kyle/arca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add config validation, remove command, status filtering, and unlock method display

Browse Source 
config check: validates UUID format, recognized methods, keyfile
consistency and existence. Reports all issues with alias context.

remove: deletes a device from config by alias. Inverse of add.

status: --mounted, --unlocked, --locked flags filter the device table.
Flags combine as OR.

mount/unlock: display which method succeeded and key slot used, e.g.
"(fido2, key slot 1)". cryptsetup Open now runs with -v and parses
"Key slot N unlocked" from stderr via io.MultiWriter.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-24 10:22:52 -07:00
parent ce10c41466
commit e9247c720a
9 changed files with 245 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
internal/unlock/unlock.go
View File

@@ -14,7 +14,9 @@ import (
// Result holds the outcome of a successful unlock.
type Result struct {
Device *udisks.BlockDevice
Privileged bool // true if unlock required root (cryptsetup path)
Privileged bool // true if unlock required root (cryptsetup path)
Method string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile"
KeySlot string // key slot used, from cryptsetup verbose output (or "")
}
// Options configures the unlock behavior.
@@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e
if err != nil {
return nil, err
}
return &Result{Device: ct, Privileged: false}, nil
return &Result{Device: ct, Privileged: false, Method: method}, nil
case "keyfile":
ct, err := u.unlockKeyfile(dev)
if err != nil {
return nil, err
}
return &Result{Device: ct, Privileged: false}, nil
return &Result{Device: ct, Privileged: false, Method: method}, nil
case "fido2", "tpm2":
ct, err := u.unlockCryptsetup(dev)
ct, openResult, err := u.unlockCryptsetup(dev)
if err != nil {
return nil, err
}
return &Result{Device: ct, Privileged: true}, nil
return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil
default:
return nil, fmt.Errorf("unknown unlock method: %s", method)
}
@@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice,
return u.client.UnlockWithKeyfile(dev, contents)
}
func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) {
func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) {
name := cryptsetup.MapperName(dev.DevicePath)
if err := cryptsetup.Open(dev.DevicePath, name); err != nil {
return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
openResult, err := cryptsetup.Open(dev.DevicePath, name)
if err != nil {
return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
}
// Wait for udisks2 to pick up the new dm device.
for i := 0; i < 10; i++ {
ct, err := u.client.CleartextDevice(dev)
if err == nil {
return ct, nil
return ct, openResult, nil
}
time.Sleep(200 * time.Millisecond)
}
return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
}