/ Documentation / Keyslots / Secure Enclave keyslots (macOS)

Secure Enclave keyslots (macOS)

Bind a vault to your Mac's Secure Enclave. Optional Touch ID, fused SEP + FIDO2 or SEP + passphrase, hybrid SEP + post-quantum.

A Secure Enclave (SEP) keyslot binds the vault to the specific Mac where you enroll it. The slot's key agreement runs against a P-256 key that lives inside the machine's Secure Enclave; the private half never leaves the chip and cannot be exported, backed up, or migrated. The vault opens on that Mac; it does not open on any other machine, even with the same passphrase or FIDO2 device.

SEP keyslots shipped in v0.4.0 and require an Apple Silicon or T2 Mac. The same .lbx file remains portable everywhere, only the SEP slot is machine-bound. On Linux the equivalent binding is a TPM 2.0 keyslot.

Derive, not wrap

Unlike a TPM, the Secure Enclave has no "seal arbitrary bytes" primitive. Its building block is a non-extractable P-256 key, so LUKSbox derives the wrap-KEK from an ECDH agreement against that enclave-resident key (CryptoKit SecureEnclave.P256.KeyAgreement, ECDH + HKDF). Three practical consequences:

When to use a SEP slot

You want Use
Unlock without typing anything on your own Mac sep + a passphrase backup slot
A biometric gate on top of the machine binding sep-biometric (Touch ID or account passcode)
Two-factor "must have YubiKey AND must be on this Mac" sep-fido2 (single slot, both required)
Machine-bound plus something you can carry in your head sep-passphrase
Post-quantum on top of the enclave binding hybrid-pq-sep / hybrid-pq-sep1024
All of the above hybrid-pq-sep-fido2 / hybrid-pq-sep-passphrase (768 or 1024)

Always pair a SEP slot with a backup slot. A SEP keyslot becomes permanently unrecoverable if:

The CLI / GUI / wizard all surface a warning before creating a SEP-only vault.

Variants

Slot kind Inputs at unlock CLI --kind
SepSealed Secure Enclave only sep
SepSealedBiometric Secure Enclave + Touch ID or passcode sep-biometric
SepFido2 Secure Enclave + FIDO2 hmac-secret (fused) sep-fido2
SepPassphrase Secure Enclave + Argon2id passphrase (fused) sep-passphrase
HybridPqKemSep Secure Enclave + ML-KEM-768 decap hybrid-pq-sep
HybridPqKem1024Sep Secure Enclave + ML-KEM-1024 decap hybrid-pq-sep1024
HybridPqKemSepFido2 Enclave + FIDO2 + ML-KEM-768 hybrid-pq-sep-fido2
HybridPqKem1024SepFido2 Enclave + FIDO2 + ML-KEM-1024 hybrid-pq-sep-fido21024
HybridPqKemSepPassphrase Enclave + passphrase + ML-KEM-768 hybrid-pq-sep-passphrase
HybridPqKem1024SepPassphrase Enclave + passphrase + ML-KEM-1024 hybrid-pq-sep-passphrase1024

A slot takes FIDO2 or a passphrase as its extra factor, never both: the second human factor is redundant, so the combined kinds are not user-selectable (vaults that already carry them still open).

luksbox info labels the slots as Secure Enclave and Secure Enclave + Touch ID so you can tell which vaults are machine-bound before trying them on another host.

Touch ID gating

sep-biometric asks macOS for user presence on every unlock: Touch ID if the Mac has it, the account passcode otherwise. This works from any interactive session, including a plain terminal running the unsigned CLI. What it protects against is someone at your unlocked desk mounting the vault without your finger; it does not change the cryptography of the slot.

CLI, create a SEP-bound vault

# Plain Secure Enclave (no prompt at unlock)
luksbox create my.lbx --kind sep

# Secure Enclave + Touch ID / passcode prompt
luksbox create my.lbx --kind sep-biometric

# Fused Secure Enclave + FIDO2 (both required to unlock)
luksbox create my.lbx --kind sep-fido2

# Fused Secure Enclave + passphrase
luksbox create my.lbx --kind sep-passphrase

# Hybrid Secure Enclave + ML-KEM-768
luksbox create my.lbx --kind hybrid-pq-sep \
    --pq-hybrid /Volumes/usb/my.kyber

# Strongest: enclave + FIDO2 + ML-KEM-1024
luksbox create my.lbx --kind hybrid-pq-sep-fido21024 \
    --pq-hybrid /Volumes/usb/my.kyber

After create, the wizard / GUI offer to add a backup keyslot. The CLI emits the same warning and asks you to confirm. To enroll a backup later:

luksbox enroll my.lbx --kind passphrase

Deniable vaults can use the enclave too: the --credential flag accepts sep, sep-fido2, pq-sep, and pq-sep-fido2.

TUI / GUI

The interactive wizard and the GUI create flow expose every SEP variant through the same factor-then-variant picker used for TPM slots. The GUI's recent-vaults list shows a machine-binding badge, and unlocking a sep-biometric slot pops the system Touch ID sheet.

The full design rationale (why derive instead of wrap, the in-header region layout, the threat model) is in docs/SEP_KEYSLOT_DESIGN.md.