Step 24: DEK rotation.

RotateDEK generates a new DEK, re-encrypts all encrypted blobs, and
re-wraps with all existing KEK slots (passphrase + FIDO2). CLI wired
as `sgard encrypt rotate-dek`. 4 tests covering rotation, persistence,
FIDO2 re-wrap, and requires-unlock guard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 12:01:57 -07:00
parent 3fabd86150
commit 5529fff649
7 changed files with 428 additions and 9 deletions


@@ -150,6 +150,7 @@ but doesn't touch its contents.
| `encrypt remove-slot <name>` | Remove a KEK slot |
| `encrypt list-slots` | List all KEK slots |
| `encrypt change-passphrase` | Change the passphrase |
| `encrypt rotate-dek` | Generate new DEK and re-encrypt all encrypted blobs |
| `add --encrypt <path>...` | Track files with encryption |
### Remote sync
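Review bot: the new `encrypt rotate-dek` row documents the re-encryption but not the two behaviours the commit message calls out, namely that rotation re-wraps the new DEK for every existing KEK slot (passphrase and FIDO2) and that it is guarded by a requires-unlock check, so a user reading only this table will not know the store must be unlocked first or that no slot is dropped by rotation. Suggest wording the row as `| `encrypt rotate-dek` | Generate new DEK, re-encrypt all encrypted blobs, re-wrap for every KEK slot (requires unlock) |`, and consider adding a blank line before the `### Remote sync` heading so the table is terminated cleanly in renderers that need it.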