Ive come to discover recently that apple does not let you store secrets in the secure enclave. Its off limits to the owner/user of the device and meant for storing apple secrets….
So then wallets on ios/macos are sitting on the drive, encrypted by the OS? This really bothers me a LOT. They’re unwrapped for use and exposed in RAM instead of inside the secure enclave. Why would anyone in their right mind want to use these devices with crypto in mind?
If you got rootkitted its game over but windows TPM 2.0 and android strongbox/titan allow users to store secrets in the vault. A rootkit can’t get in the vault. But with apple, kernel access means the ability to unwrap your secrets that were out on the front sidewalk anyway and not inside the house and in the safe where they belong.
What in the world is this? Its really bothering me.
I don’t understand you concern. My ssh secret key is stored in secure enclave. All my passkeys are stored in secure enclave. If anything, we just need to have more apps support passkey.
Hey Brian, the concern is that Apple doesn’t let third party apps generate keys inside the Secure Enclave. What you’re describing is Apple managing keys on your behalf through their own APIs. That’s a different thing.
For a trustless proof-of-personhood primitive, I need users to generate sovereign keypairs in hardware that nobody can extract, including Apple. Android StrongBox gives developers that. So does Windows hardware, even if running Linux. Apple doesn’t.
Passkeys authenticate you to a service. They can’t sign arbitrary payloads with a user-sovereign private key. Those are different things and the distinction matters for what I’m building.