
Cryptokit
Use this when you are implementing encryption, signatures, or post-quantum crypto in a Swift iOS app with Apple CryptoKit instead of rolling your own protocols.
Install
npx skills add https://github.com/dpearson2699/swift-ios-skills --skill cryptokit
What is this skill?
- HPKE on iOS 17+ with stateful Sender/Recipient, encapsulatedKey plus ciphertext, and AAD semantics
- Discourages hand-rolled ECDH+HKDF+AES-GCM when HPKE is available on supported OS versions
- Post-quantum flow for iOS 26: X-Wing HPKE, ML-KEM, ML-DSA with hardware and size tradeoffs
- Secure Enclave availability caveats for ML-KEM and ML-DSA on supported devices
- Skill evals target common ECDH/HKDF/AES-GCM mistakes and multi-message HPKE ordering
Adoption & trust: 1.2k installs on skills.sh; 713 GitHub stars; 3/3 security scanners passed (skills.sh audits).
Journey fit
Recipient encryption, key exchange, and signing are implemented in app logic and Apple frameworks during product build, before ship hardening. CryptoKit guidance covers server-quality crypto patterns (HPKE, ML-KEM, ML-DSA) in Swift code paths rather than UI or App Store listing work.
Common Questions / FAQ
Is Cryptokit safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
README
SKILL.md - Cryptokit
```json
{
  "skill_name": "cryptokit",
  "evals": [
    {
      "id": 1,
      "name": "hpke-recipient-encryption",
      "prompt": "I need to encrypt a payload in an iOS app for a recipient public key. Please outline the CryptoKit approach and include the Swift details that prevent the common ECDH/HKDF/AES-GCM mistakes.",
      "expected_output": "Recommends HPKE on iOS 17+, shows stateful Sender/Recipient usage, sends encapsulatedKey with ciphertext, uses AAD correctly, and avoids a manual ECDH+HKDF+AEAD protocol unless HPKE is unavailable.",
      "files": [],
      "assertions": [
        "Recommends HPKE instead of hand-rolled ECDH+HKDF+AEAD for recipient public-key encryption when iOS 17+ is available.",
        "Shows or states that HPKE.Sender and HPKE.Recipient are stateful and must be var when sealing or opening.",
        "States that sender.encapsulatedKey must be transmitted alongside the ciphertext.",
        "Mentions AAD/metadata authentication and same-order open semantics for multi-message HPKE."
      ]
    },
    {
      "id": 2,
      "name": "post-quantum-workflow",
      "prompt": "We are targeting iOS 26 and want quantum-secure CryptoKit for a document sharing flow. What APIs should we use for key exchange and signatures, and what availability or Secure Enclave caveats matter?",
      "expected_output": "Covers X-Wing HPKE, ML-KEM, ML-DSA, iOS 26 availability, Secure Enclave ML-KEM/ML-DSA variants on supported hardware, and key/signature size tradeoffs.",
      "files": [],
      "assertions": [
        "Names XWingMLKEM768X25519 or the .XWingMLKEM768X25519_SHA256_AES_GCM_256 HPKE ciphersuite for hybrid quantum-secure public-key encryption.",
        "Names MLKEM768 or MLKEM1024 for key encapsulation and MLDSA65 or MLDSA87 for signatures.",
        "States that SHA-3/post-quantum CryptoKit APIs require iOS 26+ availability checks unless the deployment target is iOS 26+.",
        "Correctly distinguishes classical Secure Enclave P256 support from iOS 26 SecureEnclave.MLKEM and SecureEnclave.MLDSA variants."
      ]
    },
    {
      "id": 3,
      "name": "storage-boundary",
      "prompt": "Please review this design: generate a CryptoKit SymmetricKey, save its bytes in UserDefaults, then use AES-GCM for local file encryption. Should the CryptoKit skill own the whole fix?",
      "expected_output": "Flags UserDefaults key storage as wrong, keeps CryptoKit focused on AES-GCM/nonce/AAD/key material handling, and routes durable secret storage/access-control policy to Keychain or the swift-security domain.",
      "files": [],
      "assertions": [
        "Rejects storing symmetric key material in UserDefaults or normal files.",
        "Keeps CryptoKit guidance focused on AES-GCM, nonce reuse avoidance, AAD, and key material handling.",
        "Routes durable key storage, Keychain queries, biometric/passcode access control, and broader credential lifecycle to Keychain/swift-security guidance.",
        "Mentions encryption export compliance or App Store encryption declaration when app-level encryption is relevant."
      ]
    }
  ]
}
```

# CryptoKit Extended Patterns

Advanced patterns, key serialization, Keychain integration, legacy interop, and additional CryptoKit features beyond the core SKILL.md.

## Contents

- [Key Serialization](#key-serialization)
- [Keychain Storage](#keychain-storage)
- [AES Key Wrapping](#aes-key-wrapping)
- [HKDF Key Derivation](#hkdf-key-derivation)
- [HPKE (Hybrid Public Key Encryption)](#hpke-hybrid-public-key-encryption)
- [Post-Quantum APIs](#post-quantum-apis)
- [Insecure Module](#insecure-module)
- [SealedBox Anatomy](#sealedbox-anatomy)
- [Signing with Digest](#signing-with-digest)
- [Encryption Export Compliance](#encryption-export-compliance)
- [Performance Considerations](#performance-considerations)
- [CommonCrypto Migration](#commoncrypto-migration)

## Key Serialization

NIST curve keys (P256, P384, P521) support multiple serialization formats. Curve25519 keys use raw
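The recipient-encryption flow that eval 1 above checks for, written out as an added example (this is editor-supplied code, not a file from the swift-ios-skills repository). It uses only public CryptoKit HPKE API on iOS 17+: `HPKE.Sender` and `HPKE.Recipient` are declared `var` because `seal` and `open` mutate the internal sequence counter, `sender.encapsulatedKey` travels with the ciphertexts, the AAD carries cleartext metadata (here a chunk index), and the final part shows that opening the second ciphertext first fails. The ciphersuite choice (`Curve25519_SHA256_ChachaPoly`), the `info` string, the `Envelope` type and the sample chunks are assumptions made for the example; on iOS 26 the same shape applies with the X-Wing key type and ciphersuite the page names.

```swift
// Added example, not the skill's own code. Requires iOS 17 / macOS 14 for HPKE.
import CryptoKit
import Foundation

@available(iOS 17.0, macOS 14.0, *)
enum HPKEDemo {
    // Context string bound into the HPKE key schedule; it must match on both
    // sides but is not secret. The value is an assumption for this example.
    static let info = Data("example-app/v1 document-share".utf8)
    // Ciphersuite chosen for the example; any classical CryptoKit suite works
    // the same way, and the X-Wing suite on iOS 26 follows the same pattern.
    static let suite = HPKE.Ciphersuite.Curve25519_SHA256_ChachaPoly

    /// What goes over the wire: the encapsulated key plus every ciphertext with
    /// its AAD, in the order sealed. Without encapsulatedKey the recipient
    /// cannot derive the shared secret at all.
    struct Envelope {
        let encapsulatedKey: Data
        let messages: [(aad: Data, ciphertext: Data)]
    }

    static func encrypt(_ plaintexts: [Data],
                        for recipientPublicKey: Curve25519.KeyAgreement.PublicKey) throws -> Envelope {
        // `var` is required: seal(_:authenticating:) is mutating because it
        // advances the sender's sequence number (the AEAD nonce derives from it).
        var sender = try HPKE.Sender(recipientKey: recipientPublicKey,
                                     ciphersuite: suite, info: info)
        var messages: [(aad: Data, ciphertext: Data)] = []
        for (index, plaintext) in plaintexts.enumerated() {
            // AAD authenticates metadata sent in the clear. Binding the chunk
            // index means a dropped, duplicated or reordered chunk is detected.
            let aad = Data("chunk=\(index)".utf8)
            let ciphertext = try sender.seal(plaintext, authenticating: aad)
            messages.append((aad: aad, ciphertext: ciphertext))
        }
        return Envelope(encapsulatedKey: sender.encapsulatedKey, messages: messages)
    }

    static func decrypt(_ envelope: Envelope,
                        with recipientPrivateKey: Curve25519.KeyAgreement.PrivateKey) throws -> [Data] {
        // Also `var`: open(_:authenticating:) advances the recipient's counter.
        var recipient = try HPKE.Recipient(privateKey: recipientPrivateKey,
                                           ciphersuite: suite, info: info,
                                           encapsulatedKey: envelope.encapsulatedKey)
        // Open in exactly the order the sender sealed; both sides count messages.
        return try envelope.messages.map { try recipient.open($0.ciphertext, authenticating: $0.aad) }
    }
}

@available(iOS 17.0, macOS 14.0, *)
func runHPKEDemo() throws {
    // Constructed sample data: a fresh recipient key pair and two chunks.
    let recipientKey = Curve25519.KeyAgreement.PrivateKey()
    let chunks = ["first chunk", "second chunk"].map { Data($0.utf8) }

    let envelope = try HPKEDemo.encrypt(chunks, for: recipientKey.publicKey)
    let recovered = try HPKEDemo.decrypt(envelope, with: recipientKey)
    precondition(recovered == chunks, "round trip must reproduce the plaintext chunks")

    // Out-of-order open fails: a fresh Recipient starts at sequence 0, but the
    // second ciphertext was sealed at sequence 1, so the AEAD tag does not verify.
    var recipient = try HPKE.Recipient(privateKey: recipientKey,
                                       ciphersuite: HPKEDemo.suite, info: HPKEDemo.info,
                                       encapsulatedKey: envelope.encapsulatedKey)
    do {
        _ = try recipient.open(envelope.messages[1].ciphertext,
                               authenticating: envelope.messages[1].aad)
        preconditionFailure("out-of-order open should have thrown")
    } catch {
        // Expected: CryptoKitError.authenticationFailure.
    }
}
```

The point of the last block is the ordering rule eval 1 asks for: a receiver that persists a `Recipient` across app launches, or that opens chunks as they arrive from an unordered transport, has to reconstruct the same sequence the sender used or the opens fail. Wrapping ECDH + HKDF + AES-GCM by hand gives no such counter and no encapsulation, which is why the skill steers to HPKE where iOS 17+ is available.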
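The storage-boundary design from eval 3 above, as an added example (editor-supplied, not the skill's own code): AES-GCM local file encryption with a fresh random nonce per seal, AAD that binds the ciphertext to the file name and format version, and the key kept in the Keychain rather than UserDefaults. The rejected pattern appears only as a comment. The service and account identifiers, the AAD layout and the `KeyStore` helper are assumptions for the example; access-control policy (biometric or passcode protection) is deliberately left to the Keychain/swift-security guidance the eval routes it to.

```swift
// Added example, not the skill's own code.
import CryptoKit
import Foundation
import Security

enum LocalFileCrypto {
    /// AAD binds the ciphertext to this file's identity and format version, so a
    /// sealed box copied from another file, or an old format, fails to open.
    /// Layout is an assumption for the example.
    static func aad(for fileName: String, version: Int = 1) -> Data {
        Data("file=\(fileName);v=\(version)".utf8)
    }

    static func seal(_ plaintext: Data, fileName: String, key: SymmetricKey) throws -> Data {
        // Fresh random 96-bit nonce on every call. Never reuse a nonce under the
        // same key and never derive it from a counter persisted in UserDefaults:
        // nonce reuse under GCM breaks both confidentiality and integrity.
        let box = try AES.GCM.seal(plaintext, using: key, nonce: AES.GCM.Nonce(),
                                   authenticating: aad(for: fileName))
        // combined = nonce (12) || ciphertext || tag (16); nil only for non-12-byte nonces.
        guard let combined = box.combined else { throw CryptoKitError.incorrectParameterSize }
        return combined
    }

    static func open(_ combined: Data, fileName: String, key: SymmetricKey) throws -> Data {
        let box = try AES.GCM.SealedBox(combined: combined)
        return try AES.GCM.open(box, using: key, authenticating: aad(for: fileName))
    }
}

/// Durable key storage belongs in the Keychain. Rejected design from the eval:
///     UserDefaults.standard.set(rawKeyBytes, forKey: "fileKey")
/// That writes the key to a plist with no data-protection class and carries it
/// into backups. Below is the minimal Keychain round trip instead.
enum KeyStore {
    static let service = "com.example.filecrypto"   // assumed identifier for the example
    enum KeyStoreError: Error { case keychain(OSStatus) }

    static func loadOrCreateKey(account: String) throws -> SymmetricKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecSuccess, let data = item as? Data {
            return SymmetricKey(data: data)
        }
        guard status == errSecItemNotFound else { throw KeyStoreError.keychain(status) }

        // First run: generate a 256-bit key and export its bytes only for the
        // SecItemAdd call, never for a plist or a regular file.
        let key = SymmetricKey(size: .bits256)
        let raw = key.withUnsafeBytes { Data($0) }
        let add: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: raw,
            // Readable only while unlocked, bound to this device, not migrated by backups.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        let addStatus = SecItemAdd(add as CFDictionary, nil)
        guard addStatus == errSecSuccess else { throw KeyStoreError.keychain(addStatus) }
        return key
    }
}

func runFileCryptoDemo() throws {
    let key = try KeyStore.loadOrCreateKey(account: "local-files-v1")
    let contents = Data("constructed sample document".utf8)     // constructed sample input
    let sealed = try LocalFileCrypto.seal(contents, fileName: "notes.txt", key: key)
    precondition(try LocalFileCrypto.open(sealed, fileName: "notes.txt", key: key) == contents)
    // Same bytes presented under a different file name: AAD mismatch, open throws.
    precondition((try? LocalFileCrypto.open(sealed, fileName: "other.txt", key: key)) == nil)
}
```

Because the app now ships its own encryption, the export-compliance point in the eval's last assertion applies: the App Store encryption declaration (ITSAppUsesNonExemptEncryption and any required documentation) must reflect this code path.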