# maxgoedjen/secretive

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/maxgoedjen-secretive).**

8,162 stars · 191 forks · Swift · MIT

## Links

- GitHub: https://github.com/maxgoedjen/secretive
- Homepage: https://secretive.dev
- awesome-repositories: https://awesome-repositories.com/repository/maxgoedjen-secretive.md

## Topics

`mac` `secure-enclave` `security` `ssh`

## Description

Secretive is an SSH key manager that utilizes hardware-backed security modules to generate and store non-exportable private keys. It integrates with secure enclaves to ensure that sensitive cryptographic material remains within the hardware and cannot be exported from the device.

The project implements a biometric authentication workflow, requiring fingerprint or wearable verification before a private key is released for a signing operation. It can also bridge signing requests to external hardware tokens on systems that lack a built-in secure enclave.

The project includes utilities for managing public key metadata, mapping keys to local files, and monitoring key usage through event-based access notifications. It further provides configuration options to integrate these hardware-backed authentication capabilities with external applications.

## Tags

### Security & Cryptography

- [Hardware Security Module Integrations](https://awesome-repositories.com/f/security-cryptography/hardware-security-module-integrations.md) — Integrates with secure enclaves to store private keys in hardware-backed security modules.
- [Secure Enclaves](https://awesome-repositories.com/f/security-cryptography/hardware-security-module-integrations/secure-enclaves.md) — Implements non-exportable SSH key storage using hardware-backed secure enclaves to prevent private key extraction. ([source](https://cdn.jsdelivr.net/gh/maxgoedjen/secretive@main/README.md))
- [Biometric Authentication](https://awesome-repositories.com/f/security-cryptography/biometric-authentication.md) — Requires biometric verification before allowing a private key to be used for signing operations.
- [Biometric Unlocking](https://awesome-repositories.com/f/security-cryptography/credential-vaults/biometric-unlocking.md) — Implements hardware-backed biometric verification to grant access to private signing keys.
- [Cryptographic Key Generation](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management/cryptographic-key-generation.md) — Generates cryptographic keys directly inside a secure enclave so private material never leaves the hardware.
- [Hardware-Internal Key Generation](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management/cryptographic-key-generation/hardware-internal-key-generation.md) — Enables the creation of private keys within a hardware security module to prevent sensitive material from being exported. ([source](https://secretive.dev))
- [Identity & Key Management](https://awesome-repositories.com/f/security-cryptography/identity-key-management.md) — Generates and stores private keys within a hardware-backed secure enclave to prevent unauthorized export.
- [Hardware-Backed Key Storage](https://awesome-repositories.com/f/security-cryptography/key-management/hardware-backed-key-storage.md) — Stores and manages private keys within a hardware security module to prevent unauthorized export.
- [SSH Key Management](https://awesome-repositories.com/f/security-cryptography/ssh-key-management.md) — Provides hardware-backed storage and access monitoring for SSH private keys.
- [Hardware Security Module Integrations](https://awesome-repositories.com/f/security-cryptography/asymmetric-signing/signed-jwt-generation/hardware-security-module-integrations.md) — Integrates with external hardware tokens for performing cryptographic signing operations.
- [Hardware Token Bridging](https://awesome-repositories.com/f/security-cryptography/security-token-management/hardware-token-bridging.md) — Routes signing requests to external security tokens for systems without a built-in secure enclave.

### Networking & Communication

- [Security Access Alerts](https://awesome-repositories.com/f/networking-communication/event-notifications/security-access-alerts.md) — Triggers real-time alerts whenever the secure enclave is accessed to monitor key usage.

### System Administration & Monitoring

- [Credential Access Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/activity-monitors/credential-access-monitoring.md) — Tracks and logs interactions with private keys to notify users of all authentication attempts. ([source](https://cdn.jsdelivr.net/gh/maxgoedjen/secretive@main/README.md))
