Add unlock and lock commands for decrypt-only operations

unlock: decrypts a LUKS volume without mounting. Idempotent — reports
existing cleartext device if already unlocked.

lock: locks a LUKS volume. If mounted, unmounts first (udisks2 with
privileged fallback) then locks. Idempotent — reports if already locked.

Both commands support alias completion and config resolution.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/add.go

@@ -0,0 +1,87 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"git.wntrmute.dev/kyle/arca/internal/udisks"
+	"github.com/spf13/cobra"
+)
+
+var addAlias string
+
+var addCmd = &cobra.Command{
+	Use:   "add <device>",
+	Short: "Add a device to the config",
+	Long:  "Detects a LUKS device via udisks2 and adds it to the config file with a default passphrase method.",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runAdd,
+}
+
+func init() {
+	addCmd.Flags().StringVarP(&addAlias, "alias", "a", "", "alias name (default: first 8 chars of UUID)")
+	rootCmd.AddCommand(addCmd)
+}
+
+func runAdd(cmd *cobra.Command, args []string) error {
+	target := args[0]
+
+	client, err := udisks.NewClient()
+	if err != nil {
+		return fmt.Errorf("connecting to udisks2: %w", err)
+	}
+	defer client.Close()
+
+	// Find the device to get its UUID.
+	dev, err := client.FindDevice("", target)
+	if err != nil {
+		return err
+	}
+
+	if !dev.HasEncrypted {
+		return fmt.Errorf("%s is not a LUKS-encrypted device", target)
+	}
+
+	if dev.UUID == "" {
+		return fmt.Errorf("%s has no UUID", target)
+	}
+
+	cfg := config.Load()
+
+	// Check if already configured.
+	if existing := cfg.AliasFor(dev.UUID); existing != "" {
+		fmt.Printf("Device %s (UUID %s) already configured as %q\n", dev.DevicePath, dev.UUID, existing)
+		return nil
+	}
+
+	alias := addAlias
+	if alias == "" {
+		alias = aliasFromUUID(dev.UUID)
+	}
+
+	// Check for alias collision.
+	if _, exists := cfg.Devices[alias]; exists {
+		return fmt.Errorf("alias %q already in use — choose a different name with --alias", alias)
+	}
+
+	cfg.Devices[alias] = config.DeviceConfig{
+		UUID:    dev.UUID,
+		Methods: []string{"passphrase"},
+	}
+
+	if err := cfg.Save(); err != nil {
+		return fmt.Errorf("saving config: %w", err)
+	}
+
+	fmt.Printf("Added %s (UUID %s) as %q\n", dev.DevicePath, dev.UUID, alias)
+	return nil
+}
+
+func aliasFromUUID(uuid string) string {
+	clean := strings.ReplaceAll(uuid, "-", "")
+	if len(clean) > 8 {
+		clean = clean[:8]
+	}
+	return clean
+}

cmd/init.go

@@ -3,18 +3,17 @@ package cmd
 import (
 	"fmt"
 	"os"
-	"path/filepath"
-	"strings"
-
 
 	"git.wntrmute.dev/kyle/arca/internal/config"
 	"git.wntrmute.dev/kyle/arca/internal/udisks"
 	"github.com/godbus/dbus/v5"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v3"
 )
 
-var forceInit bool
+var (
+	forceInit bool
+	mergeInit bool
+)
 
 var initCmd = &cobra.Command{
 	Use:   "init",
@@ -25,17 +24,26 @@ var initCmd = &cobra.Command{
 
 func init() {
 	initCmd.Flags().BoolVarP(&forceInit, "force", "f", false, "overwrite existing config file")
+	initCmd.Flags().BoolVar(&mergeInit, "merge", false, "add new devices to existing config without overwriting")
+	initCmd.MarkFlagsMutuallyExclusive("force", "merge")
 	rootCmd.AddCommand(initCmd)
 }
 
 func runInit(cmd *cobra.Command, args []string) error {
 	cfgPath := config.Path()
 
+	// Load existing config for merge, or start fresh.
+	var cfg *config.Config
+	if mergeInit {
+		cfg = config.Load()
+	} else {
 		if !forceInit {
 			if _, err := os.Stat(cfgPath); err == nil {
-			return fmt.Errorf("config already exists at %s (use --force to overwrite)", cfgPath)
+				return fmt.Errorf("config already exists at %s (use --force to overwrite or --merge to add new devices)", cfgPath)
 			}
 		}
+		cfg = &config.Config{Devices: make(map[string]config.DeviceConfig)}
+	}
 
 	client, err := udisks.NewClient()
 	if err != nil {
@@ -53,43 +61,42 @@ func runInit(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("detecting root device: %w", err)
 	}
 
