SSH
Derives an Ed25519 authentication key and serves it through Passeport’s native SSH agent.
Identity keys for macOS
Passeport derives stable SSH, OpenPGP, age, and minisign keys from a 24-word recovery phrase. The local seed vault can optionally be encrypted with a password. Nothing is synced by Passeport.
Requires macOS 26 or later. Passeport currently follows a 0.x version series.
What it does
Derives an Ed25519 authentication key and serves it through Passeport’s native SSH agent.
Provides signing and encryption keys through either a bundled GNU-free backend or an existing GnuPG installation.
Configures Git to sign commits and tags using SSH or OpenPGP.
Installs passeport-age for public encryption and approval-controlled decryption.
Installs passeport-minisign for seed-derived signing and public verification.
Restores the same derived identity on another Mac using the original 24-word phrase.
How it works
Passeport generates a random 32-byte root seed and represents it for backup as a standard BIP39 mnemonic. The private local vault can optionally be encrypted with a password. Separate key material is derived for each protocol with HKDF-SHA256.
Private operations are performed through the running app. Passeport can ask for confirmation on each operation and lock automatically when the Mac sleeps or becomes idle.
Security model
Passeport is intended to be more recoverable than a collection of unrelated key files. It is not a hardware security key: the seed exists on the Mac and can reconstruct every derived identity.
Get Passeport
Passeport is currently distributed unsigned. macOS will require confirmation before opening it for the first time.