Unlock your SSH keys via Touch ID 💻 or your Apple Watch ⌚️.
Let the hardware Secure Enclave built into your computer handle SSH key management for you. The Secure Enclave generates, stores and performs encryption/decryption operations around your SSH keys.
- Your private keys are stored in the Secure Enclave and cannot be accessed.
- Your keys cannot be used without authentication (via Touch ID or your Apple Watch).
- All cryptographic operations are done within the Secure Enclave.
- Provides two factor authentication (2FA) for SSH.
- Authenticate using Touch ID 💻.
- Authenticate using an Apple Watch ⌚️.
- Modern shell support (including fish 🐟, and shell auto-completion).
- Supports multiple SSH keys.
- Works alongside the original ssh-agent.
- Uses CryptoKit for cryptographic operations.
- Only computers with a Secure Enclave are supported.
- Existing keys cannot be imported.
- Only supports 256-bit elliptic curve keys.
- Compatible with macOS starting with Catalina (10.15+)
Secure Agent provides a command line tool named secure-agent.
It behaves like ssh-agent with the exception of the key management, which is done via the Secure Enclave.
Create a key
$ secure-agent generate github key 'github' was generated
This creates a new key named "github".
Export a key
$ secure-agent export github ecdsa-sha2-nistp256 p1baAeVXysC2IKgrJU9lsseJER1roZs/nEAW9D3gjVyXN+ukLAzEMyk=
This exports the public key you can use to register your key in github or on your servers.
Delete a key
$ secure-agent delete github key 'github' was deleted
This deletes the key named "github".
Specify a key per host
First, export the key you wish to use
$ secure-agent export github > ~/.ssh/github.pub
Finally, configure your ssh client.
$ nano ~/.ssh/config Host github.com IdentityAgent $SECURE_AGENT_SOCK IdentityFile ~/.ssh/github.pub IdentitiesOnly yes
Run the agent manually
$ secure-agent daemon set -x SSH_AUTH_SOCK /var/folders/hc/q66vt_l21qqk0ly17xf80gn/T/agent.17389; set -x SSH_AGENT_PID 17389;
The daemon subcommand behaves like ssh-agent so you can easily drop it in your shell configuration as is. The agent will also run as a macOS service without any configuration needed.