From 91ea660687b93dfa5d204558e62f8f96f098bb61 Mon Sep 17 00:00:00 2001
From: "Morgan J."
Date: Fri, 20 Mar 2026 03:17:37 +0900
Subject: [PATCH] add --change-pin to reseal with new password without re-enrolling

---
 src/main.rs | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/src/main.rs b/src/main.rs
index 910092a..4909197 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -37,6 +37,9 @@ struct Args {
 
 #[arg(long)]
 remove: bool,
+
+ #[arg(long)]
+ change_pin: bool,
 }
 
 fn user_hash(email: &str) -> String {
@@ -92,6 +95,35 @@ fn main() {
 return;
 }
 
+ if args.change_pin {
+ let uid = match store.find_key() {
+ Some(uid) => uid,
+ None => log::fatal("no enrolled key found"),
+ };
+
+ let old_pw = prompt(&format!("current {} password:", store.name()))
+ .unwrap_or_else(|| log::fatal("no password provided"));
+ let mut data = store
+ .load(&uid, &old_pw)
+ .unwrap_or_else(|e| log::fatal(&format!("unseal failed: {e}")));
+
+ let new_pw = prompt(&format!("new {} password:", store.name()))
+ .unwrap_or_else(|| log::fatal("no password provided"));
+ let new_pw2 = prompt(&format!("confirm {} password:", store.name()))
+ .unwrap_or_else(|| log::fatal("no password provided"));
+ if new_pw != new_pw2 {
+ log::fatal("passwords don't match");
+ }
+
+ store
+ .store(&uid, &data, &new_pw)
+ .unwrap_or_else(|e| log::fatal(&format!("seal failed: {e}")));
+ data.zeroize();
+ log::info("pin changed");
+ log::info("wiped key from memory");
+ return;
+ }
+
 if args.remove {
 let email = args
 .email
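Review bot: The unsealed key in `data` is wiped only on the success path of the `args.change_pin` block. The new-password `no password provided` exits, `passwords don't match` and `seal failed` all run after `store.load` has returned, and `log::fatal` appears to diverge (it is used as a `match` arm value), so `data.zeroize()` is never reached on those paths. Moving the two new-password prompts and the mismatch check above `store.load`, and zeroizing `data` before inspecting the result of `store.store`, closes them; the fence shows that order. `old_pw`, `new_pw` and `new_pw2` are never wiped, so `wiped key from memory` overstates what happened; if `prompt` returns a `String`, binding them `mut` and calling `.zeroize()` on them too would match the message. Whether `store.store` replaces the existing sealed blob atomically is not visible here and is worth confirming; `main` starts and ends outside this hunk.

```rust
        // … unchanged: find_key lookup and the old_pw prompt …
        // … moved above the load, otherwise unchanged: new_pw / new_pw2 prompts and the mismatch check …

        let mut data = store
            .load(&uid, &old_pw)
            .unwrap_or_else(|e| log::fatal(&format!("unseal failed: {e}")));

        // Wipe the plaintext key before looking at the seal result, so a
        // failed reseal cannot exit with the key still in memory.
        let sealed = store.store(&uid, &data, &new_pw);
        data.zeroize();
        if let Err(e) = sealed {
            log::fatal(&format!("seal failed: {e}"));
        }

        // … unchanged: info logging and return …
```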