
RemoteSignerPhone

An iPhone app that holds your SSH keys in the Secure Enclave and signs every request with Face ID.

What RemoteSignerPhone is

RemoteSignerPhone turns your iPhone into a hardware SSH key. Private keys are generated inside the iPhone's Secure Enclave and never leave it — not in a backup, not over AirDrop, not into iCloud. When a Mac, an Apple Vision Pro, or any other paired device needs to authenticate to an SSH server, it sends the signing challenge to RemoteSignerPhone over an encrypted local link. The iPhone shows you who is asking, you approve with Face ID or Touch ID, and only then does the Secure Enclave produce a signature. The signature crosses back to the requester, the SSH server verifies it, and the connection completes.

The model is simple: the iPhone is the trust anchor for every SSH connection you make from any of your devices. You can replace the headset, reset the Mac, or buy a new laptop without touching your servers' authorized_keys. As long as you have your iPhone, you keep your SSH keys.

How it fits with vmuxAgent and vmux

RemoteSignerPhone is one half of a pair. The other half is vmuxAgent, a menu bar app for macOS that pretends to be a normal SSH agent on your Mac. Any tool that speaks the OpenSSH agent protocol — ssh, git, Ansible, VS Code Remote — connects to vmuxAgent at ~/.ssh/vmux-agent.sock and gets your iPhone-held keys for free.

When the request is for a signature, vmuxAgent forwards it to RemoteSignerPhone and waits. RemoteSignerPhone is the only place a private key actually lives. A simplified picture:

| Where | What lives there |
| --- | --- |
| Your servers' authorized_keys | Public keys only |
| vmuxAgent on Mac | Public keys cached for advertising; no private keys |
| RemoteSignerPhone on iPhone | Private keys, biometric gate, signature production |
| Apple Secure Enclave inside iPhone | The actual key material — hardware-bound, non-extractable |

vmux on Apple Vision Pro talks to RemoteSignerPhone the same way, just over Multipeer Connectivity directly. See SSH signing with iPhone for the visionOS-side connect flow.
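
Because vmuxAgent speaks the standard OpenSSH agent protocol, you can audit what it advertises before trusting it with a server. The sketch below is an added example, not vmuxAgent or RemoteSignerPhone code: it parses an identities answer, rejects anything that is not a well-formed ecdsa-sha2-nistp256 key, and computes the SHA256 fingerprint to compare against the one shown in the app. The sample key bytes and the "work-fleet" comment are constructed, and it is an assumption that the agent puts the identity label in the comment field.

```python
import base64, hashlib, socket, struct
REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12  # OpenSSH agent protocol message numbers

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)  # struct.error if the length field is cut off
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def p256_fingerprint(blob):
    """Check that blob is a well-formed ecdsa-sha2-nistp256 key; return its SHA256 fingerprint."""
    ktype, off = read_string(blob, 0)
    if ktype != b"ecdsa-sha2-nistp256":
        raise ValueError(f"unexpected key type {ktype!r}")
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    # Structural check only: an uncompressed point is 0x04 || X || Y (65 bytes), nothing trailing.
    if curve != b"nistp256" or len(point) != 65 or point[0] != 4 or off != len(blob):
        raise ValueError("malformed P-256 public key")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_identities(body):
    """Parse an identities answer body into [(comment, fingerprint)]."""
    if not body or body[0] != IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, found = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        found.append((comment.decode("utf-8", "replace"), p256_fingerprint(blob)))
    return found

def list_agent_keys(sock_path):
    """Ask a live agent socket for its identities (needs the agent running)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return parse_identities(f.read(n))

def pack(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample (not a real key): a placeholder point with the right shape.
SAMPLE_BLOB = pack(b"ecdsa-sha2-nistp256") + pack(b"nistp256") + pack(b"\x04" + bytes(range(64)))
SAMPLE_ANSWER = bytes([IDENTITIES_ANSWER]) + struct.pack(">I", 1) + pack(SAMPLE_BLOB) + pack(b"work-fleet")
```

On a Mac with the agent running, `list_agent_keys(os.path.expanduser("~/.ssh/vmux-agent.sock"))` returns the live list; `parse_identities(SAMPLE_ANSWER)` exercises the parser offline.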

Key features

  • Secure Enclave key generation. Keys are ECDSA P-256 (ecdsa-sha2-nistp256), produced inside the Secure Enclave with kSecAttrAccessibleWhenUnlockedThisDeviceOnly and userPresence. There is no API to export the private key; even the OS cannot read it.
  • Biometric per-sign approval. Every signature requires Face ID or Touch ID at the moment the signing happens. There is no "remember for one hour" or auto-approve mode.
  • Multiple identities. Provision as many keys as you need — one per server fleet, one per personal vs. work, one per role. Each identity has its own label, fingerprint, and OpenSSH-format public key string.
  • Encrypted Multipeer Connectivity transport. Pairing with the Mac or headset uses Apple's Multipeer Connectivity with encryptionPreference: .required. There is no plaintext on your local network.
  • APNs wake. When the iPhone is locked or the app is in the background, vmuxAgent on the Mac pokes it awake with a silent push so the iPhone is immediately reachable for a signing prompt — no need to open the app first.
  • Per-request prompts. When a signature request arrives, the iPhone shows the source device name and the destination host before you approve. You see exactly what you are authorizing.
  • Optional SSH certificate issuance. Beyond raw signatures, RemoteSignerPhone can also act as a small SSH CA, issuing time-bounded certificates to other devices in your fleet. This is part of the remote signing story for setups where you want headset-side authentication without per-keystroke prompts.

What you see in the app

The home screen has four sections you will live in:

  • Overview. Total provisioned identities, how many are enabled, and the provider name (Secure Enclave).
  • Remote Signer Transport. Live connection status (Offline, Advertising, Connecting to <peer>, Connected to <peer>), APNs token registration state, and a "Test Notification" button to confirm push permissions.
  • Signers. One row per identity, with its label, fingerprint, OpenSSH key string, and an enabled toggle. Tap a row to open the detail screen for copy, rename, verify, or delete.
  • Provision Signer. The big button at the bottom — same as the plus button in the header. Opens a sheet that creates a new Secure Enclave identity.

There is no separate settings screen. The home screen is the whole app; everything else is a sheet on top of it.

System requirements

| Requirement | Minimum |
| --- | --- |
| iOS | iOS 18 or later |
| Device | iPhone with Secure Enclave (every iPhone since iPhone 5s) |
| Biometrics | Face ID or Touch ID enabled in Settings → Face ID & Passcode / Settings → Touch ID & Passcode |
| Notifications | Notifications permission granted at first launch (used for foreground sign-request banners and APNs wake) |
| Network | Same Wi-Fi or close-range Bluetooth as the device requesting a signature (Multipeer Connectivity) |
| Internet | Required only for APNs delivery — not required for the signing transaction itself |

A device passcode must be set. If you disable the passcode, iOS invalidates the Secure Enclave key on next access and you will have to regenerate. The app will tell you if Secure Enclave is unavailable.

Where to go next

  • Getting started walks you through your first identity, end to end, including Mac pairing.
  • Creating identities covers labels, copying public keys, and when to use multiple keys.
  • Pairing and discovery explains how the iPhone finds the Mac (and the headset) and what each connection state means.
  • Approving signing is the per-request UX: the prompt, biometrics, what approve and deny actually do.
  • Background wake describes the APNs path and what to check if the iPhone never wakes.
  • Security is the threat-model page — what an attacker can and cannot do.
  • Troubleshooting is where to look first when something is wrong.