Diffstat (limited to 'actions')
-rw-r--r--actions/context.go2
-rw-r--r--actions/policy.go21
2 files changed, 22 insertions, 1 deletions
diff --git a/actions/context.go b/actions/context.go
index 8bf0287..fb25b54 100644
--- a/actions/context.go
+++ b/actions/context.go
@@ -44,7 +44,7 @@ var (
ErrBadConfigFile = errors.New("global config file has invalid data")
ErrConfigFileExists = errors.New("global config file already exists")
ErrBadConfig = errors.New("invalid Config structure provided")
- ErrLocked = errors.New("method needs a call to Unlock() first")
+ ErrLocked = errors.New("key needs to be unlocked first")
)
// Context contains the necessary global state to perform most of fscrypt's
diff --git a/actions/policy.go b/actions/policy.go
index 0d0ed02..1291e6b 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -248,6 +248,27 @@ func (policy *Policy) Unlock(optionFn OptionFunc, keyFn KeyFunc) error {
return err
}
+// UnlockWithProtector uses an unlocked Protector to unlock a policy. An error
+// is returned if the Protector is not yet unlocked or does not protect the
+// policy. Does nothing if policy is already unlocked.
+func (policy *Policy) UnlockWithProtector(protector *Protector) error {
+ if policy.key != nil {
+ return nil
+ }
+ if protector.key == nil {
+ return ErrLocked
+ }
+ idx, ok := policy.findWrappedKeyIndex(protector.Descriptor())
+ if !ok {
+ return ErrNotProtected
+ }
+
+ var err error
+ wrappedPolicyKey := policy.data.WrappedPolicyKeys[idx].WrappedKey
+ policy.key, err = crypto.Unwrap(protector.key, wrappedPolicyKey)
+ return err
+}
+
// Lock wipes a Policy's internal Key. It should always be called after using a
// Policy. This is often done with a defer statement. There is no effect if
// called multiple times.
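Review bot: In UnlockWithProtector the early `return nil` for `policy.key != nil` runs before either protector check, so a nil result does not show that this protector is unlocked or that it protects the policy. Callers must not treat success as an authorization result, and the doc comment should say so, e.g. `// A nil return for an already-unlocked policy does not verify the protector.` The `protector` argument is also dereferenced without a nil check, so a nil pointer panics at `protector.key`; `if protector == nil || protector.key == nil { return ErrLocked }` would avoid that. If crypto.Unwrap can return a non-nil key together with an error (not visible in this hunk), `policy.key` would stay set after a failed unwrap and later calls would take the already-unlocked path; unwrapping into a local and assigning `policy.key` only when `err == nil` rules that out.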