immurok - a wireless fingerprint auth key | Details

IMMUROK is a keychain-sized BLE fingerprint key built around a RISC-V MCU. One touch unlocks your screen, approves sudo, signs SSH, and gates the commands your AI coding agent wants to run. Fully open hardware + firmware.

The problem

Apple's Touch ID is wonderful — and welded shut. It only works on MacBooks and Magic Keyboards. Plug a normal keyboard into a Mac mini, Studio, Pro, or any Intel Mac and biometric auth simply doesn't exist. YubiKeys solve the secret-storage problem but can't unlock your screen, don't do sudo, and need you to find a USB port. And the new wrinkle nobody planned for: AI coding agents now run real commands on real machines — sudo, git push, rm -rf — and there's no good "are you sure?" gate that a human actually has to be present for.

immurok is one small device that fixes all three.

What it does

🔓 Screen unlock — touch to unlock macOS and Linux login

🛡️ sudo / polkit / PAM — fingerprint replaces your password for privilege escalation

🔑 Hardware SSH agent — ECDSA P-256 keys are generated and signed on the device; the private key never touches your disk

🤖 AI-agent gating — wrap an agent's subprocess in imk run --agent --; one touch authorizes sudo + SSH + secret reads for the whole subprocess, and rejecting it sends SIGTERM

🗝️ Encrypted vault — SSH keys, TOTP seeds, and API tokens read out only under a live fingerprint, addressable as imk://ssh/…, imk://otp/…, imk://api/…

💣 Tamper self-wipe — crack the case open and the MCU powers up, sets a tamper flag, and erases the pairing keys and templates — every paired machine is instantly revoked

How it works

The device advertises as a standard BLE HID keyboard — that's the trick that makes the OS keep it connected and lets it "type" your password to defeat the lock screen — while all the real traffic rides a custom, encrypted GATT service alongside it.

Device and app pair with an ECDH P-256 key exchange (runs in under 2 s on the MCU via micro-ecc).
Touch the sensor → device fires an HMAC-SHA256-signed notification over BLE. Every touch is a fresh challenge-response, so nothing can be replayed or spoofed (the big weakness of proximity-only "BLE unlock" tools).
App verifies the signature and performs the action: type the password, answer a PAM challenge, sign an SSH request, or release the queued agent subprocess.

The fingerprint template never leaves the sensor — the R559S matches offline, on-chip. Nothing biometric ever reaches your computer, let alone the cloud.

Under the hood

MCU: WCH CH592F — RISC-V, BLE 5.4, 448 KB flash. Cheap, capable, and not an Apple/Nordic black box.
Sensor: R559S capacitive, 508 DPI (208 × 80 px), sub-500 ms match, up to 5 enrolled fingerprints.
Crypto: HKDF + HMAC-SHA256 message auth · ECDH P-256 pairing · AES-128 + HMAC signed OTA (the bootloader rejects unsigned firmware).
OTA layout: a 4 KB JumpIAP + 12 KB IAP bootloader doing WCH "method one" A/B image swap — fully wireless firmware updates.
Power: LiPo, ~1 month active / ~3 months standby, USB-C charging (no charge LED — average draw is tens of µA).
Form factor: 44 × 44 × 14.2 mm, 38 g — clips onto a keyring.
Radio: Bluetooth SIG Qualified (Receipt R078979 / QDID 179771). FCC certification in progress.

Fully open

Schematics, PCB Gerbers, the C firmware, the macOS app (Swift) and the Linux daemon (Rust) are all open source. Licensed BSL 1.1, auto-converting to Apache 2.0 in March 2030. Audit it, fork it, flash your own builds — trust the math, not the vendor.

Who it's for