SSH Key Manager
Generate, copy, and delete the Secure Enclave SSH key on this iPhone.
Where it lives
vmuxPhone manages a single device key — an SSH key whose private half lives in the iPhone's Secure Enclave hardware. The key manager is on the host list under Security → Device Key. Tap the row to open the Device Key screen.
This key is the basis for Device Key authentication on saved hosts. When a host is configured to use Device Key, vmuxPhone signs the SSH challenge with this key and asks for Face ID once per signing operation. The private key never leaves the Secure Enclave; iOS does not provide an API to extract it, even with biometric approval.
Status block
The top of the screen shows one of two states:
| Status | Meaning |
|---|---|
| Device key is ready with a green seal | A Secure Enclave key exists on this iPhone and is usable. |
| No device key yet with a gray slash icon | No key has been generated yet. Device Key authentication will not work until you create one. |
Below the status, a footnote reminds you: The SSH private key stays on this iPhone and never leaves Secure Enclave.
Generate a key
Tap the prominent action button. Its label changes based on whether a key already exists:
- Generate Device Key — creates a new P-256 key inside the Secure Enclave, marked for SSH signing. iOS may show a Face ID prompt to authorize key creation. The new key's public half appears in the Public Key section as soon as creation succeeds.
- Refresh Key — re-reads the existing key's public half. Use this if the Public Key section is empty after a restore or a freshly installed build.
Generating a key for the first time is fast — typically under a second on modern iPhones. The status block flips to Device key is ready and the Public Key section appears.
View and copy the public key
Once a key exists, the Public Key section shows the OpenSSH-format public key in a monospace font. The full line is selectable — long-press to use the system selection menu — and a Copy Public Key button copies the entire line to the clipboard with one tap.
The public key is safe to share. It is the line you paste into ~/.ssh/authorized_keys on the server you want to authenticate to. The format looks like this:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAB...= vmux@iPhone
Different iPhones produce different public keys. There is one Secure Enclave key per device.
Authorize the key on a remote host
The standard pattern:
- Tap Copy Public Key on this screen.
- Open a session to the target host using password auth (or any other working method).
- Append the key to ~/.ssh/authorized_keys. The conservative way:
      mkdir -p ~/.ssh
      chmod 700 ~/.ssh
      cat >> ~/.ssh/authorized_keys
  Paste, hit Return, then Ctrl+D to terminate the input. Verify with tail ~/.ssh/authorized_keys.
- On vmuxPhone, edit the host and switch Method to Device Key. Save.
- Reconnect. The first signing prompt asks for Face ID; approve it.
After the first connect, iOS may bundle a few signing operations together so that you only see one Face ID prompt per session attempt. The exact prompt count is up to iOS — there is no setting that increases or decreases it.
Delete the device key
The Delete Device Key button removes the key from the Secure Enclave. It is only enabled when a key exists. iOS confirms the deletion via Face ID, after which:
- The status block flips back to No device key yet.
- Every saved host configured to use Device Key will fail to authenticate until you generate a new key and re-authorize it on the server.
- The old public key in ~/.ssh/authorized_keys is now orphaned. Remove it on every server it was added to — it cannot sign anything any more, but cleaning up keeps the file tidy.
There is currently no way to recover a deleted device key. The Secure Enclave does not back up keys to iCloud, and iOS does not support extracting one even before deletion.
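The append step from "Authorize the key on a remote host" and the orphaned-entry cleanup described above, as an added shell example to run on the server (not vmuxPhone code). The function names are hypothetical, and the key check is structural only: it confirms a single unwrapped ecdsa-sha2-nistp256 line, not that the blob is a valid curve point.

```shell
#!/bin/sh
# Added example, not vmuxPhone code. Function names are hypothetical.
# Base64 header of ecdsa-sha2-nistp256 blobs, as shown in the page's sample key.
P256_PREFIX='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAB'

# key_blob LINE: print the base64 blob if LINE is one unwrapped P-256 key line.
key_blob() {
  printf '%s\n' "$1" | awk -v p="$P256_PREFIX" '
    NR > 1 { bad = 1 }                  # a wrapped paste arrives as 2+ lines
    NR == 1 && $1 == "ecdsa-sha2-nistp256" && index($2, p) == 1 &&
      $2 !~ "[^A-Za-z0-9+/=]" { blob = $2 }
    END { if (bad || blob == "") exit 1; print blob }'
}

# has_key FILE BLOB: succeed if any line of FILE carries BLOB as a whole field.
# Matching on the blob, not the trailing comment, because comments are free text.
has_key() {
  awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
                 END { exit !hit }' "$1"
}

# authorize_key LINE [SSH_DIR]: validate, set 0700/0600, append the key once.
authorize_key() {
  ak_dir=${2:-$HOME/.ssh}
  ak_file=$ak_dir/authorized_keys
  ak_blob=$(key_blob "$1") || return 1
  mkdir -p "$ak_dir" && chmod 700 "$ak_dir" || return 1
  touch "$ak_file" && chmod 600 "$ak_file" || return 1
  if has_key "$ak_file" "$ak_blob"; then return 0; fi   # already authorized
  # Without a final newline the new key would fuse onto the last entry.
  if [ -s "$ak_file" ] && [ -n "$(tail -c 1 "$ak_file")" ]; then echo >> "$ak_file"; fi
  printf '%s\n' "$1" >> "$ak_file"
}

# revoke_key LINE [SSH_DIR]: remove every entry with that blob.
# Returns 0 when removed, 2 when the key was not present, 1 on a bad key line.
revoke_key() {
  rk_file=${2:-$HOME/.ssh}/authorized_keys
  rk_blob=$(key_blob "$1") || return 1
  has_key "$rk_file" "$rk_blob" || return 2
  rk_tmp=$(mktemp "$rk_file.XXXXXX") || return 1        # created with mode 0600
  awk -v b="$rk_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
    "$rk_file" > "$rk_tmp" && mv "$rk_tmp" "$rk_file"
}
```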
Refresh after a restore
When you restore an iPhone backup or move to a new iPhone, the device key does not transfer. The Secure Enclave is bound to the physical chip. Open the Device Key screen on the new device — you will see No device key yet. Generate a new one, copy the public key, and append it to ~/.ssh/authorized_keys on every host you used the old key with.
The restored host list still references Device Key auth where you set it. The hosts will fail on the first connect attempt until you authorize the new public key.
Multiple keys
vmuxPhone supports exactly one Secure Enclave key on each iPhone in this release. If you need to use different keys for different hosts (for example, separate prod and dev keys), maintain separate authorized_keys entries on each host and rely on per-host auth methods. A future release may expand the manager to multiple labeled keys.
Verification
To verify that the device key actually works without committing a real connection:
- On vmuxPhone, copy the public key.
- On the remote host, run ssh-keygen -lf <(echo 'PASTE'). The command prints the SHA-256 fingerprint that you can spot-check.
- On the remote host, after appending the key, run ssh-add -L if you have an agent running, or simply check cat ~/.ssh/authorized_keys.
- On vmuxPhone, connect with Device Key auth. Face ID prompts; if you approve and the prompt arrives, the key works.
If the connection fails with Permission denied (publickey), the most common cause is a wrong fingerprint pasted into authorized_keys, or insufficient file permissions (~/.ssh must be 0700, the file 0600, and the user must own both).
Related
- Connecting — picking Device Key in the host editor.
- SSH connections — protocol-level reference.
- Authentication methods — full identity model across the family.
- RemoteSignerPhone — a separate iPhone app for hardware-backed signing on a Mac.