explaingit

maxgoedjen/secretive

8,516 · Swift · Audience: developer · Complexity: 2/5 · Setup: easy

TLDR

A Mac app that keeps SSH private keys inside the Secure Enclave, so the key material can never be exported or copied off the machine, even by malware running on it. Touch ID or Apple Watch can be required to approve each use of a key.

Mindmap

mindmap
  root((secretive))
    What it does
      Secures SSH keys
      Touch ID auth
      Usage alerts
    Security
      Secure Enclave chip
      No key export
      Apple Watch gate
    Compatibility
      YubiKey support
      Older Mac fallback
    Setup
      Homebrew install
      GitHub Actions build

Things people build with this

USE CASE 1

Store SSH keys for GitHub, AWS, or remote servers in the Mac's Secure Enclave so the private key can never be exported, even if the machine is compromised.

USE CASE 2

Get a real-time notification every time your SSH key is used, so unauthorized attempts are visible immediately.

USE CASE 3

Use Touch ID or Apple Watch as a physical confirmation gate before any SSH connection goes through.

USE CASE 4

Use a smart card such as a YubiKey as a hardware-backed SSH signing device on older Macs that do not have a Secure Enclave.

Tech stack

Swift · GitHub Actions · Secure Enclave · Touch ID

Getting it running

Difficulty · easy · Time to first run · 30 min

Keys stored in the Secure Enclave cannot be backed up or moved to a new Mac; when you replace your machine you must generate a new key and register its public half with every service you use.

Open source; the specific license is not named here. Check the repository's LICENSE file.

In plain English

Secretive is a Mac application that stores and manages SSH keys using the Secure Enclave, a dedicated security processor built into modern Apple computers. SSH keys are credentials that prove your identity when connecting to remote servers, cloud services, or code hosting platforms. By default, most people store these keys as files on disk, which works but leaves the private key exposed to anything that can read the file: a stolen disk image, a backup, or malware running as your user.

Secretive moves the private key somewhere that cannot be read or copied, even by the operating system itself. The Secure Enclave is a small, isolated processor inside your Mac that performs cryptographic operations and never lets private key material leave its protected memory. When Secretive signs an SSH authentication request, the raw key never touches the main CPU, RAM, or storage; only the signature comes out. An attacker who steals your disk image or copies your files gets nothing useful.

Note what this does and does not protect against. Malware on the machine cannot extract the key, but it could still ask the running agent to sign on its behalf. That is why Secretive supports Touch ID and Apple Watch as authentication gates, so each SSH connection requires a physical confirmation from you before a signature is produced, and why it sends a notification whenever a key is used. Unexpected or unauthorized attempts become visible rather than silent.

For older Macs without a Secure Enclave, the app supports smart cards such as a YubiKey as an alternative hardware-backed signing device. Installing the app is straightforward: download it from the releases page or install it with Homebrew using a single terminal command.

Because the Secure Enclave physically prevents key export, there is one meaningful trade-off to understand up front. Keys stored this way cannot be backed up and cannot be moved to a new Mac. When you replace your machine, you generate a new key and register its public half with the services you use. Secure Enclave keys are also ECDSA over the P-256 curve (ecdsa-sha2-nistp256 in SSH terms), so the servers you connect to must accept that key type.

The project is written in Swift, is open source, and its release builds are produced by GitHub Actions with publicly auditable attestation records, so you can verify that a downloaded build corresponds to the published source.
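The setup described above, as an added example that is not part of the project's own code or documentation: point OpenSSH at the Secretive agent socket, confirm the agent offers the Secure Enclave key, and push the public key to a remote host's authorized_keys. The socket path is the one the app shows on its setup screen for the current version; treat it as an assumption and copy the path from the app if it differs. The config edit is written so that running it twice does not duplicate the entry.

```shell
#!/bin/sh
# Added example (not from the Secretive repository). Assumed socket path; confirm it in the app's setup screen.
SECRETIVE_SOCK="${SECRETIVE_SOCK:-$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh}"
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# Append a "Host *" block that routes every connection through the Secretive agent.
# Idempotent: if the exact IdentityAgent line is already present nothing is written.
configure_identity_agent() {
  cfg="$1"; sock="$2"
  mkdir -p "$(dirname "$cfg")"
  [ -f "$cfg" ] || : > "$cfg"
  chmod 600 "$cfg"
  if grep -Fq "IdentityAgent $sock" "$cfg"; then
    return 0
  fi
  printf '\nHost *\n    IdentityAgent %s\n' "$sock" >> "$cfg"
}

# Exit 0 if the config names the given socket as IdentityAgent, 1 otherwise.
config_uses_secretive() {
  grep -Fq "IdentityAgent $2" "$1"
}

# Ask the agent which public keys it offers. With Secretive running this prints the
# Secure Enclave key (ecdsa-sha2-nistp256). Fails early if the socket is not present,
# which is the usual symptom when the SecretAgent helper is not running.
list_agent_keys() {
  sock="$1"
  [ -S "$sock" ] || { echo "agent socket not found: $sock" >&2; return 1; }
  SSH_AUTH_SOCK="$sock" ssh-add -L
}

# Install the agent's public key on a remote host. The public key is read from the agent
# rather than from a file because no private key file exists for a Secure Enclave key.
# The inner ssh authenticates with whatever credential you already have on that host.
install_on_remote() {
  sock="$1"; remote="$2"
  SSH_AUTH_SOCK="$sock" ssh-add -L | ssh "$remote" \
    'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
}

# Full procedure: configure, verify the key is offered, optionally install it remotely,
# then test the new key alone (-o IdentitiesOnly=yes would not apply to agent keys, so
# we simply try the connection and let the notification / Touch ID prompt confirm use).
setup_secretive_ssh() {
  remote="${1:-}"
  configure_identity_agent "$SSH_CONFIG" "$SECRETIVE_SOCK" || return 1
  list_agent_keys "$SECRETIVE_SOCK" || return 1
  if [ -n "$remote" ]; then
    install_on_remote "$SECRETIVE_SOCK" "$remote" || return 1
    ssh "$remote" 'echo "logged in via Secretive key as $(id -un)"'
  fi
}
```

Call `setup_secretive_ssh user@host` from a terminal to run the whole procedure; omit the argument to only configure and verify locally. For GitHub, paste the line printed by `list_agent_keys` into the SSH keys page instead of using `install_on_remote`, then test with `ssh -T git@github.com`; if Touch ID is required for the key, the prompt appears at that point.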

Copy-paste prompts

Prompt 1
How do I configure my SSH config file on macOS to use the Secretive agent socket for all connections?
Prompt 2
Write a shell script that reads my Secretive public key and adds it to a remote server's authorized_keys file over SSH.
Prompt 3
How do I register the public key generated by Secretive with GitHub so I can push and pull over SSH?
Prompt 4
How do I set up Secretive to require Touch ID confirmation before every SSH connection, and test that it works?
Prompt 5
What is the difference between storing SSH keys in Secretive versus the macOS Keychain, and why does Secure Enclave matter?


Verify against the repo before relying on details.