As far as I aware you can't actually do 100% of crypto needed for SSH auth inside the SEP itself. Might be I missed something, but I tried to find a way before and there was none. This would obviously be most secure.

What you can do though is use Secure Enclave powered app for storing and managing access to the keys. So basically app like "secretive" run on your normal OS, but isolated and only it can access keys, use them and there no export function even with admin privileges.

AFAIK this will fail if there is a local root exploit on macOS, but still much better than keeping keys in plain text.

▲

cyberax 3 days ago | parent [-]

You can generate and store your private SSH key in the secure enclave, there's even an SSH agent that does that for you: https://github.com/maxgoedjen/secretive

But that's it.

Anything more complicated is not possible. You can't even upload your existing key into the SE.

▲

SXX 3 days ago | parent [-]

AFAIK "secretive" SSH agent is not actually running inside SEP when it using the keys. So when keys are actively used they are exposed in main OS RAM and only protected by macOS security model (so are safe unless there is jailbreak / actual root exploit).

So "secretive" and similar software is not as secure as let's say hardware token.

If I'm wrong please correct me, but when I researched the topic I come to this conclusion.

▲

cyberax 2 days ago | parent [-]

Ah, I see that Secretive is a victim of feature creep. I think it still can use the SE to store the private key, but it also has more ways to do it.

This is the initial inspiration for Secretive: https://github.com/sekey/sekey - it uses the SE to generate and store the actual private key, so it never leaves the machine. Hence its limitations.

	▲	SXX 9 hours ago \| parent [-]
		Again - I could be really wrong about Secretive. Sadly their documentation dont make it very clear and I myself don't have enough time to actually to go read the code and figure out how it works exactly.