OpenSec Atlas

secretive: An Open Source Tool for Identity & Access Management (IAM) | OpenSec Atlas

Back to Browse

Identity & Access Management (IAM)

Tool

secretive

Secretive securely stores and manages SSH keys in the Mac Secure Enclave, enhancing protection and access control.

View on GitHub

About This Tool

Store SSH keys in the Secure Enclave

Primary Use Case

This tool is designed for Mac users who want to protect their SSH private keys by storing them in the Secure Enclave, preventing export and unauthorized copying. It is ideal for developers and security-conscious users seeking strong authentication controls like Touch ID or Apple Watch integration for SSH key access.

Key Features

Stores SSH keys securely in the Secure Enclave, making them non-exportable
Supports strong access controls such as Touch ID and Apple Watch authentication
Notifies users whenever SSH keys are accessed
Includes a native macOS management app written in Swift with no external dependencies
Supports Smart Card (e.g., YubiKey) signing for Macs without Secure Enclave
Auditable build process via GitHub Actions with SHA checksum verification

Insights & Recommendations

Because keys stored in the Secure Enclave are non-exportable, backups and transfers to new machines are not possible; users must generate new keys on each Mac. Consistent use of the same bundle ID is required when building from source to ensure Keychain access to stored keys. Users should configure access controls like Touch ID to maximize security benefits.

Installation

Download the latest release from the Releases Page on GitHub
Alternatively, install via Homebrew using: brew install secretive

Usage

brew install secretive

Installs Secretive using Homebrew package manager on macOS

Smart Usage Notes

Integrate Secretive with enterprise Mac management solutions to enforce hardware-backed key storage policies.Use Secretive's notification feature to trigger alerts in SIEM systems for anomalous SSH key access.Combine with Smart Card (YubiKey) deployments for environments with mixed hardware capabilities.Leverage the auditable build process to ensure supply chain integrity in security-sensitive deployments.Incorporate Secretive into developer onboarding workflows to enforce strong SSH key management practices.