Secure Enclave

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome. (c) Apple Docs

In the Termius iOS app, the SEP feature is the ability to generate a private key using the iOS Keychain API, store that key inside the SEP, and use it for SSH connections.

Limitations and Capabilities

Secure Enclave is available on devices with the Apple A7 processor or newer (iPhone 5S and newer, iPad mini 2 and newer).

To use SEP in Termius for iOS, you need to protect the device with a system passcode and, optionally, Touch ID / Face ID.

SEP keys cannot be synchronized, even across iOS devices. Once you change the passcode on the device, all previously created SEP keys will stop working!

Creating a key

Working with SEP keys is very similar to working with regular SSH keys.

To create a SEP key, go to the Keychain screen, press the '+' button, and select 'Secure Enclave Key'.

The only editable field is the Key Name. Enter a name and press 'Generate' to proceed.

If no system passcode is set up, an error alert will be shown.

Exporting SEP keys

You can only access the public part of a SEP key; the private part never leaves the Secure Enclave.

Like other keys in the app, the public key can be manually copied, sent by email, or exported directly to a host.

Using SEP keys

You set up SEP keys for SSH authentication the same way you set up other SSH keys: by selecting the key in the host's settings.

What changes is the way you connect: during the authentication step you will be prompted for your passcode/Touch ID/Face ID. Without it, the SEP key cannot be used.
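As an added illustration (not Termius's own code), these are the iOS Keychain calls behind the three steps described under "Creating a key", "Exporting SEP keys" and "Using SEP keys": generating a key that lives in the Secure Enclave and is tied to the device passcode, exporting only its public half as an OpenSSH public key line, and signing with the private half, which never leaves the SEP. The function names, the application tag and the comment string are assumptions.

```swift
import Foundation
import Security
enum SEPKeyError: Error { case noPublicKey }

// Generate a P-256 key pair whose private half is created inside the Secure Enclave; the
// access-control object ties it to a passcode and forces a passcode/biometric prompt per use.
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // no passcode, no key
            [.privateKeyUsage, .userPresence], &error)
    else { throw error!.takeRetainedValue() as Error }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // SEP keys are P-256
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // create inside the SEP
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,                    // persist in the keychain
            kSecAttrApplicationTag as String: Data(tag.utf8),       // handle for later lookup (assumed tag)
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
    else { throw error!.takeRetainedValue() as Error }
    return key
}

// The only exportable part is the public key; emit it as an OpenSSH "ecdsa-sha2-nistp256" line.
func opensshPublicKeyLine(for key: SecKey, comment: String) throws -> String {
    var error: Unmanaged<CFError>?
    guard let pub = SecKeyCopyPublicKey(key) else { throw SEPKeyError.noPublicKey }
    guard let point = SecKeyCopyExternalRepresentation(pub, &error) as Data?   // 04 || X || Y
    else { throw error!.takeRetainedValue() as Error }
    func sshString(_ d: Data) -> Data {            // SSH wire string: 4-byte big-endian length + bytes
        var len = UInt32(d.count).bigEndian
        return Data(bytes: &len, count: 4) + d
    }
    let blob = sshString(Data("ecdsa-sha2-nistp256".utf8)) + sshString(Data("nistp256".utf8))
             + sshString(point)
    return "ecdsa-sha2-nistp256 \(blob.base64EncodedString()) \(comment)"
}

// Signing happens inside the SEP and returns only the DER ECDSA signature; this call is what
// triggers the passcode/Touch ID/Face ID prompt during SSH authentication.
func signChallenge(_ data: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, &error)
    else { throw error!.takeRetainedValue() as Error }
    return sig as Data
}
```

An SSH client still has to split the DER signature into the mpint r/s pair that the SSH protocol expects before sending it to the server.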

Agent Forwarding

SEP keys work with the SSH agent just like other SSH keys.

As with regular connections, you will be prompted for your passcode/Touch ID/Face ID before the key can be used to authenticate.