Initial implementation of arca, a LUKS volume manager.

Go CLI using cobra with mount, unmount, status, and init subcommands.
Unlocks via udisks2 D-Bus (passphrase/keyfile) or cryptsetup (FIDO2/TPM2)
with ordered method fallback. Includes NixOS-specific LD_LIBRARY_PATH
injection for systemd cryptsetup token plugins.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/udisks/encrypt.go

@@ -0,0 +1,43 @@
+package udisks
+
+import (
+	"fmt"
+
+	"github.com/godbus/dbus/v5"
+)
+
+// Unlock unlocks a LUKS device with a passphrase and returns the cleartext device.
+func (c *Client) Unlock(dev *BlockDevice, passphrase string) (*BlockDevice, error) {
+	obj := c.conn.Object(busName, dev.ObjectPath)
+
+	var cleartextPath dbus.ObjectPath
+	err := obj.Call(ifaceEncrypted+".Unlock", 0, passphrase, noOptions()).Store(&cleartextPath)
+	if err != nil {
+		return nil, fmt.Errorf("unlocking %s: %w", dev.DevicePath, err)
+	}
+
+	return c.DeviceAtPath(cleartextPath)
+}
+
+// UnlockWithKeyfile unlocks a LUKS device with keyfile contents.
+func (c *Client) UnlockWithKeyfile(dev *BlockDevice, keyContents []byte) (*BlockDevice, error) {
+	obj := c.conn.Object(busName, dev.ObjectPath)
+
+	options := map[string]dbus.Variant{
+		"keyfile_contents": dbus.MakeVariant(keyContents),
+	}
+
+	var cleartextPath dbus.ObjectPath
+	err := obj.Call(ifaceEncrypted+".Unlock", 0, "", options).Store(&cleartextPath)
+	if err != nil {
+		return nil, fmt.Errorf("unlocking %s with keyfile: %w", dev.DevicePath, err)
+	}
+
+	return c.DeviceAtPath(cleartextPath)
+}
+
+// Lock locks a LUKS device.
+func (c *Client) Lock(dev *BlockDevice) error {
+	obj := c.conn.Object(busName, dev.ObjectPath)
+	return obj.Call(ifaceEncrypted+".Lock", 0, noOptions()).Err
+}