Secure Enclave Keys

What is the “Secure Enclave”?

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When using a Mac or iOS device with a Secure Enclave, Prompt 3 can securely generate a device-specific key that is unable to be exported (or synced via Panic Sync).

When you store a private key in the Secure Enclave you never actually handle the key, making it difficult for the key to become compromised. Instead, the Secure Enclave is instructed to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome. Learn more.

Information about which Apple devices support the Secure Enclave can be found here.

Key Generation

To generate a new Secure Enclave key, open Prompt’s settings/preferences, select the “Keys” section, then choose the option for “Revoke and Regenerate” to create a new key.

Before generating a new key, please keep the following information in mind:

  • Prompt can only store a single key in the Secure Enclave at a time. Generating a second Secure Enclave key will invalidate an existing key currently being stored.
  • Secure Enclave based keys are always generated using the ecdsa-sha2-nistp256 format.
  • By design, keys stored in the Secure Enclave cannot be exported or synced between devices.
  • If a key that was previously stored in the Secure Enclave is removed or invalidated, it cannot be recovered.

After the key pair is generated, the public key can be copied from Prompt’s settings/preferences.


After generating a Secure Enclave key it will appear at the top of the list of keys.

To assign the key, edit the Server, select the key icon, and then choose the option for “Secure Enclave”.

Panic Sync

Saved Servers configured to use Secure Enclave keys can be synced between devices using Panic Sync, however, the keys themselves cannot.

This means that you will need to generate a Secure Enclave key for each device, and then add the public key for each keypair to the destination host.


Some users have reported experiencing authentication issues when using keys stored in the Secure Enclave after migrating their Prompt data to a new device. To resolve the issue, revoking the current key and a new one will be generated automatically.