One touch. Unlocked.
The fingerprint key for Mac & Linux.
Screen unlock, sudo, admin prompts, and SSH signing, approved by the finger already on your desk. Built for Mac mini, clamshell MacBooks, mechanical keyboards, and every major Linux distro.
Kickstarter launches August 2026. Waitlist members get the early-bird link first.
Problem
Biometrics on Mac and Linux are fragmented, hardware-locked, or missing.
Millions of developers have no fingerprint option at all.
They just type passwords. Every. Single. Time.
So we built the missing piece: a small wireless fingerprint key that handles unlock, sudo, and SSH. On any Mac, any Linux.
Everything You Need
Built for Security, Performance and Simplicity.
Screen Unlock
Lock screen → touch → unlocked. Works with Mac mini, clamshell MacBooks, and Linux.
SSH & Git signing
Push commits signed with your fingerprint. On-device ECDSA private keys.
sudo & PAM
Replace sudo passwords with a fingerprint touch. Full PAM integration for macOS and Linux.
A month per charge
~40µA standby current, 1+ month of normal use per USB-C charge. The device sleeps until your finger wakes it.
ECDH + HMAC-SHA256
Secure pairing with P-256 key exchange. Every auth response is cryptographically signed.
Source-available app
macOS app and PAM module are public on GitHub (BSL 1.1). Audit it yourself.
One Touch to Approve Your AI Agent
Coding agents want sudo, git push, and your API keys. immurok makes your fingerprint the human-in-the-loop.
$ imk run --agent -- git push origin main
→ waiting for fingerprint…
✓ approved · push proceeding
- The overlay shows the verbatim command the agent wants to run. No summaries, no paraphrase.
- One touch approves sudo, SSH signing, and secret reads for that single subprocess.
- Dismiss the overlay and the command is killed. Walk away from the desk and the agent can't act.
- Secrets are injected into the child process only, so they never enter the agent's transcript.
Works with Every Mac & All Major Linux Distros
Linux distributions
Why Immurok
The only standalone wireless fingerprint authenticator for Mac and Linux.
| Feature |
Kickstarter early-bird
|
Magic Keyboard Touch ID: $199 | USB dongles Various |
|---|---|---|---|
| Mac mini / Mac Studio | |||
| Clamshell mode | |||
| Linux support | |||
| Wireless | |||
| SSH Agent | |||
| sudo / PAM | |||
| Standalone (no keyboard) | |||
| Source-available | |||
| Price | Revealed at launch | $199 | Various |
Security by Design
Your biometric data never leaves the device. No cloud. No account. No telemetry.
Private keys never leave the device
Fingerprint templates and crypto keys are stored on the device. Nothing is transmitted or stored on your computer.
No cloud. No account. No telemetry.
Zero network calls. Zero analytics. Works entirely offline via Bluetooth, no internet required.
ECDH pairing + signed firmware
ECDH P-256 key exchange for secure pairing. OTA firmware updates are cryptographically verified.
Source code ready for audit
macOS app and PAM module are on GitHub under BSL 1.1. Audit it yourself or have your security team review it.
Tech Specs
Built for engineers, by engineers.
Hardware
| Processor | RISC-V @ 60MHz max |
| Connectivity | Bluetooth LE |
| Fingerprint sensor | Capacitive |
| Standby current | ~40µA |
| Recognition time | <500ms |
| Battery | LiPo 110mAh (USB-C) |
| Battery life | 1+ month typical use |
| Dimensions | 44 × 44 × 14.2 mm |
| Weight | ~40g |
Simple, honest pricing
No subscription. No hidden fees. One device, forever.
- ✓ Fully assembled
- ✓ CNC aluminum body
- ✓ Premium anodized finish
- ✓ macOS & Linux app included
- ✓ Free firmware updates
- ✓ Priority support
Kickstarter launches August 2026. Waitlist members get the early-bird link before everyone else.
For Developers
Source-available, well-documented API. Build your own integrations.
Menu bar app + PAM integration
Daemon + PAM integration
PAM module for sudo & login
Full protocol docs for custom clients
FAQ
Is this Apple's Touch ID?
No, and we won't pretend it is. Touch ID is Apple's closed platform, fused to the Secure Enclave. No third party can plug into it. immurok is an independent fingerprint key: sudo and admin prompts go through PAM (a real system mechanism), and screen unlock uses a separately documented helper path. Same one-touch convenience on the desks Apple left behind, with a different mechanism, honestly documented.
Where do my fingerprints live?
On the device, full stop. Templates are stored and matched on the device itself. What crosses Bluetooth is an HMAC-signed “match succeeded” notification, never the fingerprint. Nothing touches your computer's disk, the network, or any cloud.
What happens if I lose it?
Your fingerprints can't be extracted: templates never leave the hardware, and opening the case trips a tamper switch that wipes the pairing data. Unpair the device from the app and whoever finds it is holding a paperweight. The full threat model is in the security writeup.
Is it open source?
It's source-available: the code is on GitHub under BSL 1.1, converting to Apache 2.0 in 2030. You can audit it, patch it, and build and flash your own unit. The only reserved right until conversion is selling competing hardware with it. We'd rather state that precisely than stretch the term.
Why not just use a YubiKey or passkeys?
Different layer. YubiKeys and passkeys prove who you are to websites (FIDO). immurok removes password friction on the machine in front of you: screen unlock, sudo, SSH signing. It also stores TOTP secrets on-device and releases one-time codes only after a fingerprint touch, so your 2FA seeds never sit in a desktop password manager. They coexist nicely. Many of us use both.
Does it need an account or internet?
No cloud, no account, no telemetry. Pairing is direct ECDH over Bluetooth LE between the device and your machine. Everything works offline, and keeps working even if we disappear tomorrow.
When does it ship?
Kickstarter launches August 2026. This isn't a concept: the hardware is on its 6th revision, firmware 1.6.0 is shipping with signed OTA updates, and the first pilot batch of 50 units is built and tested. Waitlist members get the early-bird link first.