secretive
Protect your SSH keys with your Mac's Secure Enclave
A Mac app that stores SSH keys inside the Secure Enclave chip so they can never be copied or stolen, even by malware. Supports Touch ID and Apple Watch to confirm each connection.
Secretive is a Mac application that stores and manages SSH keys using the Secure Enclave, a dedicated security chip built into modern Apple computers. SSH keys are credentials that prove your identity when connecting to remote servers, cloud services, or code hosting platforms. By default, most people store these keys as files on their hard drive, which works fine but leaves them vulnerable if someone gains access to the machine. Secretive moves them somewhere that cannot be read or copied, even by the operating system itself.
The Secure Enclave is a small, isolated processor inside your Mac that handles cryptographic operations and never lets private key material leave its protected memory. When Secretive signs an SSH request, the private key is used inside the enclave; it is never loaded into main memory or written to disk. An attacker who steals your disk image or installs malware gets no key material. The app also supports Touch ID and Apple Watch as authentication gates, so each SSH connection requires a physical confirmation from you before it goes through.
Whenever one of your keys is used, Secretive sends a notification so you know in real time that a signature was made. This makes unexpected or unauthorized attempts visible rather than silent. For older Macs without a Secure Enclave, the app supports smart cards such as a YubiKey as an alternative hardware-backed signing device.
Installing the app is straightforward: download it from the releases page or install it with Homebrew using a single terminal command. Because the Secure Enclave physically prevents key export, there is one meaningful trade-off to understand up front. Keys stored this way cannot be backed up and cannot be moved to a new Mac. When you replace your machine, you generate a new key and register its public key with the services you use.
The project is written in Swift, is open source, and its release builds are produced by GitHub Actions with publicly auditable attestation records, so you can verify the build process matches the source code.
Where it fits
- Store SSH keys for GitHub, AWS, or remote servers in the Mac's Secure Enclave so they cannot be exported or stolen.
- Get a real-time notification every time your SSH key is used, so unauthorized attempts are visible immediately.
- Use Touch ID or Apple Watch as a physical confirmation gate before any SSH connection goes through.
- Connect a YubiKey as a hardware SSH key manager on older Macs that do not have a Secure Enclave.