Documentation
Overview
Package enrollment contains the shared logic for enrolling providers and building a cryptkey profile. Both the TUI and simple CLI modes use this.
Index
- func BuildProfile(profileName string, threshold int, enrollments []Enrollment) error
- func NonInteractiveWarning(threshold int, enrollments []Enrollment) string
- func RecoveryWarning(threshold int, enrollments []Enrollment) string
- func WriteProfile(profileName string, threshold int, masterKey, outputSalt []byte, ...) error
- type Enrollment
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildProfile
func BuildProfile(profileName string, threshold int, enrollments []Enrollment) error
BuildProfile takes completed enrollments, generates a master key, splits it via Shamir, encrypts shares, computes the integrity HMAC, and saves the profile.
func NonInteractiveWarning
func NonInteractiveWarning(threshold int, enrollments []Enrollment) string
NonInteractiveWarning checks whether the threshold can be met entirely by non-interactive providers (e.g., tpm, ssh-agent) — meaning the key could be derived without any human interaction. Returns a warning message or "".
func RecoveryWarning
func RecoveryWarning(threshold int, enrollments []Enrollment) string
RecoveryWarning checks whether the enrolled providers have enough non-hardware providers (passphrase, recovery) to meet the threshold in the event of total hardware loss. Returns a warning message or "".
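Both warnings reduce to counting enrolled providers by two properties: whether a provider can release its secret with nobody present, and whether it is tied to hardware that can be lost. The Go below is an added example, not code from the enrollment package: ProviderKind, idsWhere and SampleEnrollments are hypothetical stand-ins (the page does not show the provider.Provider interface), and classifying ssh-agent as non-hardware is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// ProviderKind is a hypothetical stand-in for provider.Provider, whose interface
// this page does not show; the two flags are what the warning checks look at.
type ProviderKind struct {
	Name           string
	NonInteractive bool // releases its secret with nobody present (tpm, ssh-agent)
	Hardware       bool // bound to a physical device that can be lost (tpm)
}

// Enrollment keeps only the fields the warning checks need.
type Enrollment struct {
	Provider ProviderKind
	ID       string
}

// idsWhere returns the IDs of enrollments whose provider satisfies keep.
func idsWhere(es []Enrollment, keep func(ProviderKind) bool) []string {
	var out []string
	for _, e := range es {
		if keep(e.Provider) {
			out = append(out, e.ID)
		}
	}
	return out
}

// NonInteractiveWarning fires when non-interactive providers alone reach the
// threshold: the key could then be derived with no human in the loop.
func NonInteractiveWarning(threshold int, es []Enrollment) string {
	auto := idsWhere(es, func(p ProviderKind) bool { return p.NonInteractive })
	if len(auto) < threshold {
		return ""
	}
	return fmt.Sprintf("threshold %d can be met by non-interactive providers alone (%s): "+
		"the key can be derived unattended on this machine", threshold, strings.Join(auto, ", "))
}

// RecoveryWarning fires when the providers left after total hardware loss
// cannot reach the threshold: the profile would then be unrecoverable.
func RecoveryWarning(threshold int, es []Enrollment) string {
	soft := idsWhere(es, func(p ProviderKind) bool { return !p.Hardware })
	if len(soft) >= threshold {
		return ""
	}
	return fmt.Sprintf("only %d non-hardware provider(s) (%s) for threshold %d: "+
		"losing all hardware would make the profile unrecoverable",
		len(soft), strings.Join(soft, ", "), threshold)
}

// SampleEnrollments is a constructed set using the provider names this page
// mentions; classifying ssh-agent as non-hardware is an assumption.
func SampleEnrollments() []Enrollment {
	return []Enrollment{
		{ProviderKind{"tpm", true, true}, "tpm"},
		{ProviderKind{"ssh-agent", true, false}, "ssh-agent"},
		{ProviderKind{"passphrase", false, false}, "passphrase"},
		{ProviderKind{"recovery", false, false}, "recovery"},
	}
}

func main() {
	es := SampleEnrollments()
	for _, th := range []int{2, 3, 4} {
		fmt.Printf("threshold %d\n  non-interactive: %q\n  recovery: %q\n",
			th, NonInteractiveWarning(th, es), RecoveryWarning(th, es))
	}
}
```

With the sample set, threshold 2 triggers only the non-interactive warning (tpm plus ssh-agent suffice unattended), threshold 3 triggers neither, and threshold 4 triggers only the recovery warning (three non-hardware providers cannot reach it). The two checks pull in opposite directions, which is why both are reported rather than one being folded into the other.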
func WriteProfile
func WriteProfile(profileName string, threshold int, masterKey, outputSalt []byte, enrollments []Enrollment) error
WriteProfile builds and atomically writes a profile using the supplied master key and output salt instead of generating them. It splits the master key via Shamir across the given enrollments, encrypts each share with the corresponding provider secret, computes the integrity HMAC, and saves the profile.
Used by both BuildProfile (which supplies a freshly generated master key K and salt) and the rekey command (which preserves the existing K and salt so already-derived output keys remain valid). The caller retains ownership of masterKey and outputSalt; this function does not wipe them.
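The split step and the reason rekey can keep K and the salt are easier to see in code. The following Go is an added example, not code from the enrollment package: it implements a Shamir split and recombination over GF(2^8) for any threshold and provider count, plus a stand-in outputKey KDF (the page does not name the real one, so HMAC-SHA256 keyed with the salt is an assumption). gfMul, split, combine, outputKey and RekeyKeepsOutputKey are hypothetical names; share encryption and the profile HMAC are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial 0x11b.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
	}
	return p
}

// split makes n shares of secret such that any k reconstruct it: every byte gets
// its own random degree k-1 polynomial (constant term = the byte) and share i
// holds the evaluations at x = i+1, so the share index doubles as x-coordinate.
func split(secret []byte, k, n int) ([][]byte, error) {
	if k < 1 || n < k || n > 255 {
		return nil, fmt.Errorf("need 1 <= threshold(%d) <= providers(%d) <= 255", k, n)
	}
	shares := make([][]byte, n)
	coef := make([]byte, k)
	for _, s := range secret {
		coef[0] = s
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			var y byte
			for d := k - 1; d >= 0; d-- { // Horner evaluation at x = i+1
				y = gfMul(y, byte(i+1)) ^ coef[d]
			}
			shares[i] = append(shares[i], y)
		}
	}
	return shares, nil
}

// combine interpolates at x = 0 from exactly k shares; xs[i] is the x of ys[i].
func combine(xs []byte, ys [][]byte) []byte {
	out := make([]byte, len(ys[0]))
	for j := range out {
		for i, xi := range xs {
			num, den := byte(1), byte(1) // Lagrange basis: prod x_m / prod (x_i - x_m)
			for m, xm := range xs {
				if m != i {
					num, den = gfMul(num, xm), gfMul(den, xi^xm)
				}
			}
			inv := byte(1) // den^254 == den^-1 in GF(2^8)
			for t := 0; t < 254; t++ {
				inv = gfMul(inv, den)
			}
			out[j] ^= gfMul(ys[i][j], gfMul(num, inv))
		}
	}
	return out
}

// outputKey stands in for the real output-key KDF, which the page does not name.
func outputKey(k, salt []byte, purpose string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(k)
	m.Write([]byte(purpose))
	return m.Sum(nil)
}

// RekeyKeepsOutputKey re-splits the same K and salt over a different provider
// set and reports whether the output key derived after recombination is unchanged.
func RekeyKeepsOutputKey() (bool, error) {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		return false, err
	}
	k, salt := buf[:32], buf[32:] // what BuildProfile would generate once
	before := outputKey(k, salt, "output")
	old, err := split(k, 2, 3) // original profile: 3 providers, threshold 2
	if err != nil {
		return false, err
	}
	renewed, err := split(k, 2, 2) // after rekey: 2 new providers, same K and salt
	if err != nil {
		return false, err
	}
	kOld := combine([]byte{2, 3}, old[1:]) // providers 2 and 3 answered
	kNew := combine([]byte{1, 2}, renewed)
	return hmac.Equal(before, outputKey(kOld, salt, "output")) &&
		hmac.Equal(before, outputKey(kNew, salt, "output")), nil
}
```

Because every share is a point on a fresh random polynomial, the shares written by the rekeyed profile are unrelated to the old ones even though K is identical, so old provider secrets unwrap nothing useful. Fewer than k shares interpolate to unrelated bytes rather than failing loudly, which is why the real profile carries an integrity HMAC: the recombined K has to be checked before anything is derived from it. A persisted format must also store each share's x-coordinate next to the wrapped share, since combine needs it.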
Types
type Enrollment
type Enrollment struct {
	Provider provider.Provider
	ID       string
	Secret   []byte
	Params   map[string]string
	Message  string // optional message to display after enrollment
}
Enrollment holds the result of enrolling a single provider.
func EnrollProvider
EnrollProvider runs enrollment for a single provider and returns the result.