Notes to Self

Alex Sokolsky's Notes on Computers and Programming

Using MacOS Secure Enclave with ssh

Sources:

Goal: generate and use secure-enclave backed SSH key.

Key Setup

Create a Secure Enclave backed key that requires biometric (Touch ID) verification to use:

sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio

Show the key (note that the key is valid for 1 year by default):

sc_auth list-ctk-identities

To delete the key:

sc_auth delete-ctk-identity -h <Public Key Hash>

Use in ssh

Bad Idea: copy the key to your hard drive

Retrieve the keys from the secure enclave:

ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""

This creates id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Move these into ~/.ssh.

But wait: why would you want to store these outside the Secure Enclave at all? Delete them from your file system as soon as possible. You CAN spread id_ecdsa_sk_rk.pub around, though.

Better Idea: feed the key from the secure enclave to ssh-agent

Add a key from the enclave to ssh-agent:

ssh-add -K -S /usr/lib/ssh-keychain.dylib

To list the public keys of all identities the agent holds:

ssh-add -L
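As an added example (not part of the original notes), the two checks below turn the "Bad Idea" and "Better Idea" sections into something you can run after setup: one counts the security-key backed identities in ssh-add -L output, the other reports whether an exported id_ecdsa_sk_rk handle file is still lying around on disk. It assumes OpenSSH's ssh-add -L format, where a resident security-key ECDSA key is listed with the type sk-ecdsa-sha2-nistp256@openssh.com; the sample agent listing is constructed for this example and contains placeholder key blobs, not real keys.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes OpenSSH's
# `ssh-add -L` output format: one "<type> <base64 blob> <comment>" line
# per identity, with Secure Enclave / security-key ECDSA keys shown as
# type "sk-ecdsa-sha2-nistp256@openssh.com".

# Sample `ssh-add -L` output, constructed for this example.
# The blobs are placeholders, not real keys.
SAMPLE_AGENT_LIST='ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_BLOB_ laptop-rsa
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh_PLACEHOLDER_BLOB_ enclave-key'

# count_sk_keys: read `ssh-add -L` output on stdin and print how many
# security-key (sk-) backed ECDSA identities the agent currently holds.
# Prints 0 (rather than failing) when there are none.
count_sk_keys() {
    grep -c '^sk-ecdsa-sha2-nistp256@openssh.com ' || true
}

# stray_key_files: check a directory (normally ~/.ssh) for the private
# handle file that `ssh-keygen -K` writes. The .pub half is fine to keep
# and share; the private handle should not linger once the key is in
# the agent. Returns 0 if the directory is clean, 1 if the file exists.
stray_key_files() {
    dir="$1"
    if [ -e "$dir/id_ecdsa_sk_rk" ]; then
        echo "stray resident-key handle found: $dir/id_ecdsa_sk_rk" >&2
        return 1
    fi
    return 0
}

# Usage on the constructed sample; on a real machine replace the
# printf with `ssh-add -L | count_sk_keys`.
printf '%s\n' "$SAMPLE_AGENT_LIST" | count_sk_keys   # prints 1
stray_key_files "${HOME}/.ssh" && echo "no stray id_ecdsa_sk_rk in ~/.ssh"
```

Run it after `ssh-add -K -S /usr/lib/ssh-keychain.dylib`: a count of 0 means the agent never picked up the enclave key, and a non-zero exit from stray_key_files means the exported handle from the "Bad Idea" section was never deleted.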