Security●Mid
Credctl – Replace AWS access keys with Secure Enclave-bound credentials
Secure Enclave-bound AWS credentials could replace access keys if it works.
Ship It
matzhouse
203mo ago
Back to browse
Sod – Touch ID-Backed SSH Keys Using the Secure Enclave
by botanica_labs·Jun 30, 2026·1 point·0 comments
AI Analysis
●●●BangerWizardrySolve My Problem
Touch ID for SSH using Secure Enclave—keys can't be stolen even if disk is compromised.
Strengths
- •Unexportable keys in Secure Enclave prevent theft even with disk access
- •Zero server-side changes required, works with any OpenSSH server
- •Minimal Swift codebase with zero external dependencies
Weaknesses
- •macOS-only, no cross-platform support for Linux or Windows
- •Requires Apple hardware with Secure Enclave chip
Category
Target Audience
macOS developers and sysadmins using SSH
Similar To
macOS built-in ssh-agent · ssh-keygen
Post Description
Hi HN!
Showcasing sod - a minimal Secure Enclave harness for ssh keys.
sod generates an ecdsa-sha2-nistp256, unexportable key inside the Apple Secure Enclave.
It then orchestrates a barebones ssh-agent session which, in short - allows authenticating to OpenSSH servers the same way you would normally - but with your fingerprint instead of your password.
No special support required on the server side, this simply bridges typical ssh client behavior with Secure Enclave signing primitives.
sod is CLI-only, and "speaks" in typical OpenSSH verbs: ssh-keygen, ssh-add, ssh-agent.
sod is a lean codebase written in Swift - zero dependencies (outside of Swift's own). It does not implement any cryptography itself but rather delegates to macOS and OpenSSH crypto.
Quickstart: brew install botanica-consulting/tap/sod
sd install
ssh-copy-id -i ~/.ssh/id_sod.pub user@host
ssh user@host
Pre-built .pkg and the code for your perusal at: https://github.com/botanica-consulting/sodAny feedback is welcome!
-- sod is a FOSS project by https://botanica.software
Similar Projects
Security●●Solid
Keypo – Secure Enclave encrypted secrets for AI coding agents
Secure Enclave vault exec beats .env files for AI agent secret injection.
SlickNiche Gem
dhblumenfeld1
513mo ago
Security●●●Banger
Meow.gs – SSH to Dev Env with Touch ID / Face ID (Code on iPad)
WebAuthn passkeys replace SSH keys—Touch ID auth without managing key files.
Zero to OneWizardrySolve My Problem
darkbatman
313mo ago
Infrastructure●Mid
Using Tailscale with Apple's containerization stack
Userspace Tailscale networking for Apple containers avoids kernel TUN limitations securely.
Ship ItSolve My Problem
highpost
411mo ago
Security●●Solid
Envsh – Zero-knowledge secret sync using your SSH keys
Reuses existing SSH keys for encryption so you don't manage new credentials.
Big BrainSolve My Problem
sn0wflak3s
103mo ago
Security●●Solid
MakLock – Free macOS App Locker with Touch ID and Apple Watch
Free AppLocker alternative with Apple Watch unlock and full-screen overlay.
Solve My ProblemCozy
makmakapps
104mo ago