Secure Enclave

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome. (c) Apple’s documentation for developers

Termius for iOS allows you to generate a key inside the Secure Enclave Processor and use it for SSH connections. A SEP key can't be directly accessed by Termius or iOS. Thus, SEP keys are not synchronized (even across iOS devices).

Before generating a SEP key, you must protect your device with a passcode, Touch ID, or Face ID. You’ll be asked to authenticate with one of these methods during a connection. Successful authentication allows you to use the key.

Generating and using a SEP key for authentication

Once you change your passcode, all previously generated SEP keys stop working.

Secure Enclave is available on iPhone 5s, iPad Air, and later models of these devices.

Like other kinds of keys, SEP keys can be used for agent forwarding.

Generate a SEP Key

  1. Navigate to the Keychain screen.

  2. Tap + and then Generate Secure Enclave Key.

  3. Specify the parameters of the key. Add a passphrase, if desired, and check Save passphrase so that you aren’t asked for it on every connection.

  4. Tap Save. If your device isn’t protected with a passcode, Touch ID, or Face ID, you’ll see an error message.

Export a SEP Key to a Host

As with other kinds of keys, you can export a SEP key to a host. That is, you can add its public part to the authorized_keys file stored on the server, right from the app (if it's an OpenSSH server).

  1. Navigate to the Keychain screen.

  2. Tap and hold the required key.

  3. Choose Share and then Export to Host.

  4. Tap the required host and then Export.
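
To confirm on the server what an export added, the Python example below (added here; it is not Termius or Apple code) parses one authorized_keys line, checks that the entry is a structurally well-formed ECDSA P-256 key, the only key type the Secure Enclave supports, and computes its SHA256 fingerprint. It assumes the exported entry uses the standard OpenSSH ecdsa-sha2-nistp256 format; the sample line is constructed and is not a real key.

```python
import base64
import hashlib
import struct

def pack(b):
    """Encode bytes as an RFC 4251 string: uint32 length, then the data."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Read one RFC 4251 string at offset off; return (data, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def inspect_entry(line):
    """Parse one authorized_keys line (options must not contain spaces)."""
    fields = line.split()
    # Options may precede the key type, so search for it instead of using index 0.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type and blob found")
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner, off = read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError("type label does not match key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    info = {"type": key_type, "comment": " ".join(fields[idx + 2:]),
            "fingerprint": "SHA256:" + digest.rstrip("="), "p256_wellformed": False}
    if key_type == "ecdsa-sha2-nistp256":
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
        # Uncompressed P-256 point: 0x04 || X (32 bytes) || Y (32 bytes), nothing after it.
        info["p256_wellformed"] = (curve == b"nistp256" and len(point) == 65
                                   and point[0] == 4 and off == len(blob))
    return info

# Constructed sample: correct structure, placeholder coordinates, not a real key.
SAMPLE_BLOB = pack(b"ecdsa-sha2-nistp256") + pack(b"nistp256") + pack(b"\x04" + bytes(range(64)))
SAMPLE_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode() + " sep-key-example"

if __name__ == "__main__":
    print(inspect_entry(SAMPLE_LINE))
```

Because SEP keys stop working after a passcode change and are not synchronized, the fingerprint is a convenient handle for finding and pruning stale entries on each host.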