
adding keys to secure enclave

Open rakesh1988 opened this issue 5 years ago • 3 comments

Does it make sense to add support for storing keys in the Secure Enclave on the new MacBook Pros? I will be more than happy to add this feature with some guidance. Thanks

rakesh1988 avatar Feb 25 '19 07:02 rakesh1988

I'm curious about how this will look, but I worry about adding APIs that are only supported on one platform:

  • we don't have an equivalent concept for Windows or Linux, so what happens if those users try and call that API?
  • what about on macOS environments where the secure enclave isn't available?

shiftkey avatar May 25 '19 15:05 shiftkey

Is this actually possible? From what I read in the documentation, it seems like you can't store existing keys in the Secure Enclave. You'd have to generate a new one inside it and sign/encrypt with the APIs exposed by the Secure Enclave.

Can’t import preexisting keys. You must create keys directly inside the Secure Enclave. Not having a mechanism to transfer key data into or out of the Secure Enclave is fundamental to its security.

I wish this wasn't the case because I would also be happy to add keys created in my app to the Secure Enclave instead of the normal keychain

Regarding these two questions, though:

  • we don't have an equivalent concept for Windows or Linux, so what happens if those users try and call that API?

You could make the API a no-op on other platforms, or throw an error if a user tries to call it on another platform.

  • what about on macOS environments where the secure enclave isn't available?

This is a bit of a problem since there's no API to check this (for some reason). One option is to try creating a key and handle error code -4 (no Secure Element) accordingly. Another solution checks if the device supports biometrics (Touch ID/Face ID) and if the device is a simulator, since all Apple devices that have biometrics currently also have a Secure Element.

rajivshah3 avatar May 28 '19 02:05 rajivshah3
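The comment above makes three practical points: keys must be generated inside the Secure Enclave rather than imported, the only way to find out whether an enclave exists is to try creating a key and look at the error (or fall back to the biometrics heuristic), and the enclave-resident key is then used through the sign/encrypt APIs. The following is an added example written for this page; it is not keytar's code and not from anyone in the thread. It uses the macOS Security and LocalAuthentication frameworks from Objective-C, the language keytar's macOS backend is built with. The application tags, the build command and the sample message are assumptions made for the example.

```objective-c
// Added example: not keytar's code and not from the thread. Shows, with the macOS
// Security framework, (1) creating a key that only ever exists inside the Secure
// Enclave, (2) probing for enclave support via the creation error, (3) the biometrics
// heuristic, (4) that the private key cannot be exported, and (5) signing with it.
// Assumed build line (hypothetical): clang -fobjc-arc -framework Foundation \
//   -framework Security -framework LocalAuthentication enclave.m -o enclave
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Hypothetical application tag; a real backend would derive it from service/account.
static NSString *const kDemoTag = @"com.example.keytar-enclave-demo";

// Generate a P-256 private key inside the Secure Enclave. The enclave never releases
// the private scalar; callers only get an opaque SecKeyRef plus the public half.
static SecKeyRef CreateEnclaveKey(NSString *tag, BOOL permanent, CFErrorRef *error) {
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never migrates to another device
        kSecAccessControlPrivateKeyUsage,             // required for enclave-resident keys
        error);
    if (!access) return NULL;
    NSDictionary *attrs = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,   // the enclave only supports P-256
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent:    @(permanent),
            (id)kSecAttrApplicationTag: [tag dataUsingEncoding:NSUTF8StringEncoding],
            (id)kSecAttrAccessControl:  (__bridge id)access,
        },
    };
    SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attrs, error);
    CFRelease(access);
    return key;
}

// Approach 1 from the thread: no query API exists, so try to create a throwaway
// (non-permanent) enclave key and treat errSecUnimplemented (-4) as "no Secure Enclave".
static BOOL SecureEnclaveAvailable(void) {
    CFErrorRef err = NULL;
    SecKeyRef probe = CreateEnclaveKey(@"com.example.enclave-probe", NO, &err);
    if (probe) { CFRelease(probe); return YES; }
    if (err) {
        if (CFErrorGetCode(err) == errSecUnimplemented)
            fprintf(stderr, "Secure Enclave not available (errSecUnimplemented)\n");
        CFRelease(err);
    }
    return NO;
}

// Approach 2 from the thread: every Apple device with Touch ID/Face ID has an enclave.
// (Heuristic only: a machine can have an enclave without biometrics enrolled.)
static BOOL HasBiometrics(void) {
    NSError *err = nil;
    return [[LAContext new] canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                                        error:&err];
}

// ECDSA over SHA-256 of the message, performed inside the enclave.
static NSData *SignWithEnclaveKey(SecKeyRef priv, NSData *msg, CFErrorRef *error) {
    return CFBridgingRelease(SecKeyCreateSignature(
        priv, kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
        (__bridge CFDataRef)msg, error));
}

static BOOL VerifyWithPublicKey(SecKeyRef priv, NSData *msg, NSData *sig) {
    SecKeyRef pub = SecKeyCopyPublicKey(priv);   // the public half is exportable
    if (!pub) return NO;
    CFErrorRef err = NULL;
    BOOL ok = SecKeyVerifySignature(pub, kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
                                    (__bridge CFDataRef)msg, (__bridge CFDataRef)sig, &err);
    if (err) CFRelease(err);
    CFRelease(pub);
    return ok;
}

int main(void) {
    @autoreleasepool {
        printf("biometrics: %s\n", HasBiometrics() ? "yes" : "no");
        if (!SecureEnclaveAvailable()) {
            fprintf(stderr, "falling back to the regular keychain\n");
            return 1;
        }
        CFErrorRef err = NULL;
        SecKeyRef key = CreateEnclaveKey(kDemoTag, YES, &err);
        if (!key) { NSLog(@"key creation failed: %@", err); return 1; }

        // The thread's point: there is no way to get private key material out of the enclave.
        CFDataRef raw = SecKeyCopyExternalRepresentation(key, &err);
        printf("private key export %s\n", raw ? "succeeded (unexpected)" : "refused");
        if (raw) CFRelease(raw);
        if (err) { CFRelease(err); err = NULL; }

        // Constructed sample input; the signature is the only thing that leaves the enclave.
        NSData *msg = [@"constructed sample message" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *sig = SignWithEnclaveKey(key, msg, &err);
        if (!sig) { NSLog(@"signing failed: %@", err); CFRelease(key); return 1; }
        printf("signature %zu bytes, verifies: %s\n",
               (size_t)sig.length, VerifyWithPublicKey(key, msg, sig) ? "yes" : "no");
        CFRelease(key);
    }
    return 0;
}
```

The probe key is created with kSecAttrIsPermanent set to NO so the availability check leaves nothing behind in the keychain. Note that this shape of API is what the "can't import preexisting keys" constraint forces on a keytar-style wrapper: instead of setPassword(service, account, secret) there is only "create a key under this tag" plus "sign/decrypt with the key under this tag", and a keytar caller on Windows or Linux would need the no-op or thrown-error behaviour discussed above.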

It would be great if this feature were supported by node-keytar; here is some work from keeweb regarding it:

https://github.com/antelle/node-secure-enclave

sk91 avatar Feb 17 '21 21:02 sk91