Native Secure Enclave-Based SSH Keys on macOS
Apple's macOS Tahoe can generate and use SSH keys backed by the Secure Enclave with nothing but the tools that ship with the OS, removing the need for third-party agents such as Secretive. The integration reuses an existing shared library, /usr/lib/ssh-keychain.dylib, which historically provided smart-card support to OpenSSH through the PKCS11Provider interface. The library now also implements the SecurityKeyProvider interface, the same plug-in interface OpenSSH uses for FIDO2 authenticators such as YubiKeys, so ssh, ssh-keygen and ssh-add talk to the Secure Enclave exactly as they would to an external security key: the private key never leaves the enclave, and what lands on disk is only a key handle.
Creating Secure Enclave-backed SSH Keys
To create a key inside the Secure Enclave whose use is gated on Touch ID, run (-k p-256-ne selects a P-256 key generated in the enclave; -t bio ties its access control to Touch ID; -l ssh is the label the identity is stored under):
% sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio
Touch ID is prompted during creation. Confirm the identity exists with:
% sc_auth list-ctk-identities
The SSH view of the same listing prints the key's fingerprint, which you can later compare against ssh-keygen -lf on the downloaded public key to confirm the handle really points at this enclave key:
% sc_auth list-ctk-identities -t ssh
Identities are removed with sc_auth delete-ctk-identity; -h prints its usage, including how to name the identity to delete:
% sc_auth delete-ctk-identity -h
Using Keys with SSH
The key pair can be “downloaded” from the Secure Enclave via:
% ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""
Note: You may be prompted for Touch ID. This writes id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub into the current directory. The "private" file holds only a handle to the FIDO credential and contains no secret material: someone who copies it still needs this Mac and your fingerprint to sign anything (ssh still expects it at mode 600). The public key has type sk-ecdsa-sha2-nistp256@openssh.com, so the server side needs an OpenSSH that understands security-key types (8.2 or later). ssh does not look for the _rk file name by default, so keep it in ~/.ssh and name it with -i (or an IdentityFile directive). Copy the public key to the target's authorized keys and connect:
% ssh-copy-id -i id_ecdsa_sk_rk localhost
% ssh -o SecurityKeyProvider=/usr/lib/ssh-keychain.dylib -i id_ecdsa_sk_rk localhost
Integrating with SSH Agent
Alternatively, load the resident key into ssh-agent straight from the provider:
% ssh-add -K -S /usr/lib/ssh-keychain.dylib
The agent then holds only the key handle and calls the provider (and therefore Touch ID) for every signature, so there are no key files to manage and clients see it as any other agent key. ssh-agent only loads providers on its allow list (see ssh-agent -P); the default list covers /usr/lib*/*, which includes this path. For the file-based flow you can set the provider once in the environment: ssh-keygen and ssh-add read it, and ssh's SecurityKeyProvider option defaults to $SSH_SK_PROVIDER, so the -o option above becomes unnecessary:
export SSH_SK_PROVIDER=/usr/lib/ssh-keychain.dylib
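The steps above (create the identity, download the handle, wire it into ssh, or hand it to the agent) collected into one script, as an added example that is not code from the original post or from Apple. It uses only the sc_auth, ssh-keygen, ssh-add and ssh-copy-id invocations documented above and adds two checks a practitioner wants before trusting the key: that the downloaded public key is the security-key ECDSA type (not a plain software key that happened to be in the directory), and a side-by-side print of the enclave's fingerprint and the downloaded key's fingerprint for comparison. The label ssh, the file name ~/.ssh/id_ecdsa_sk_rk that ssh-keygen -K writes for the default application, and localhost as the target are assumptions taken from the post, not requirements.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): wraps the post's
# sc_auth / ssh-keygen / ssh-add steps into functions and adds sanity checks.
# Assumptions: label "ssh", file ~/.ssh/id_ecdsa_sk_rk (what ssh-keygen -K
# writes for the default "ssh:" application), target host "localhost".

PROVIDER=/usr/lib/ssh-keychain.dylib
KEY_LABEL=ssh
KEY_DIR="$HOME/.ssh"
KEY_FILE="$KEY_DIR/id_ecdsa_sk_rk"

# 1. Generate a P-256 key inside the Secure Enclave, gated on Touch ID.
create_identity() {
    sc_auth create-ctk-identity -l "$KEY_LABEL" -k p-256-ne -t bio
}

# 2. Download the resident-key handle and public key into ~/.ssh.
#    The "private" file is only a handle; the secret stays in the enclave.
download_handle() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    (cd "$KEY_DIR" && ssh-keygen -w "$PROVIDER" -K -N "")
    chmod 600 "$KEY_FILE"
}

# 3. Accept only the FIDO/security-key ECDSA type. A plain
#    ecdsa-sha2-nistp256 line would mean a software key slipped in.
#    Takes one public-key line; the first space-separated field is the type.
is_se_backed_pubkey() {
    [ "${1%% *}" = "sk-ecdsa-sha2-nistp256@openssh.com" ]
}

# 4. Cross-check: the fingerprint sc_auth reports for the enclave identity
#    must match what ssh-keygen computes from the downloaded .pub.
show_fingerprints() {
    sc_auth list-ctk-identities -t ssh
    ssh-keygen -lf "$KEY_FILE.pub"
}

# 5. Pin provider and identity per host so ssh does not try other keys first.
ssh_config_stanza() {
    cat <<EOF
Host $1
    SecurityKeyProvider $PROVIDER
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
EOF
}

# 6. Agent route: the agent keeps the handle and calls the provider per use.
add_to_agent() {
    ssh-add -K -S "$PROVIDER"
}

# Usage: ./se-ssh.sh setup [host]   or   ./se-ssh.sh agent
case "${1:-}" in
    setup)
        create_identity
        download_handle
        is_se_backed_pubkey "$(cat "$KEY_FILE.pub")" \
            || { echo "unexpected key type in $KEY_FILE.pub" >&2; exit 1; }
        show_fingerprints
        ssh_config_stanza "${2:-localhost}" >> "$KEY_DIR/config"
        ssh-copy-id -i "$KEY_FILE" "${2:-localhost}"
        ;;
    agent)
        add_to_agent
        ;;
esac
```

With no argument the script only defines its functions, so it can be sourced; `setup` runs the whole file-based flow (two Touch ID prompts, one at creation and one at download), and `agent` takes the ssh-add route instead. IdentitiesOnly yes in the generated stanza matters when an agent already holds several keys: without it ssh offers each of them before the enclave key.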
Exportable Keys
A fallback option generates the private key in software and stores it encrypted under a Secure Enclave key, instead of generating it inside the enclave, so the key can be exported rather than being bound to one device. The trade-off is real: decrypting it still requires this Mac's enclave, but the private key exists in plaintext in process memory whenever it is used, so it lacks the non-exportability guarantee of an enclave-generated key. Prefer the enclave-generated form unless you specifically need to move the key.
Conclusion
macOS Tahoe’s support for Secure Enclave-backed SSH keys enhances security and usability, providing seamless biometric authentication and hardware-backed cryptography integrated directly into the operating system’s native tools.
FAQs
Q: Can I use Touch ID as an SSH key authenticator on macOS?
A: Yes. With an identity created using -t bio, the private key lives in the Secure Enclave and every use of it is gated on Touch ID.
Q: Do I need third-party tools to generate Secure Enclave-backed SSH keys?
A: No. On macOS Tahoe, sc_auth together with the stock ssh, ssh-keygen and ssh-add (pointed at /usr/lib/ssh-keychain.dylib) generate and manage these keys without additional software.
Q: How secure are Secure Enclave-backed SSH keys?
A: The private key is generated in, and never leaves, the Secure Enclave; what sits on disk or in ssh-agent is only a handle, and each signature requires Touch ID. The remaining risk is a compromised host requesting a signature at the moment you approve one, so Touch ID prompts that you did not initiate should be declined.
