Secure Enclave encrypted custom data

[netwarex]

It would great if this tool can be more generic, like storing any data encrypted with the created keys.

An example: https://github.com/ssh-vault/ssh-vault, with these it seems I can achieve my goal (no, it does not supports ssh agent).

But here is another possibility: https://github.com/agens-no/EllipticCurveKeyPair

[maxgoedjen]

@netwarex basically we're pretty limited in terms what of what we can store in the SEP (basically, p256 ECDSA keypairs).

You could, I think, theoretically have the app responsible for storing a keypair that's used to encrypt files that are stored otherwise on disk – but I think that's a bit outside the scope of this project (I wouldn't rule out a spinoff though). Fundamentally this is not all that different from the built in macOS encryption model though – I'm not sure there'd be that much more benefit beyond just adding an additional layer.

[netwarex]

Okay, I'm not that deep into the currently implementation, however my goal is to unlock some secrets the same way as the SSH authentication get done.

Like I would like to securely store API Key/Master Password/Sessions and unlock them when it's needed with Touch ID or Apple Watch without typing them in.

Would you think this is really out of scope of this project?

[m4rkw]

I'd also like this feature - i.e. ability to encrypt/decrypt with the stored keys, and optionally require the touchID press in order to execute.

[maxgoedjen]

Just a few more idle thoughts about the possibility of doing this:

• The lack of portability seems like it'd be a huge problem with this. Basically your encrypted data is tied to one device with no means of backup. If you move to a new machine, you'd have to decrypt all of the data encrypted with that key set, and reencrypt it with the new keys.
• In the event of a device dying/being stolen, you're really screwed.
• This realllllly expands the data-loss potential of this project. With SSH keys, it's not a huge concern – you can have multiple keys added to a service/machine you want to shell into, it's trivial to add new ones/rotate out old ones. With encrypted data, that's really not the case. I really don't want to be responsible for anyone losing access to their data :/

Still not ruling anything out, but just hoping to give a bit more context as to why I'm nervous about enabling a use case like this.

[m4rkw]

Hi @maxgoedjen indeed, loss of the device is a real concern. I've switched to using yubikeys for ssh now rather than secretive because then the keys are movable between devices.

With regards to general encryption I've actually found other means to do what I wanted to do and don't really care about this feature anymore, partially because of that issue. I guess the only mitigation possible would be to make a second backup of the data encrypted with a key outside of the TPM.

[maxgoedjen]

Yep, YubiKeys are great for that (FYI: Secretive actually supports SSH credentials stored on YubiKeys as well, if you feel like using that as an easier interface).