-	cfg := config.Config{
+	added := 0
-		Devices: make(map[string]config.DeviceConfig),
-	}
-
 	for _, dev := range encrypted {
 		if isRootBacking(dev.ObjectPath, rootBacking) {
 			fmt.Fprintf(os.Stderr, "Skipping %s (root filesystem)\n", dev.DevicePath)
 			continue
 		}
 
+		if cfg.HasUUID(dev.UUID) {
+			fmt.Fprintf(os.Stderr, "Skipping %s (already configured)\n", dev.DevicePath)
+			continue
+		}
+
 		alias := aliasFromUUID(dev.UUID)
 		cfg.Devices[alias] = config.DeviceConfig{
 			UUID:    dev.UUID,
 			Methods: []string{"passphrase"},
 		}
 		fmt.Fprintf(os.Stderr, "Found %s (UUID %s) -> alias %q\n", dev.DevicePath, dev.UUID, alias)
+		added++
 	}
 
-	if len(cfg.Devices) == 0 {
+	if added == 0 && !mergeInit {
 		fmt.Println("No non-root LUKS devices found.")
 		return nil
 	}
 
-	data, err := yaml.Marshal(&cfg)
+	if added == 0 && mergeInit {
-	if err != nil {
+		fmt.Println("No new devices to add.")
-		return fmt.Errorf("marshaling config: %w", err)
+		return nil
 	}
 
-	if err := os.MkdirAll(filepath.Dir(cfgPath), 0o755); err != nil {
+	if err := cfg.Save(); err != nil {
-		return fmt.Errorf("creating config directory: %w", err)
+		return fmt.Errorf("saving config: %w", err)
 	}
 
-	if err := os.WriteFile(cfgPath, data, 0o644); err != nil {
+	fmt.Printf("Config written to %s (%d device(s) added)\n", cfgPath, added)
-		return fmt.Errorf("writing config: %w", err)
-	}
-
-	fmt.Printf("Config written to %s\n", cfgPath)
 	return nil
 }
 
@@ -101,13 +108,3 @@ func isRootBacking(path dbus.ObjectPath, rootDevices []dbus.ObjectPath) bool {
 	}
 	return false
 }
-
-func aliasFromUUID(uuid string) string {
-	// Use first 8 chars of UUID as a stable alias.
-	// "b8b2f8e3-4cde-4aca-a96e-df9274019f9f" -> "b8b2f8e3"
-	clean := strings.ReplaceAll(uuid, "-", "")
-	if len(clean) > 8 {
-		clean = clean[:8]
-	}
-	return clean
-}

cmd/lock.go

@@ -0,0 +1,68 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
+	"git.wntrmute.dev/kyle/arca/internal/udisks"
+	"github.com/spf13/cobra"
+)
+
+var lockCmd = &cobra.Command{
+	Use:               "lock <device|alias>",
+	Short:             "Lock a LUKS volume without unmounting",
+	Long:              "Locks (closes) a LUKS volume. If the volume is mounted, it will be unmounted first.",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runLock,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(lockCmd)
+}
+
+func runLock(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+	target := args[0]
+
+	client, err := udisks.NewClient()
+	if err != nil {
+		return fmt.Errorf("connecting to udisks2: %w", err)
+	}
+	defer client.Close()
+
+	devCfg := cfg.ResolveDevice(target)
+
+	dev, err := client.FindDevice(devCfg.UUID, target)
+	if err != nil {
+		return err
+	}
+
+	// Check if already locked.
+	cleartext, err := client.CleartextDevice(dev)
+	if err != nil {
+		fmt.Fprintf(cmd.ErrOrStderr(), "%s is already locked\n", target)
+		return nil
+	}
+
+	// If mounted, unmount first — can't lock a mounted device.
+	if mp, mounted := client.IsMounted(cleartext); mounted {
+		if err := client.Unmount(cleartext); err != nil {
+			if err := cryptsetup.Unmount(mp); err != nil {
+				return fmt.Errorf("unmounting before lock: %w", err)
+			}
+		}
+	}
+
+	// Lock: try udisks2 first, fall back to cryptsetup close.
+	if err := client.Lock(dev); err != nil {
+		mapperName := cryptsetup.MapperName(dev.DevicePath)
+		if err := cryptsetup.Close(mapperName); err != nil {
+			return fmt.Errorf("locking: %w", err)
+		}
+	}
+
+	fmt.Printf("Locked %s\n", target)
+	return nil
+}

cmd/mount.go

@@ -3,11 +3,13 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"git.wntrmute.dev/kyle/arca/internal/config"
 	"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
 	"git.wntrmute.dev/kyle/arca/internal/udisks"
 	"git.wntrmute.dev/kyle/arca/internal/unlock"
+	"git.wntrmute.dev/kyle/arca/internal/verbose"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
@@ -57,7 +59,18 @@ func runMount(cmd *cobra.Command, args []string) error {
 			fmt.Println(existing)
 			return nil
 		}
-		// Unlocked but not mounted — just mount it.
+		// Unlocked but not mounted — mount it. If the mapper name
+		// indicates arca opened it via cryptsetup (privileged path),
+		// use privileged mount since udisks2 won't authorize it.
+		if isPrivilegedMapping(dev) {
+			verbose.Printf("detected arca-managed mapping, using privileged mount")
+			mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
+			if err != nil {
+				return fmt.Errorf("mounting: %w", err)
+			}
+			fmt.Println(mnt)
+			return nil
+		}
 		return doMount(client, cleartext, mp)
 	}
 
