credctl uses your laptop's Secure Enclave to create hardware-bound device identities that replace long-lived cloud access keys with short-lived credentials. No plaintext keys on disk. Ever. https://credctl.comhttps://bsky.app/profile/credctl.comhttps://bsky.app/profile/credctl.com/post/3mlqb2rjq5y2nWrote up how the Secure Enclave handles AWS auth: cgo to Apple's Security framework, ECDSA P-256 in hardware, OIDC federation, Touch ID per signing. CFDictionary lifecycle was the most painful part. https://credctl.com/blog/secure-enclave-deep-dive/13 May 2026 12:02 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mlqb2rjq5y2nhttps://bsky.app/profile/credctl.com/post/3mlla4r3oha2yNew post: credctl vs HashiCorp Vault — not a replacement. Vault is a centralised secrets manager. credctl handles laptop-to-cloud auth via hardware-bound keys. You can chain them via Vault's JWT auth method. https://credctl.com/blog/credctl-vs-hashicorp-vault/11 May 2026 12:02 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mlla4r3oha2yhttps://bsky.app/profile/credctl.com/post/3mldopjes4b2oWorking on the team-broker design for credctl. Single-developer use is solved — install CLI, federate, done. Harder problem: a team with policy ("only seniors can assume prod"), audit (who assumed what when), and device fleet management. Most-asked-for feature so far.08 May 2026 12:02 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mldopjes4b2ohttps://bsky.app/profile/credctl.com/post/3ml6nthp3hk2xA design choice that surprised me: AWS, GCP, and Azure all converged on accepting the same OIDC token format. Same JWT, same claims, same JWKS discovery. Different APIs, same wire protocol. One identity, three clouds. The federation interop story is genuinely good.06 May 2026 12:03 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3ml6nthp3hk2xhttps://bsky.app/profile/credctl.com/post/3mkzmwjmlcy27New post: credctl vs aws-vault — when to use each. Honest comparison, including where aws-vault is the better choice (Linux/Windows, AWS SSO, existing setups). Same goal, different security model. https://credctl.com/blog/credctl-vs-aws-vault/04 May 2026 12:03 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mkzmwjmlcy27https://bsky.app/profile/credctl.com/post/3mks3g4arcm2jSpending evenings on TPM 2.0 integration for Linux. Same architecture as Secure Enclave on macOS — generate a non-extractable signing key, sign JWTs, federate to AWS. cgo equivalent: tpm2-tss bindings. Different chip family, same shape of problem.01 May 2026 12:01 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mks3g4arcm2jhttps://bsky.app/profile/credctl.com/post/3mkpky2g5s22qaws-vault solved the plaintext-keys problem in 2014 by encrypting them in the OS keychain. Real improvement — orders of magnitude better than ~/.aws/credentials. Hardware-bound credentials go one step further: the long-lived material lives in a chip that can't export it.30 Apr 2026 12:02 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mkpky2g5s22qhttps://bsky.app/profile/credctl.com/post/3mkkjzejtqc2sSPIFFE works great in Kubernetes. Pods get short-lived JWTs from the cluster's signer, federate to the cloud, never see a long-lived credential. Then you hit a dev laptop with a long-lived IAM key in ~/.aws/credentials. Same person, totally different security posture.28 Apr 2026 12:01 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mkkjzejtqc2shttps://bsky.app/profile/credctl.com/post/3mkhzjl5um52vVercel breach in one line: bearer secrets work from anywhere — which is why "rotate everything" is the only safe response after a platform breach. If they weren't bearer secrets, there'd be nothing to rotate. https://credctl.com/blog/vercel-context-ai-breach/27 Apr 2026 12:01 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mkhzjl5um52vhttps://bsky.app/profile/credctl.com/post/3mk5xpvfhuc2xUnpopular opinion: "just rotate your AWS keys regularly" is not a security strategy. Between rotations, those keys are still in plaintext on disk. Rotation reduces the blast radius window. It doesn't eliminate the attack surface. The real fix is not having long-lived keys at all.23 Apr 2026 12:02 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mk5xpvfhuc2xhttps://bsky.app/profile/credctl.com/post/3mk3h65g3hp2uWorking on multi-cloud credential management. One thing I didn't expect: AWS Roles Anywhere, GCP Workload Identity Federation, and Azure Federated Identity Credentials all accept the same OIDC token format. Different APIs, same underlying pattern. One identity provider can serve all three.22 Apr 2026 12:00 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mk3h65g3hp2uhttps://bsky.app/profile/credctl.com/post/3mjymrs6fia2mInteresting design pattern: OIDC federation lets any service that can produce a signed JWT get short-lived cloud credentials. AWS, GCP, and Azure all support it. Your CI runner uses it. Your Kubernetes pods use it. Your laptop could too — if something signed the JWT with a hardware-bound key.21 Apr 2026 09:03 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjymrs6fia2mhttps://bsky.app/profile/credctl.com/post/3mjwhmbomfu2oThe CircleCI breach (2023): malware on a dev laptop stole a session cookie. The LastPass breach (2022): a dev workstation was compromised. Both started the same way — credentials accessible on a dev machine. We keep building more sophisticated auth systems while leaving plaintext keys on disk.20 Apr 2026 12:25 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjwhmbomfu2ohttps://bsky.app/profile/credctl.com/post/3mjwamx5o2q2pWriting Go for the macOS Secure Enclave means cgo + Apple's Security framework. SecKeyCreateRandomKey to generate keys. SecKeyCreateSignature to sign. The private key never touches Go memory — the Enclave does the crypto internally. Getting the CFDictionary bridging right was... an experience.20 Apr 2026 10:20 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjwamx5o2q2phttps://bsky.app/profile/credctl.com/post/3mjp6sia4cn2tTIL you can set up your own OIDC identity provider for AWS with just two static JSON files on S3 + CloudFront. openid-configuration + a JWKS document. That's it. AWS STS will validate your JWTs against it via AssumeRoleWithWebIdentity. No Cognito, no Auth0, no server.17 Apr 2026 14:59 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjp6sia4cn2thttps://bsky.app/profile/credctl.com/post/3mjjrogtewc2y86% of breaches involve stolen credentials (Verizon DBIR). Most developer laptops have AWS keys sitting in ~/.aws/credentials in plaintext. Meanwhile every Mac since 2016 has a Secure Enclave — a chip that makes keys that physically can't be extracted. The gap between those two facts is wild.15 Apr 2026 11:20 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjjrogtewc2yhttps://bsky.app/profile/credctl.com/post/3mjjo7n2oag25Building credctl — an open-source CLI that replaces the plaintext AWS/GCP keys on your laptop with Secure Enclave-bound credentials. Touch ID instead of ~/.aws/credentials. github.com/credctl/credctl https://github.com/credctl/credctl15 Apr 2026 10:18 +0000at://did:plc:5aestayxamibnrftzzmihpla/app.bsky.feed.post/3mjjo7n2oag25