Step 19: Encryption CLI, slot management, proto updates.

CLI: sgard encrypt init [--fido2], add-fido2 [--label], remove-slot, list-slots, change-passphrase. sgard add --encrypt flag with passphrase prompt for DEK unlock. Garden: RemoveSlot (refuses last slot), ListSlots, ChangePassphrase (re-wraps DEK with new passphrase, fresh salt). Proto: ManifestEntry gains encrypted + plaintext_hash fields. New KekSlot and Encryption messages. Manifest gains encryption field. server/convert.go: full round-trip conversion for encryption section including KekSlot map. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 09:25:20 -07:00
parent 5bb65795c8
commit 76a53320c1
8 changed files with 661 additions and 125 deletions
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -7,7 +7,7 @@ ARCHITECTURE.md for design details.

 ## Current Status

-**Phase:** Phase 3 in progress. Steps 17–18 complete, ready for Step 19.
+**Phase:** Phase 3 in progress. Steps 17–19 complete, ready for Step 20.

 **Last updated:** 2026-03-24

@@ -42,7 +42,7 @@ ARCHITECTURE.md for design details.

 ## Up Next

-Step 19: Encryption CLI + Slot Management.
+Step 20: Encryption Polish + Release.

 ## Known Issues / Decisions Deferred

@@ -80,3 +80,4 @@ Step 19: Encryption CLI + Slot Management.
 | 2026-03-24 | — | Phase 3 encryption design: selective per-file encryption, KEK slots (passphrase + fido2/label), manifest-embedded config. |
 | 2026-03-24 | 17 | Encryption core: Argon2id KEK, XChaCha20 DEK wrap/unwrap, selective per-file encrypt in Add/Checkpoint/Restore/Diff/Status. 10 tests. |
 | 2026-03-24 | 18 | FIDO2: FIDO2Device interface, AddFIDO2Slot, unlock resolution (fido2 first → passphrase fallback), mock device, 6 tests. |
+| 2026-03-24 | 19 | Encryption CLI: encrypt init/add-fido2/remove-slot/list-slots/change-passphrase, --encrypt on add, proto + convert updates. |