If you use SSH keys on a Mac, there’s a great tool that helps protect them better. The tool is called Secretive. It is free and open source. It uses the Secure Enclave, which is a special security chip built into most modern Macs. With Secretive, your SSH private keys stay inside this chip. They never appear on your hard drive. This means malware or hackers cannot copy them.

In this blog post, you will learn:

• What Secretive is

• How it works

• How to install and set it up

• Why is it safer

• Some limitations to keep in mind

What Is Secretive?

Secretive is a macOS app that creates and stores SSH keys in the Secure Enclave. This chip is built into your Mac and helps protect sensitive data. When you use Secretive, your private key never leaves the Secure Enclave. You can still connect to servers and use Git, but your private key stays safe inside your computer.

Key Features

• Keys never leave your Mac: The private part of your SSH key is kept in the Secure Enclave. No one can copy it.

• Biometric Security: You can use Touch ID or your Apple Watch to approve key usage.

• Alerts: You get a notification every time your key is used.

• Easy to Use: Secretive works with tools like Git and SSH automatically.

How to Install and Use Secretive

1. Install with Homebrew:

brew install --cask secretive

1. Or download it from GitHub and open the app.

2. Set up the SSH agent:
   In the Secretive app, follow the instructions to set up the SSH agent. If needed, add this to your SSH config:

Host *
  IdentityAgent ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh

1. Create a New Key:

   • Open the Secretive app

   • Click the + button

   • Name your key (for example, “GitHub”)

   • Choose if you want to use Touch ID each time

   • Click Create

2. Use the Public Key:

   • Copy the public key from Secretive

   • Add it to your server or GitHub account

3. Use SSH or Git:

   • Try connecting to a server:

ssh user@server.com

1. • Or try a Git command:

git pull

1. You may be asked to use Touch ID or approve with your Apple Watch.

Using Secretive to Sign Git Commits

You can also use Secretive to sign Git commits.

1. Enable SSH signing in Git:

git config --global commit.gpgSign true
git config --global gpg.format ssh

1. Find the public key file path in Secretive and set it in Git:

git config --global user.signingKey /path/to/your/key.pub

Now your commits will be signed and verified by GitHub.

Pros of Using Secretive

• Strong protection: keys are safe in hardware

• Easy to use: simple interface

• Works with Git and SSH

• No need for USB tokens

• Free and open-source

Things to Know (Limitations)

• Only ECDSA keys: It does not support RSA or Ed25519

• Cannot import keys: You must make a new key in Secretive

• No backup: If you lose your Mac, the key is gone

• Only works on macOS with a Secure Enclave

• Does not sync across devices: You need to create new keys on each Mac

Secretive is a strong tool for keeping your SSH keys safe. It uses your Mac’s hardware to make sure no one can steal your private key. It is simple, useful, and free. If you use SSH or Git on a Mac, Secretive is a smart upgrade.