SSH Key Management

Overview

vmux generates and stores SSH keys in your device's Secure Enclave — a dedicated hardware security chip. Keys never leave the device and can't be exported, giving you hardware-backed passwordless authentication.

The supported key type is ECDSA P-256 (ecdsa-sha2-nistp256).

Generating a Key

Open the SSH Key Manager in the Hosts Window and tap Generate Key. vmux creates a new Secure Enclave key pair and displays the public key.

If a key already exists, opening the SSH Key Manager shows your current public key instead.

Adding Your Key to a Server

Copy the public key from the SSH Key Manager and add it to ~/.ssh/authorized_keys on your remote host:

echo "ecdsa-sha2-nistp256 AAAA...= vmux@YourDevice" >> ~/.ssh/authorized_keys

Make sure the server's sshd_config allows the ecdsa-sha2-nistp256 algorithm. Most modern SSH servers support it by default.

How Authentication Works

When you connect to a host without entering a password, vmux automatically authenticates using your Secure Enclave key. The flow is:

1. Leave the Password field blank in the connection form.
2. vmux signs the authentication challenge using the Secure Enclave.
3. The server verifies the signature against your authorized_keys.
4. You're connected — no password needed.

If the server rejects the key algorithm, you'll see an error suggesting you enable ecdsa-sha2-nistp256 on the server or use password authentication instead.

Key Limits

• One key at a time — Generating a new key replaces the previous one. Update authorized_keys on your servers after regenerating.
• Device-bound — Secure Enclave keys can't be transferred between devices. Each device needs its own key.
• No import — You can't import existing private keys. vmux only uses keys generated in the Secure Enclave.

Troubleshooting