Build Status MIT Licensed



SeKey is an SSH agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave.

How it Works?

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.


  • Only supports MacBook Pro with the Touch Bar and Touch ID
  • Can't import preexisting keys
  • Stores only 256-bit elliptic curve private keys



Unfortunately, I can't make a Homebrew formula because the Keychain API requires entitlements, so the binary has to be signed to work. You can still use Homebrew Cask.

Homebrew Cask

  1. Install SeKey
brew cask install sekey
  2. Append the following line to your ~/.bash_profile or ~/.zshrc
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh
  3. Add the following line to your ~/.ssh/config or /etc/ssh/ssh_config
IdentityAgent ~/.sekey/ssh-agent.ssh

Pkg Installer

  1. Go to Releases and download the pkg release
  2. Install the application using the pkg.
  3. Set environment variables and fix the path of the sekey folder.
export PATH=$PATH:/Applications/
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Manual Installation

  1. Go to Releases and download the zip release
  2. Place the App in the Applications folder.
  3. Go to ~/Library/LaunchAgents
  4. Create the file com.ntrippar.sekey.plist
  5. Paste the following into the file and fix the path of the sekey binary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  6. Fix permissions
chown youruser:staff /absolute/path/to/
  7. Load the agent to the user account:
launchctl load -F ~/Library/LaunchAgents/com.ntrippar.sekey.plist
  8. Set environment variables and fix the path of the sekey folder.
export PATH=$PATH:/path/to/
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh


For the help menu:

ntrippar@macbookpro:~% sekey -h
SeKey 1.0
Nicolas Trippar <>
Use Secure Enclave for SSH Authentication

    sekey [FLAGS] [OPTIONS]

        --daemon       Run the daemon
    -h, --help         Prints help information
        --list-keys    List all keys
    -V, --version      Prints version information

        --delete-keypair <ID>         Deltes the keypair
        --export-key <ID>             export key to OpenSSH Format
        --generate-keypair <LABEL>    Generate a key inside the Secure Enclave


Create KeyPair inside the Secure Enclave:

ntrippar@macbookpro:~% sekey --generate-keypair "Github Key"
Keypair Github Key sucessfully generated

List keys in the secure enclave:

ntrippar@macbookpro:~% sekey --list-keys

│       Label        │                        ID                        │
│     Github Key     │     d179eb4c2d6a242de64e82240b8b6e611cf0d729     │

Export public key to OpenSSH format:

ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729
ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ==
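
A check one could run on an exported line before installing it in authorized_keys, as an added example (not part of SeKey): it parses the SSH wire format and confirms the key is a well-formed ecdsa-sha2-nistp256 key, the only kind the limitations above allow. The function names are hypothetical, and the check does not verify that the point lies on the curve.

```python
import base64
import struct

# Sample line exactly as printed by `sekey --export-key` on this page.
PAGE_SAMPLE = (
    "ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7"
    "SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J"
    "/3xchQ=="
)
EXPECTED_ALG = "ecdsa-sha2-nistp256"  # RFC 5656 name for a P-256 key
EXPECTED_CURVE = "nistp256"

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end

def check_p256_pubkey(line):
    """Return the problems found in an OpenSSH public-key line (empty = OK)."""
    fields = line.split()
    if len(fields) < 2:
        return ["expected '<type> <base64> [comment]'"]
    label = fields[0]
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner_alg, off = read_string(blob, 0)
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"malformed key blob: {exc}"]
    problems = []
    if label != EXPECTED_ALG:
        problems.append(f"type label is {label!r}, expected {EXPECTED_ALG!r}")
    if inner_alg.decode("ascii", "replace") != label:
        problems.append("type label does not match algorithm name inside blob")
    if curve.decode("ascii", "replace") != EXPECTED_CURVE:
        problems.append(f"curve identifier is {curve!r}")
    if len(point) != 65 or point[0] != 0x04:
        problems.append("public point is not a 65-byte uncompressed P-256 point")
    if off != len(blob):
        problems.append("trailing bytes after public point")
    return problems
```

Run over the sample line above, it reports one problem: the type label `ecdsa-sha2-nistp25` is not the RFC 5656 name `ecdsa-sha2-nistp256`, while the curve identifier and the 65-byte point are well formed.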

Delete Keypair:

ntrippar@macbookpro:~% sekey --delete-keypair d179eb4c2d6a242de64e82240b8b6e611cf0d729
Key d179eb4c2d6a242de64e82240b8b6e611cf0d729 sucessfully deleted

Use key for a specific host:

  1. Export the public key from sekey and save it to a file
ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729 > ~/.ssh/
  2. In the SSH config file located at ~/.ssh/config, add an entry so that ssh only queries that key for the given host
    IdentityFile ~/.ssh/
    IdentitiesOnly yes

How to Build


Sekey is built with Cargo, the Rust package manager.

git clone
cd sekey
cargo build --release


SeKey uses the Keychain API on macOS; to use it, the app needs to be signed and have the correct entitlements.

You need to change the sign parameter to match your own signing key.

Listing keys

security find-identity -v -p codesigning


codesign --force --identifier "com.ntrippar.sekey" --sign "Developer ID Application: Nicolas Trippar (5E8NNEEMLP)" --entitlements ./assets/sekey.entitlements --timestamp=none ./bundle/


cp ./target/release/sekey ./bundle/Applications/

If you need to create a pkg installer:

pkgbuild --analyze --root ./bundle/ SeKey.plist

pkgbuild --sign "Developer ID Installer: Nicolas Trippar (5E8NNEEMLP)" --identifier com.ntrippar.sekey --root ./bundle/ --scripts ./install-scripts --component-plist ./SeKey.plist ./sekey.pkg


Members of the open-source community are encouraged to submit pull requests directly through GitHub.