@@ -105,6 +118,14 @@ func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) er
 	return nil
 }
 
+// isPrivilegedMapping checks if a LUKS device was opened via arca's
+// cryptsetup path by checking if the expected mapper name exists.
+func isPrivilegedMapping(dev *udisks.BlockDevice) bool {
+	expected := cryptsetup.MapperName(dev.DevicePath)
+	_, err := os.Stat("/dev/mapper/" + expected)
+	return err == nil && strings.HasPrefix(expected, "arca-")
+}
+
 func readPassphrase() (string, error) {
 	fmt.Fprint(os.Stderr, "Passphrase: ")
 	pass, err := term.ReadPassword(int(os.Stdin.Fd()))

cmd/unlock.go

@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"git.wntrmute.dev/kyle/arca/internal/udisks"
+	"git.wntrmute.dev/kyle/arca/internal/unlock"
+	"github.com/spf13/cobra"
+)
+
+var unlockCmd = &cobra.Command{
+	Use:               "unlock <device|alias>",
+	Short:             "Unlock a LUKS volume without mounting",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runUnlock,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(unlockCmd)
+}
+
+func runUnlock(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+	target := args[0]
+
+	client, err := udisks.NewClient()
+	if err != nil {
+		return fmt.Errorf("connecting to udisks2: %w", err)
+	}
+	defer client.Close()
+
+	devCfg := cfg.ResolveDevice(target)
+
+	dev, err := client.FindDevice(devCfg.UUID, target)
+	if err != nil {
+		return err
+	}
+
+	// Check if already unlocked.
+	if cleartext, err := client.CleartextDevice(dev); err == nil {
+		fmt.Printf("%s is already unlocked (%s)\n", target, cleartext.DevicePath)
+		return nil
+	}
+
+	u := unlock.New(client, unlock.Options{
+		ReadPassphrase: readPassphrase,
+		KeyfilePath:    devCfg.Keyfile,
+	})
+
+	result, err := u.Unlock(dev, devCfg.Methods)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Unlocked %s -> %s\n", target, result.Device.DevicePath)
+	return nil
+}

flake.nix

@@ -10,7 +10,7 @@
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
-      version = "1.1.0";
+      version = "1.2.0";
     in
     {
       packages.${system}.default = pkgs.buildGoModule {

internal/config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 
@@ -76,6 +77,31 @@ func resolvedFrom(dev DeviceConfig) ResolvedDevice {
 	}
 }
 
+// HasUUID returns true if a device with the given UUID is already configured.
+func (c *Config) HasUUID(uuid string) bool {
+	for _, dev := range c.Devices {
+		if dev.UUID == uuid {
+			return true
+		}
+	}
+	return false
+}
+
+// Save writes the config to the config file.
+func (c *Config) Save() error {
+	path := configPath()
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		return fmt.Errorf("creating config directory: %w", err)
+	}
+
+	data, err := yaml.Marshal(c)
+	if err != nil {
+		return fmt.Errorf("marshaling config: %w", err)
+	}
+
+	return os.WriteFile(path, data, 0o644)
+}
+
 // AliasFor returns the config alias for a given UUID, or "" if none.
 func (c *Config) AliasFor(uuid string) string {
 	for name, dev := range c.Devices {

internal/cryptsetup/cryptsetup.go

@@ -64,7 +64,8 @@ func Mount(devicePath, mountpoint string) (string, error) {
 	return mountpoint, nil
 }
 
-// Unmount unmounts the given mountpoint using privileged umount.
+// Unmount unmounts the given mountpoint using privileged umount, then
+// removes the mount directory if it is empty.
 func Unmount(mountpoint string) error {
 	args := withPrivilege([]string{"umount", mountpoint})
 	cmd := exec.Command(args[0], args[1:]...)
@@ -73,6 +74,12 @@ func Unmount(mountpoint string) error {
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("umount %s: %w", mountpoint, err)
 	}
+
+	// Clean up empty mount directory. Best-effort — ignore errors
+	// (directory may not be empty or may be a system path).
+	rmdirArgs := withPrivilege([]string{"rmdir", mountpoint})
+	exec.Command(rmdirArgs[0], rmdirArgs[1:]...).Run()
+
 	return nil
 }