Store SSH keys in the Secure Enclave
Go to file
Max Goedjen 4ab3783a15
Switch to Xcode 13.1 (#254)
* Update release.yml

* Update test.yml
2021-11-07 20:24:42 +00:00
.github Switch to Xcode 13.1 (#254) 2021-11-07 20:24:42 +00:00
Brief Build with Xcode 13 (#226) 2021-09-23 04:10:04 +00:00
BriefTests Build with Xcode 13 (#226) 2021-09-23 04:10:04 +00:00
Config Fix broken updater check (#145) 2020-09-22 00:17:22 -07:00
SecretAgent Add internet access policy (#199) 2021-01-17 15:59:35 -08:00
SecretAgentKit Restore changes for Big Sur images. (#160) 2020-11-11 15:32:28 -08:00
SecretAgentKitTests Build with Xcode 13 (#226) 2021-09-23 04:10:04 +00:00
Secretive Embed detail in scrollview (#241) 2021-09-25 22:12:35 +00:00
Secretive.xcodeproj Add option to rename keys/secrets (#216) 2021-05-31 23:20:38 -07:00
SecretiveTests MIT licensing notices 2020-03-19 21:36:25 -07:00
SecretKit Add option to rename keys/secrets (#216) 2021-05-31 23:20:38 -07:00
SecretKitTests Add support for SHA256 fingerprints (#198) 2021-01-17 16:16:38 -08:00
.gitignore Update for Big Sur & SwiftUI 2 (#128) 2020-09-21 23:12:50 -07:00
APP_CONFIG.md Update APP_CONFIG.md with configuration for Cyberduck (#243) 2021-10-19 03:14:29 +00:00
CODE_OF_CONDUCT.md Add CoC 2020-03-14 21:31:45 -07:00
CONTRIBUTING.md . (#221) 2021-06-01 00:21:58 -07:00
FAQ.md Update FAQ.md (#176) 2020-11-25 16:00:04 -08:00
Icon.sketch Update readme assets for design changes (#204) 2021-01-18 18:12:19 -08:00
LICENSE Initial commit 2020-02-18 19:34:46 -08:00
README.md brew cask install is deprecated (#192) 2021-01-17 13:37:30 -08:00
SECURITY.md Create SECURITY.md (#123) 2020-07-12 15:14:40 -07:00

Secretive Test Release

Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app.

Screenshot of Secretive

Why?

Safer Storage

The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you store your keys in the Secure Enclave, it's impossible to export them, by design.

Access Control

If your Mac has a Secure Enclave, it also has support for strong access controls like Touch ID, or authentication with Apple Watch. You can configure your key so that they require Touch ID (or Watch) authentication before they're accessed.

Screenshot of Secretive authenticating with Touch ID

Notifications

Secretive also notifies you whenever your keys are accessed, so you're never caught off guard.

Screenshot of Secretive notifying the user

Support for Smart Cards Too!

For Macs without Secure Enclaves, you can configure a Smart Card (such as a YubiKey) and use it for signing as well.

Getting Started

Installation

Direct Download

You can download the latest release over on the Releases Page

Using Homebrew

brew install secretive

FAQ

There's a FAQ here.

Auditable Build Process

Builds are produced by GitHub Actions with an auditable build and release generation process. Each build has a "Document SHAs" step, which will output SHA checksums for the build produced by the GitHub Action, so you can verify that the source code for a given build corresponds to any given release.

A Note Around Code Signing and Keychains

While Secretive uses the Secure Enclave for key storage, it still relies on Keychain APIs to access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.

Backups and Transfers to New Machines

Because secrets in the Secure Enclave are not exportable, they are not able to be backed up, and you will not be able to transfer them to a new machine. If you get a new Mac, just create a new set of secrets specific to that Mac.

Security

If you discover any vulnerabilities in this project, please notify max.goedjen@gmail.com with the subject containing "SECRETIVE SECURITY."