Secure Enclave is a hardware security engine in iDevices, which is able to handle ECC key pairs. The key pairs in the Secure Enclave will never be exported and are considered secure.
There are dozens of demo apps for it on GitHub:
SecureEnclaveCrypto
EllipticCurveKeyPair
......
Apple Documents
I don’t know if I understand you correctly, but I think we already do this. Keychain services APIs use Secure Enclave as a way to store data at rest and we have been using that since first version. We use a wrapper around Keychain APIs called UICKeyChainStore.
Closing here but let me know if you would like to see something else.
I think what's being asked here is to _generate_ the private key entirely within the Secure Enclave. A similar concept is available for desktop using SeKey as an SSH Agent.
Hi @omor1.
‘config’ -> ‘+’ -> ‘Create new’ will generate the private key and store it in Secure Enclave.
@yury -- I think what's being asked for is that the key be kept ENTIRELY in the secure enclave, which would make it non-exportable. Currently only ED25519 keys work for this. You can also set a flag on the key that it requires biometry to use.
Right now, if I generate a key, it would seem I have an option to "copy private key". If that option is a no-op, it should be grayed out.
https://medium.com/@alx.gridnev/ios-keychain-using-secure-enclave-stored-keys-8f7c81227f4
@carloscabanero That’s exactly what I mean.
Reading over this, I realize this wasn’t totally clear — this is a requirement to GENERATE the key in the secure enclave and mark it non-exportable.
The logic in doing so is that the key is forever tied to your device. If you have three devices you’re using blink on, it’s three keys, rather than one private key you’ve copied to all the places.
If you lose/wipe your device, that key is effectively destroyed because it cannot be copied off (and also, cannot have been copied ON, since using things like SEkey on the mac requires that the SE be the generator).
Even if you use your fingerprint, enroll someone else’s finger, etc., the MOST you can do is re-use the key. You can’t obtain it.
Hope that makes more sense.
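As an added example (not code from this thread or from the Blink project), here is the Swift key generation the posts above describe, using Apple's SecKey APIs on a physical device: the key is created with kSecAttrTokenIDSecureEnclave so the private half never leaves the Secure Enclave, the access control requires the current biometric enrollment, and a helper shows that exporting the private key is refused, which is the check a "copy private key" button should be gated on. The application tag is an assumed placeholder.

```swift
import Foundation
import Security

// Assumed application tag (constructed for this example).
let keyTag = "com.example.ssh.secure-enclave".data(using: .utf8)!

/// Generates a P-256 private key inside the Secure Enclave. Only a reference
/// to it is returned; the private scalar never leaves the SEP. Use of the key
/// requires the current biometric enrollment, so re-enrolling a finger
/// invalidates it rather than handing it to whoever enrolled.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never migrates via backup
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else { throw error!.takeRetainedValue() }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // keeps the key in the SEP
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

/// The check behind the "copy private key" question: the framework refuses to
/// produce an external representation of an SEP-resident private key, so a UI
/// should grey out export when this returns false.
func isExportable(_ key: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(key, &error) != nil
}

/// Signing (after the biometric prompt) is the only operation the key allows.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error) else {
        throw error!.takeRetainedValue()
    }
    return sig as Data
}

// Usage: the public half is what goes into authorized_keys on the server.
let key = try makeSecureEnclaveKey()
let publicKey = SecKeyCopyPublicKey(key)!
print("private key exportable:", isExportable(key))
```

This must run on a device rather than the simulator, since the simulator has no Secure Enclave.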
This would be great from a security point of view. Apparently, Termius supports it (https://docs.termius.com/termius-handbook/connecting-to-a-host/keychain/sep-secure-enclave-processor).