- If I understand correctly, this means you can't back up the private key, correct? It's in the Secure Enclave, so if you lose your laptop, you also lose the key? Since it looks like export only really exports the public key not the private one?
Probably not the worst thing, you most likely have another way to get into the remote machine, or an admin who can reset you, but still feels like a hole.
Or am I missing something?
ps. It amuses me that my Mac won't let me type Secure Enclave without automatically capitalizing it.
Edit: I understand good security is having multiple keys, I was simply asking if this one can be backed up. OP answered below and is updating their webpage accordingly.
- Ok I wished for this kind of feature for years. I started using a yubikey with an ssh key via gpg ssh-agent in 2018 or 2019. When resident ssh keys came around I switched over to FIDO2 based keys on my yubikey. The main issue with both was the fact that the default ssh setup wasn’t working anymore. One needs extra configs and more commands to get to the public key etc. Yubikey’s are great but block an USB port. And then there is the age old question for me: One SSH key per User for all services? One key per machine for all services? Or one key per service?
This year I started to play around with the 1Password ssh-agent feature (bit warden has it as well as far as I know)
If you're ok with allowing all your keys being listed in the agent this works pretty easy out of the box.
I never liked the fact that the default recommended way to use ssh is to use an agent that just has multiple keys which can be tested one after another and in most cases stay unlocked there after first use for the rest of the session.
I configured around to make sure that I explicitly use one key for one specific service. But that is sadly extra configuration etc etc.
- This is a good moment to remind everyone of this excellent guide: https://github.com/drduh/YubiKey-Guide
it describes how to use your YubiKeys (please always use at least two, so that you have a backup) for GnuPG keys and SSH.
I've been using this setup since 2018 and it is brilliant. I know GnuPG is not in fashion these days, but thanks to this setup I have SSH logins using YubiKeys, encrypted backups using GnuPG, and 2-factor authentication for a number of sites that support Webauthn. All with backup keys, which is IMPORTANT: do not get locked into using a single device, because sooner or later you will lose that device or it will suddenly die.
- side note: It's interesting that the `sc_auth` CLI tool to create the SSH key, is just a bash script! It seems truly ancient, and has comments referencing mac OS Tiger (20+ years old) and non-existent files from old macOS. It calls out to '/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard' (not on PATH) to actually create the ssh key.
- Secretive is a bit friendlier to set up but I'll probably switch to this anyway so I have one less app on my computer.
Plugging my blog post for how to achieve this on Windows 11:
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/
- If you're willing to go a bit further you can also do GPG signing with ECDSA, though it requires a patched GPG due to bugs and a patched SSH agent that allows raw signing. We have a packaged version with a macOS UI [0], but the same backend [1] works on Linux using the tpm via PKCS#11.
We have a blog post on this, but I guess it was never made public, but the only difference between GPG and SSH is the way in which keys and signatures are wrapped and listed through the various layers -- it's all just fundamentally ECDSA with a named curve.
[0] https://github.com/KeetaNetwork/agent
[1] https://github.com/KeetaNetwork/agent/tree/main/Agent/gnupg/...
by redleader55
1 subcomments
- This exists: https://github.com/facebookincubator/sks.
It's a golang library that abstracts usage of ssh keys backed by hardware on all sorts of devices - mostly designed for laptops, but supports Linux, Windows and MacOs
by epistasis
1 subcomments
- Whoa, that is pretty cool.
I've been using Secretive for years, and prefer it to all the physical key/card based systems I've tried to get going over the years. I know exactly when my SSH key is used for any operation, because I need to hit a button or do a fingerprint scan. I can keep ssh-agent tunnels to remote boxes so that I can sign git commits remotely without having to worry about a rogue system getting complete access to key ops without me knowing what's going on.
However the Tahoe version of secretive is buggy and frequently locks up on initial key op requests. I don't have the bandwidth to debug it and file a bug report, and honesty I'm not sure I want to relearn all that knowledge of SSH to figure it out.
I think the smart card SSH UX is worse than secretive's, IIRC my past pain, but if it is reliable, worth a shot.
by adastra22
1 subcomments
- Is there a way to make the lifetime of the key last more than a year?
- How can I get such a key into my iPhone too, so that I can sign emails and file and such with the same private key when I'm on my phone, and my public key is valid for all such operations ? Will iCloud take care of that ? And then I want it all usable from my (multiple) email clients...
by jcalvinowens
1 subcomments
- Does the hardware only support the NIST curves? Or is that just the example that happens to be given?
by watermelon0
1 subcomments
- Does anybody know why 'p-384-ne' (instead of 'p-256-ne') cannot be used?
Key can be generated, but 'ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""' cannot find the key to export.
- Time to up my game and finish adding new features to KeyMux, which supports enclave keys for SSH, SSL, and PGP, including in mixed-use scenarios, such as secure enclave-backed SSL peer authentication to a Vault server for SSH authentication with a non-exportable Vault private key: https://keymux.com/ (https://apps.apple.com/us/app/keymux/id6448807557)
by procaryote
0 subcomment
- Oh, this is neat! I wonder if apple just added support for the secure enclave as a provider or if this might help fix the bad experience of yubikeys on the mac. Last time I tried it, the distributed ssh and ssh-agent didn't play well with security keys
- Fundamental services like DNS, which was designed as distributed going down was the cause last 2 outages and really need to think of alternatives methods to ensure resilience. Shift left, design better.
- Does anybody know if there is something similar for gpg keys? E.g. for commit signing?
That is, natively with the Secure Enclave, not exportable.
by daft_pink
1 subcomments
- Why would you want the private key file if you store it within the secure enclave?
- This is just so perfect. No longer a 3rd party glue and separate ssh agent is needed.
- This may be the thing to get me to upgrade to MacOS 26.
by traceroute66
0 subcomment
- Awesome.
Won't be ditching Yubikeys just yet but I can see a number of use-cases for this already.
by adastra22
1 subcomments
- I’m a bit confused as to why you can export the keys. Can someone explain this?
- The command is available on Sequoia too!
by burnt-resistor
1 subcomments
- This isn't such a great idea for personal SSH or GPG keys that should be locked away in physical hardware thing that need to be moved to other devices/machines. What security processors are great for is corporate machine, system/service, and user key management IdM/MDM processes that need secret storage.
Furthermore, with portable devices like Yubikey it's possible to create a master Certify-only GPG key where the sub Signature/Encryption/Authentication-subkeys live on the Yubikey. The encrypted C private key part with the S/E/A stubs still needs to be backed-up to some durable, versioned storage that isn't tied to one device.
Finally, use GPG for SSH. And definely avoid file-based SSH local private key management for wherever possible for anything substantial because it doesn't scale well.
- Its worth noting that this is the likely NSA backdoored curve under the hood and probably should not be used.
- It feels pretty good.
by WhereIsTheTruth
1 subcomments
- I would not trust it personally, specially since the Chip Security Act is looming
https://www.centerforcybersecuritypolicy.org/insights-and-re...
- nvm
- It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac. Nothing better that another way to make it even more painful and complicated, so that people will just store plain text keys to not be annoyed.
Hacker News