Secure Enclave.

Apple's on-chip hardware key store. AgePony can create a signing key inside the Secure Enclave so the private key never exists in normal memory and never leaves the device.

// definition

Secure Enclave is a dedicated secure coprocessor in Apple devices that generates and stores private keys in isolated hardware. Apps can request signatures from it without ever seeing the key material.

What it is

When AgePony generates a Secure-Enclave-backed signing key, the private key is created inside the Enclave and is bound to the device. AgePony asks the Enclave to sign; the key bytes never enter the app's address space and cannot be exported.
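
The flow described above, as an added example written against Apple's Security framework (this is not AgePony's own code; the key tag and function names are assumptions made for this illustration):

```swift
import Foundation
import Security

// Hypothetical application tag; AgePony's own key tags are not documented here.
let keyTag = Data("com.example.enclave-demo.signing".utf8)

/// Generate a P-256 signing key whose private half is created inside the Secure Enclave.
/// `.privateKeyUsage` is what tells the Enclave to hold the key; `.biometryCurrentSet`
/// additionally gates each signature behind Face ID / Touch ID and invalidates the key
/// if the enrolled biometrics change.
func makeEnclaveSigningKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,   // excluded from device-to-device backup
        [.privateKeyUsage, .biometryCurrentSet],
        &cfError) else { throw cfError!.takeRetainedValue() }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // generate in the Enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw cfError!.takeRetainedValue()
    }
    return key
}

/// Ask the Enclave to sign `message`; the app only ever handles the returned signature.
func enclaveSign(_ message: Data, with key: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError) else {
        throw cfError!.takeRetainedValue()
    }
    return sig as Data
}

/// The check worth running: an Enclave-resident private key has no exportable representation,
/// so asking for one fails. Returns true when the key is indeed non-exportable.
func isNonExportable(_ key: SecKey) -> Bool {
    var cfError: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(key, &cfError) == nil
}

let key = try makeEnclaveSigningKey()
let signature = try enclaveSign(Data("file manifest".utf8), with: key)   // constructed input
precondition(isNonExportable(key), "an Enclave key must never be exportable")
```

Run this on a physical device: the Secure Enclave is hardware, and the public half for verification comes from `SecKeyCopyPublicKey(key)`, which is the only part of the key pair that ever leaves the Enclave.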

Why it matters

It gives you hardware-grade key protection with no extra device to carry. The signing key is gated behind the Enclave and, if you enable it, Face ID or Touch ID. The Android counterpart is the hardware-backed Android Keystore / StrongBox.

// in AgePony

On iOS, AgePony can store a signing identity in the Secure Enclave; on Android, the equivalent is the hardware-backed Keystore. Either way the private key cannot be extracted from the device.

Common questions.

Can I move an Enclave key to another phone?

No — that is the point. Enclave keys are non-exportable and device-bound. Keep a separate published identity if you need portability.

Is there an Android equivalent?

Yes, the hardware-backed Android Keystore, with StrongBox on supported devices.

Get AgePony

Free file encryption for iOS and Android. No accounts, no tracking, no servers.