An SSH Agent Powered by Secure Enclave

Unlock your SSH keys via Touch ID 💻 or your Apple Watch ⌚️.

Let the hardware Secure Enclave built into your computer handle SSH key management for you. The Secure Enclave generates and stores your SSH keys and performs every cryptographic operation with them, so the private key never leaves the enclave.

Advantages
  • Your private keys are generated and stored inside the Secure Enclave and can never be read out of it.
  • Your keys cannot be used without authentication (via Touch ID or your Apple Watch).
  • All cryptographic operations are done within the Secure Enclave.
  • Provides two-factor authentication (2FA) for SSH: possession of the machine plus Touch ID or your Apple Watch.
Features
  • Authenticate using Touch ID 💻.
  • Authenticate using an Apple Watch ⌚️.
  • Modern shell support (including fish 🐟, and shell auto-completion).
  • Supports multiple SSH keys.
  • Works alongside the original ssh-agent.
  • Uses CryptoKit for cryptographic operations.
Limitations
  • Only computers with a Secure Enclave are supported.
  • Existing keys cannot be imported.
  • Only supports 256-bit elliptic curve keys.
  • Compatible with macOS starting with Catalina (10.15+).

Usage

Secure Agent provides a command line tool named secure-agent.

It behaves like ssh-agent, except that key management is handled by the Secure Enclave.

Create a key

$ secure-agent generate github
key 'github' was generated

This creates a new key named "github".

Export a key

$ secure-agent export github
ecdsa-sha2-nistp256 p1baAeVXysC2IKgrJU9lsseJER1roZs/nEAW9D3gjVyXN+ukLAzEMyk=

This prints the public key, which you can register on GitHub or on your servers. The private key never leaves the Secure Enclave, so the public key is the only part you ever handle.
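A check worth running on that exported line before registering it, added here as an example and not part of secure-agent: it parses the OpenSSH public-key wire format (RFC 5656: the key type string, the curve identifier, and the uncompressed point Q), confirms the key is the P-256 ECDSA type the agent produces (the only type it supports), and computes the SHA256 fingerprint that `ssh-keygen -l` and GitHub display, so the two can be compared. The sample key line is constructed inside the block with filler coordinates (the line printed above is abbreviated), and every function name is the example's own.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def build_sample_key_line() -> str:
    """Constructed sample in the format `secure-agent export` prints.

    The 64 coordinate bytes are synthetic filler, not a real point on P-256;
    this example checks the wire framing, not the curve arithmetic.
    """
    point = b"\x04" + bytes(range(1, 65))  # uncompressed SEC1 point: 0x04 || X || Y
    blob = (_ssh_string(b"ecdsa-sha2-nistp256")
            + _ssh_string(b"nistp256")
            + _ssh_string(point))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()


def build_unsupported_key_line() -> str:
    """Constructed ssh-ed25519 line (32 filler bytes) that the check must reject."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def _read_string(buf: bytes, offset: int):
    """Read one length-prefixed string from buf, returning (value, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + n > len(buf):
        raise ValueError("truncated string field")
    return buf[offset:offset + n], offset + n


def parse_ecdsa_public_key(line: str) -> dict:
    """Parse an OpenSSH public key line and require a P-256 ECDSA key."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError

    # RFC 5656 3.1: string "ecdsa-sha2-[identifier]", string [identifier], string Q
    inner_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    q, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after public key blob")
    if key_type != "ecdsa-sha2-nistp256" or inner_type != key_type.encode():
        raise ValueError(f"unsupported key type {key_type!r}")
    if curve != b"nistp256":
        raise ValueError(f"unsupported curve {curve!r}")
    # P-256 uncompressed point: 0x04 followed by 32-byte X and 32-byte Y
    if len(q) != 65 or q[0] != 0x04:
        raise ValueError("public point is not an uncompressed 65-byte P-256 point")

    # OpenSSH fingerprint: SHA-256 over the raw blob, base64 without '=' padding
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "curve": curve.decode(),
        "x": q[1:33].hex(),
        "y": q[33:].hex(),
        "fingerprint": "SHA256:" + digest,
        "comment": comment,
    }


def is_enclave_compatible(line: str) -> bool:
    """True only for well-formed ecdsa-sha2-nistp256 lines, the type this agent exports."""
    try:
        parse_ecdsa_public_key(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (build_sample_key_line(), build_unsupported_key_line()):
        if is_enclave_compatible(candidate):
            print("ok     ", parse_ecdsa_public_key(candidate)["fingerprint"])
        else:
            print("reject ", candidate.split()[0])
```

Pipe the real `secure-agent export github` output into `parse_ecdsa_public_key` and compare the fingerprint with the one GitHub shows under the registered key; a mismatch means the wrong key was pasted.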

Delete a key

$ secure-agent delete github
key 'github' was deleted

This deletes the key named "github".

Specify a key per host

First, export the public half of the key you wish to use for that host:

$ secure-agent export github > ~/.ssh/github.pub

Then configure your SSH client to use the agent and only offer that key:

$ nano ~/.ssh/config
Host github.com
    IdentityAgent $SECURE_AGENT_SOCK
    IdentityFile ~/.ssh/github.pub
    IdentitiesOnly yes

Run the agent manually

$ secure-agent daemon
set -x SSH_AUTH_SOCK /var/folders/hc/q66vt_l21qqk0ly17xf80gn/T/agent.17389;
set -x SSH_AGENT_PID 17389;

The daemon subcommand behaves like ssh-agent, so you can drop it into your shell configuration as-is. The agent also runs as a macOS service without any configuration.