Secure Enclave keyslots (macOS)
Bind a vault to your Mac's Secure Enclave. Optional Touch ID, fused SEP + FIDO2 or SEP + passphrase, hybrid SEP + post-quantum.
A Secure Enclave (SEP) keyslot binds the vault to the specific Mac where you enroll it. The slot's key agreement runs against a P-256 key that lives inside the machine's Secure Enclave; the private half never leaves the chip and cannot be exported, backed up, or migrated. The vault opens on that Mac; it does not open on any other machine, even with the same passphrase or FIDO2 device.
SEP keyslots shipped in v0.4.0 and require an Apple Silicon or
T2 Mac. The same .lbx file remains portable everywhere, only the
SEP slot is machine-bound. On Linux the equivalent binding is a
TPM 2.0 keyslot.
Derive, not wrap
Unlike a TPM, the Secure Enclave has no "seal arbitrary bytes"
primitive. Its building block is a non-extractable P-256 key, so
LUKSbox derives the wrap-KEK from an ECDH agreement against that
enclave-resident key (CryptoKit SecureEnclave.P256.KeyAgreement,
ECDH + HKDF). Three practical consequences:
- No keychain entry, no entitlements, no Apple developer
identity. The slot works from an unsigned CLI build; the notarized
.appbundle is a nicer GUI experience, not a requirement. - No external sidecar for the SEP material. The per-slot enclave
blob lives in a structured in-header region that is covered by the
header's HMAC, so a SEP vault is still a single
.lbxfile. The hybrid post-quantum kinds keep using the usual.kyberseed file for their ML-KEM half. - The KEK derivation mixes every present factor (enclave agreement, Argon2id passphrase, FIDO2 hmac-secret, ML-KEM shared secret) through one HKDF step, so fused kinds require all of their factors at every unlock.
When to use a SEP slot
| You want | Use |
|---|---|
| Unlock without typing anything on your own Mac | sep + a passphrase backup slot |
| A biometric gate on top of the machine binding | sep-biometric (Touch ID or account passcode) |
| Two-factor "must have YubiKey AND must be on this Mac" | sep-fido2 (single slot, both required) |
| Machine-bound plus something you can carry in your head | sep-passphrase |
| Post-quantum on top of the enclave binding | hybrid-pq-sep / hybrid-pq-sep1024 |
| All of the above | hybrid-pq-sep-fido2 / hybrid-pq-sep-passphrase (768 or 1024) |
Always pair a SEP slot with a backup slot. A SEP keyslot becomes permanently unrecoverable if:
- The Mac is erased ("Erase All Content and Settings", a DFU restore, or a macOS reinstall that wipes the enclave).
- The logic board is replaced.
- You move the vault to another machine, including via Migration Assistant: the enclave key is bound to the physical chip and does not transfer.
The CLI / GUI / wizard all surface a warning before creating a SEP-only vault.
Variants
| Slot kind | Inputs at unlock | CLI --kind |
|---|---|---|
SepSealed |
Secure Enclave only | sep |
SepSealedBiometric |
Secure Enclave + Touch ID or passcode | sep-biometric |
SepFido2 |
Secure Enclave + FIDO2 hmac-secret (fused) | sep-fido2 |
SepPassphrase |
Secure Enclave + Argon2id passphrase (fused) | sep-passphrase |
HybridPqKemSep |
Secure Enclave + ML-KEM-768 decap | hybrid-pq-sep |
HybridPqKem1024Sep |
Secure Enclave + ML-KEM-1024 decap | hybrid-pq-sep1024 |
HybridPqKemSepFido2 |
Enclave + FIDO2 + ML-KEM-768 | hybrid-pq-sep-fido2 |
HybridPqKem1024SepFido2 |
Enclave + FIDO2 + ML-KEM-1024 | hybrid-pq-sep-fido21024 |
HybridPqKemSepPassphrase |
Enclave + passphrase + ML-KEM-768 | hybrid-pq-sep-passphrase |
HybridPqKem1024SepPassphrase |
Enclave + passphrase + ML-KEM-1024 | hybrid-pq-sep-passphrase1024 |
A slot takes FIDO2 or a passphrase as its extra factor, never both: the second human factor is redundant, so the combined kinds are not user-selectable (vaults that already carry them still open).
luksbox info labels the slots as Secure Enclave and
Secure Enclave + Touch ID so you can tell which vaults are
machine-bound before trying them on another host.
Touch ID gating
sep-biometric asks macOS for user presence on every unlock: Touch
ID if the Mac has it, the account passcode otherwise. This works from
any interactive session, including a plain terminal running the
unsigned CLI. What it protects against is someone at your unlocked
desk mounting the vault without your finger; it does not change the
cryptography of the slot.
CLI, create a SEP-bound vault
# Plain Secure Enclave (no prompt at unlock)
luksbox create my.lbx --kind sep
# Secure Enclave + Touch ID / passcode prompt
luksbox create my.lbx --kind sep-biometric
# Fused Secure Enclave + FIDO2 (both required to unlock)
luksbox create my.lbx --kind sep-fido2
# Fused Secure Enclave + passphrase
luksbox create my.lbx --kind sep-passphrase
# Hybrid Secure Enclave + ML-KEM-768
luksbox create my.lbx --kind hybrid-pq-sep \
--pq-hybrid /Volumes/usb/my.kyber
# Strongest: enclave + FIDO2 + ML-KEM-1024
luksbox create my.lbx --kind hybrid-pq-sep-fido21024 \
--pq-hybrid /Volumes/usb/my.kyber
After create, the wizard / GUI offer to add a backup keyslot. The CLI emits the same warning and asks you to confirm. To enroll a backup later:
luksbox enroll my.lbx --kind passphrase
Deniable vaults can use the enclave too: the --credential flag
accepts sep, sep-fido2, pq-sep, and pq-sep-fido2.
TUI / GUI
The interactive wizard and the
GUI create flow expose every SEP variant through
the same factor-then-variant picker used for TPM slots. The GUI's
recent-vaults list shows a machine-binding badge, and unlocking a
sep-biometric slot pops the system Touch ID sheet.
The full design rationale (why derive instead of wrap, the in-header
region layout, the threat model) is in
docs/SEP_KEYSLOT_DESIGN.md.