feat: fingerprint unlock (Linux/fprintd, off by default)#48
Merged
Conversation
`vault unlock --fingerprint` (and a TUI unlock-screen mode) re-unlock the keyring-held session after a fingerprint verified over D-Bus to the system `fprintd`, instead of re-typing the master password. This builds on the opt-in `agent.session_keyring`: a fingerprint yields only match/no-match, never key material, so it *gates the resume* of the key already in the kernel session keyring rather than wrapping a key at rest. With `agent.fingerprint_unlock` on, the agent no longer silently auto-resumes (it waits for a verified touch), idle-lock zeroises the in-memory key but KEEPS the keyring entry so a touch works after a timeout (lifetime `agent.fingerprint_ttl_secs`), and a manual `vault lock` still clears it. Verification happens inside the agent so a client can't bypass it over the socket; enrollment stays OS-level (`fprintd-enroll`) — Vault stores no template. Posture (PRD §7.3): the keyring entry is possessor-gated, so this is convenience + user-presence, NOT a cryptographic boundary beyond `session_keyring`, and strictly weaker than a master-password unlock. Default off, Linux-only, behind a new off-by-default `fingerprint` cargo feature (zbus). - vault-ipc: `Request::UnlockFingerprint` + `FingerprintUnavailable`/`Failed` - vault-config: `agent.fingerprint_unlock` / `fingerprint_ttl_secs` + spawn flags - vault-agent: fprintd zbus client (`fingerprint.rs`), dispatch, idle-lock/resume gating, `resume_from_keyring` helper - vault-cli: `vault unlock --fingerprint` - vault-tui: unlock-screen fingerprint mode (Tab cycles password/PIN/fingerprint) - docs/fingerprint.md, PRD §7.3, CHANGELOG, `just fingerprint` Tests cover config round-trip + flags, the resume gate, and the TUI mode/request. Full `just ci` green (clippy `--all-features` incl. the feature; deny/audit clean with zbus). Verified live: CLI fingerprint unlock against a real reader. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
vault unlock --fingerprint(and a TUI unlock-screen mode) re-unlock the keyring-held session after a fingerprint verified over D-Bus to the systemfprintd, instead of re-typing the master password.Design & posture
A fingerprint yields only match/no-match, never key material — so this can't cryptographically wrap a key at rest (that needs TPM2/FIDO2, out of scope). It instead gates the resume of the key already held in the kernel session keyring (the opt-in
agent.session_keyring). Withagent.fingerprint_unlockon:agent.fingerprint_ttl_secs);vault lockstill clears the keyring (master password required after);fprintd-enroll) — Vault stores no template.Posture (documented in PRD §7.3 +
docs/fingerprint.md): the keyring entry is possessor-gated, so fingerprint unlock is convenience + user-presence, not a cryptographic boundary stronger thansession_keyring, and strictly weaker than a master-password unlock. Default off, Linux-only, behind a new off-by-defaultfingerprintcargo feature (pullszbus).Surface
vault-ipc:Request::UnlockFingerprint+FingerprintUnavailable/FingerprintFailedvault-config:agent.fingerprint_unlock/agent.fingerprint_ttl_secs(+ auto-spawn flags)vault-agent: fprintd zbus client (src/fingerprint.rs, feature-gated), dispatch, idle-lock/resume gating,unlock::resume_from_keyringvault-cli:vault unlock --fingerprintvault-tui: unlock-screen fingerprint mode (Tabcycles password → PIN → fingerprint)docs/fingerprint.md, PRD §7.3, CHANGELOG,just fingerprintVerification
Full
just cigreen — clippy--all-featurescompiles + lints thefingerprint/zbus code;cargo deny/cargo auditclean against the zbus tree. New tests cover the config keys + spawn flags, the resume gate, and the TUI mode/request. Live-verified:vault unlock --fingerprintagainst a real reader (Synaptics, enrolled finger) — master-password unlock →stop-agent→ touch re-unlocks; manualvault lockthen correctly reports "no resumable session".Gracefully reports "unavailable" (→ master-password fallback) when the feature is off, non-Linux, no reader/
fprintd/enrolled finger, an inactive/SSH session, or no live keyring session.🤖 Generated with Claude Code