sc/sgard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Step 24: DEK rotation.

Browse Source 
RotateDEK generates a new DEK, re-encrypts all encrypted blobs, and
re-wraps with all existing KEK slots (passphrase + FIDO2). CLI wired
as `sgard encrypt rotate-dek`. 4 tests covering rotation, persistence,
FIDO2 re-wrap, and requires-unlock guard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-24 12:01:57 -07:00
parent 3fabd86150
commit 5529fff649
7 changed files with 428 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
PROJECT_PLAN.md
View File

@@ -246,9 +246,9 @@ Depends on Steps 17, 18.
### Step 24: DEK Rotation
- [ ] `garden/encrypt.go`: `RotateDEK(promptPassphrase func() (string, error)) error` — generate new DEK, re-encrypt all encrypted blobs, re-wrap with all existing KEK slots
- [ ] `cmd/sgard/encrypt.go`: `sgard encrypt rotate-dek`
- [ ] Tests: rotate DEK, verify all encrypted entries still decrypt correctly
- [x] `garden/encrypt.go`: `RotateDEK(promptPassphrase, fido2Device)` — generate new DEK, re-encrypt all encrypted blobs, re-wrap with all existing KEK slots
- [x] `cmd/sgard/encrypt.go`: `sgard encrypt rotate-dek`
- [x] Tests: rotate DEK, verify decryption, verify plaintext untouched, FIDO2 re-wrap, requires-unlock (4 tests)
### Step 25: Real FIDO2 Hardware Binding