enrollment

package
v0.1.4
Published: Apr 22, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package enrollment contains the shared logic for enrolling providers and building a cryptkey profile. Both the TUI and simple CLI modes use this.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildProfile

func BuildProfile(profileName string, threshold int, enrollments []Enrollment) error

BuildProfile takes completed enrollments, generates a master key, splits it via Shamir, encrypts shares, computes the integrity HMAC, and saves the profile.

func NonInteractiveWarning

func NonInteractiveWarning(threshold int, enrollments []Enrollment) string

NonInteractiveWarning checks whether the threshold can be met entirely by non-interactive providers (e.g., tpm, ssh-agent) — meaning the key could be derived without any human interaction. Returns a warning message or "".

func RecoveryWarning

func RecoveryWarning(threshold int, enrollments []Enrollment) string

RecoveryWarning checks whether the enrolled providers have enough non-hardware providers (passphrase, recovery) to meet the threshold in the event of total hardware loss. Returns a warning message or "".
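The two threshold checks above, NonInteractiveWarning and RecoveryWarning, as an added example that is not the package's own code: it classifies providers by name (a constructed table standing in for the real provider.Provider, which this page does not show) and compares the number of shares each class holds against the threshold. Because every enrollment holds one Shamir share, counting enrollments of a class is counting shares.

```go
package main

import "fmt"

// Provider classes named on this page; anything unlisted is treated as interactive
// and hardware-backed (conservative for both checks). Assumed, not the real provider.Provider.
var (
	nonInteractive = map[string]bool{"tpm": true, "ssh-agent": true}
	nonHardware    = map[string]bool{"passphrase": true, "recovery": true}
)

// countWhere returns how many enrolled providers fall in the given class.
// Each enrollment holds exactly one Shamir share, so this is a share count.
func countWhere(providers []string, class map[string]bool) int {
	n := 0
	for _, p := range providers {
		if class[p] {
			n++
		}
	}
	return n
}

// nonInteractiveWarning mirrors NonInteractiveWarning: if the non-interactive
// shares alone reach the threshold, the master key can be reconstructed with
// no human present.
func nonInteractiveWarning(threshold int, providers []string) string {
	if n := countWhere(providers, nonInteractive); n >= threshold {
		return fmt.Sprintf("%d non-interactive share(s) meet threshold %d: key derivable without human interaction", n, threshold)
	}
	return ""
}

// recoveryWarning mirrors RecoveryWarning: if the non-hardware shares alone
// cannot reach the threshold, losing every hardware device loses the key.
func recoveryWarning(threshold int, providers []string) string {
	if n := countWhere(providers, nonHardware); n < threshold {
		return fmt.Sprintf("only %d non-hardware share(s) for threshold %d: unrecoverable after total hardware loss", n, threshold)
	}
	return ""
}

func main() {
	// Constructed 2-of-3 profile: a TPM, an ssh-agent key and a passphrase.
	providers := []string{"tpm", "ssh-agent", "passphrase"}
	fmt.Printf("non-interactive: %q\n", nonInteractiveWarning(2, providers))
	fmt.Printf("recovery:        %q\n", recoveryWarning(2, providers))
}
```

The constructed profile triggers both warnings: two non-interactive shares satisfy a threshold of 2, and only one non-hardware share exists to survive loss of the TPM.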

func WriteProfile

func WriteProfile(profileName string, threshold int, masterKey, outputSalt []byte, enrollments []Enrollment) error

WriteProfile builds and atomically writes a profile using the supplied master key and output salt instead of generating them. It splits the master key via Shamir across the given enrollments, encrypts each share with the corresponding provider secret, computes the integrity HMAC, and saves.

Used by both BuildProfile (which provides random K and salt) and the rekey command (which preserves the existing K and salt so already-derived output keys remain valid). The caller retains ownership of masterKey and outputSalt; this function does not wipe them.

Types

type Enrollment

type Enrollment struct {
	Provider provider.Provider
	ID       string
	Secret   []byte
	Params   map[string]string
	Message  string // optional message to display after enrollment
}

Enrollment holds the result of enrolling a single provider.

func EnrollProvider

func EnrollProvider(ctx context.Context, p provider.Provider, id string) (*Enrollment, error)

EnrollProvider runs enrollment for a single provider and returns the result.
