HardwareFIDO2 implements FIDO2Device via go-libfido2 (CGo bindings to Yubico's libfido2). Gated behind //go:build fido2 tag to keep default builds CGo-free. Nix flake adds sgard-fido2 package variant. CLI changes: --fido2-pin flag, unlockDEK helper tries FIDO2 first, add-fido2/encrypt init --fido2 use real hardware, auto-unlock added to restore/checkpoint/diff for encrypted entries. Tested manually: add-fido2, add --encrypt, restore, checkpoint, diff all work with hardware FIDO2 key (touch-to-unlock, no passphrase). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
package main
import "github.com/kisom/sgard/garden"
// fido2PinFlag is the PIN string that unlockDEK passes to
// garden.DetectHardwareFIDO2. Its zero value is the empty string.
// NOTE(review): presumably bound to the --fido2-pin CLI flag elsewhere in
// this package — confirm where it is registered.
// A PIN supplied as a command-line argument can be captured in shell history
// and is visible in process listings for the lifetime of the command; an
// interactive, non-echoing prompt avoids both exposures.
var fido2PinFlag string
// unlockDEK unlocks the garden's DEK. It asks the garden package to detect a
// hardware FIDO2 device using the PIN held in fido2PinFlag, then passes both
// the detection result and the promptPassphrase callback to g.UnlockDEK and
// returns that call's error unchanged.
//
// The intended order is FIDO2 hardware first (if available) with the
// passphrase as the fallback; that decision is made inside g.UnlockDEK, not
// in this helper.
//
// NOTE(review): if DetectHardwareFIDO2 returns a nil concrete pointer when no
// device is present, confirm UnlockDEK still treats it as "no device" — a
// typed nil stored in an interface parameter does not compare equal to nil.
func unlockDEK(g *garden.Garden) error {
	authenticator := garden.DetectHardwareFIDO2(fido2PinFlag)

	return g.UnlockDEK(promptPassphrase, authenticator)
}