arianvanp an hour ago

Check out `man sc_auth`. There's also an exportable variant where the private key is encrypted using the secure enclave as opposed to generated on the secure enclave:

    % sc_auth create-ctk-identity -l ssh-exportable -k p-256 -t bio
    % sc_auth list-ctk-identities
    p-256    A581E5404ED157C4C73FFDBDFC1339E0D873FCAE bio  ssh-exportable ssh-exportable               23.11.26, 19:50 YES  
    % sc_auth export-ctk-identity -h A581E5404ED157C4C73FFDBDFC1339E0D873FCAE -f ssh-exportable.pem
    Enter a password which will be used to protect the exported items:
    Verify password:

You can then re-import it on another device:

    % sc_auth import-ctk-identities -f ssh-exportable.pem.p12 -t bio
    Enter PKCS12 file password:

I'll add this to the guide.
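Added example (not from the comment above or from Apple's tooling): before putting an exported backup in a safe, it is worth checking that the file is actually password-protected and actually restorable. The check below assumes, based on the `.p12` suffix and the "Enter PKCS12 file password" prompt shown above, that the export is a standard PKCS#12 container; since it cannot call `sc_auth`, it constructs a stand-in P-256 key in a password-protected PKCS#12 blob with the `cryptography` library and runs the same check against it. The function names `make_sample_backup` and `check_backup` are this example's own.

```python
# Added example: verify that an exported key backup is encrypted and restorable.
# Requires the third-party `cryptography` package.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12


def make_sample_backup(password: bytes) -> bytes:
    """Construct a stand-in for the exported file: a fresh P-256 key inside a
    password-protected PKCS#12 container. (Constructed locally for the example;
    the real export from sc_auth is assumed to be standard PKCS#12.)"""
    key = ec.generate_private_key(ec.SECP256R1())
    return pkcs12.serialize_key_and_certificates(
        name=b"ssh-exportable",
        key=key,
        cert=None,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def check_backup(data: bytes, password: bytes) -> dict:
    """Report the three things worth knowing about a backup before archiving it:
    does it refuse to open without a password, does it open with the password
    you intend to keep, and which curve is the key on."""
    result = {"requires_password": False, "loads_with_password": False, "curve": None}

    # An unencrypted container would load with no password at all.
    try:
        pkcs12.load_key_and_certificates(data, None)
    except ValueError:
        result["requires_password"] = True

    # The password you plan to keep must actually unlock the container.
    try:
        key, _cert, _chain = pkcs12.load_key_and_certificates(data, password)
    except ValueError:
        return result
    result["loads_with_password"] = True

    if isinstance(key, ec.EllipticCurvePrivateKey):
        result["curve"] = key.curve.name  # "secp256r1" is P-256
    return result


if __name__ == "__main__":
    # For a real file: check_backup(open("ssh-exportable.pem.p12", "rb").read(), pw)
    blob = make_sample_backup(b"example-export-password")
    print(check_backup(blob, b"example-export-password"))
```

A backup that reports `requires_password: False` should never be archived; one that reports `loads_with_password: False` is useless in the disaster-recovery scenario it was made for, so test it while the device that produced it is still available.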
rjdj377dhabsn 34 minutes ago

How is this method any different from encrypting the private key without any secure enclave?

Isn't it just using a password derived key?

arianvanp 23 minutes ago

The key is stored encrypted with a unique symmetric key that only your secure enclave knows until the point that you export it. It then re-encrypts it with the password.

Until you export it, it's just as strong as an enclave-generated one.

Obviously, don't keep the exported password-encrypted key around, and don't use a weak password for export.

gruez 20 minutes ago

>The key is stored encrypted with a unique symmetric key that only your secure enclave knows until the point that you export it. It then re-encrypts it with the password.

But what's the security benefit of this compared to having a keyfile? So far as I can tell from the commands you provided, there's no real difference, aside from a hacker having to modify their stealer script slightly.

arianvanp 11 minutes ago

Why is it more secure: a key file on disk is decrypted into memory every time you enter your passphrase. That means the key sits in plain text in the memory of ssh or ssh-agent, which means it's extractable by an attacker. An exportable key does all the signing inside the secure enclave and never exposes the decrypted key to OS memory.

The exported key you can keep in a safe for disaster recovery. You shouldn't keep it on your computer of course.

14 minutes ago
[deleted]
sroussey 34 minutes ago

“This is might be considered secure but is convenient for key backup.”

Might want to clean up that sentence.