Step 25: Real FIDO2 hardware key support.

HardwareFIDO2 implements FIDO2Device via go-libfido2 (CGo bindings to Yubico's libfido2). Gated behind //go:build fido2 tag to keep default builds CGo-free. Nix flake adds sgard-fido2 package variant. CLI changes: --fido2-pin flag, unlockDEK helper tries FIDO2 first, add-fido2/encrypt init --fido2 use real hardware, auto-unlock added to restore/checkpoint/diff for encrypted entries. Tested manually: add-fido2, add --encrypt, restore, checkpoint, diff all work with hardware FIDO2 key (touch-to-unlock, no passphrase). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 12:40:46 -07:00
parent 5529fff649
commit 490db0599c
17 changed files with 358 additions and 34 deletions
--- a/README.md
+++ b/README.md
@@ -224,6 +224,22 @@ is wrapped by a passphrase-derived key (Argon2id). FIDO2 hardware keys
 are also supported as an alternative KEK source — sgard tries FIDO2
 first and falls back to passphrase automatically.

+### FIDO2 hardware keys
+
+Build with `-tags fido2` (requires libfido2) to enable real hardware
+key support, or use `nix build .#sgard-fido2`:
+
+```sh
+# Register a FIDO2 key (touch required)
+sgard encrypt add-fido2
+
+# With a PIN-protected device
+sgard encrypt add-fido2 --fido2-pin 1234
+
+# Unlock is automatic — FIDO2 is tried first, passphrase as fallback
+sgard restore   # touch your key when prompted
+```
+
 The encryption config (wrapped DEKs, salts) lives in the manifest, so
 it syncs with push/pull. The server never has the DEK.