Native Secure Enclave backed SSH keys on macOS
11 hours ago
- #SSH
- #MacOS
- #Security
- macOS Tahoe can generate and use Secure Enclave backed SSH keys natively, replacing third-party projects like Secretive.
- The shared library `/usr/lib/ssh-keychain.dylib` now supports loading keys directly from the Secure Enclave when it is used as the `SecurityKeyProvider`.
- Create a Secure Enclave backed key that requires biometric authentication with `sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio`.
- List the created keys with `sc_auth list-ctk-identities`, or with `sc_auth list-ctk-identities -t ssh` to show their SSH fingerprints.
- Delete a key with `sc_auth delete-ctk-identity -h <Public Key Hash>`.
- Download the public/private key files for the enclave-backed keys with `ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""`; the private key file is only a handle that references the key resident in the Secure Enclave, so the secret itself never leaves the hardware.
- Use `ssh-copy-id -i id_ecdsa_sk_rk localhost` to copy the public key into the target's `authorized_keys`.
- Load the keys directly into `ssh-agent` with `ssh-add -K -S /usr/lib/ssh-keychain.dylib`.
- Configure `SecurityKeyProvider` in `~/.ssh/config`, or set `export SSH_SK_PROVIDER=/usr/lib/ssh-keychain.dylib` in `~/.zprofile` so that tools which do not read the ssh config also find the provider.
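The steps above scripted end to end, as an added example that is not part of the original post: it checks that the provider library exists before touching `sc_auth`, creates and loads the key, and idempotently adds the `SecurityKeyProvider` stanza to `~/.ssh/config`. The provider path and the `setup` argument are assumptions of this script, and the key-creation part only works on macOS Tahoe.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS Tahoe and the
# provider path below; the config helpers are portable and run anywhere.
PROVIDER=/usr/lib/ssh-keychain.dylib

# The provider library must exist before anything else makes sense.
require_provider() {
  [ -f "$1" ] || { echo "provider not found: $1 (needs macOS Tahoe)" >&2; return 1; }
}

# Count SecurityKeyProvider directives in an ssh config (0 if the file is missing).
count_provider_lines() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c "^[[:space:]]*SecurityKeyProvider[[:space:]]" "$1" || true
}

# Idempotently add a SecurityKeyProvider stanza to an ssh config file:
# appends "Host *" + the directive only when no directive is present yet.
ensure_ssh_config() {
  cfg=$1; provider=$2
  if grep -qs "^[[:space:]]*SecurityKeyProvider[[:space:]]" "$cfg"; then
    return 0
  fi
  printf 'Host *\n    SecurityKeyProvider %s\n' "$provider" >> "$cfg"
}

# Create a biometric-gated P-256 key in the Secure Enclave, write the key files
# (the private key file is only a handle; the secret stays in the enclave),
# load it into ssh-agent and show what sc_auth and the agent report.
setup_enclave_key() {
  require_provider "$PROVIDER" || return 1
  sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio || return 1
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  # ssh-keygen -K writes id_<type>_sk_rk* into the current directory.
  ( cd "$HOME/.ssh" && ssh-keygen -w "$PROVIDER" -K -N "" ) || return 1
  ssh-add -K -S "$PROVIDER" || return 1
  # The fingerprints listed by sc_auth should now also appear in the agent.
  sc_auth list-ctk-identities -t ssh
  ssh-add -l
  ensure_ssh_config "$HOME/.ssh/config" "$PROVIDER"
}

# Only run the macOS-specific part when explicitly asked: ./enclave-ssh.sh setup
if [ "${1:-}" = "setup" ]; then
  setup_enclave_key
fi
```

Run it with the `setup` argument on the Mac; the config is written last so that a failure in key creation leaves `~/.ssh/config` untouched.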