What happens if I lose the device?

Fingerprint templates never leave the hardware, and opening the case trips a tamper switch that wipes pairing data. Unpair it from the app and the lost device is useless to whoever finds it.

It's source-available: code is public on GitHub under BSL 1.1, converting to Apache 2.0 in 2030. You can audit, patch, build, and flash your own unit; the only reserved right until conversion is selling competing hardware.

Kickstarter launches August 2026. The hardware is on its 6th revision, firmware 1.6.0 ships with signed OTA updates, and the first pilot batch of 50 units is built and tested.

immurok: Wireless Fingerprint Key for Mac & Linux

Q: Is this Apple's Touch ID?

No. Touch ID is Apple's closed platform fused to the Secure Enclave. immurok is an independent fingerprint key: sudo and admin prompts go through PAM, and screen unlock uses a separately documented helper path.

Q: Where do my fingerprints live?

On the device. Templates are stored and matched on the device itself; only an HMAC-signed match notification crosses Bluetooth. Nothing touches your computer's disk, the network, or any cloud.

Problem

Biometrics on Mac and Linux are fragmented, hardware-locked, or missing.

Millions of developers have no fingerprint option at all.
They just type passwords. Every. Single. Time.

So we built the missing piece: a small wireless fingerprint key that handles unlock, sudo, and SSH. On any Mac, any Linux.

Everything You Need

Built for Security, Performance and Simplicity.

Screen Unlock

Lock screen → touch → unlocked. Works with Mac mini, clamshell MacBooks, and Linux.

SSH & Git signing

Push commits signed with your fingerprint. On-device ECDSA private keys.

sudo & PAM

Replace sudo passwords with a fingerprint touch. Full PAM integration for macOS and Linux.

A month per charge

~40µA standby current, 1+ month of normal use per USB-C charge. The device sleeps until your finger wakes it.

ECDH + HMAC-SHA256

Secure pairing with P-256 key exchange. Every auth response is cryptographically signed.

Source-available app

macOS app and PAM module are public on GitHub (BSL 1.1). Audit it yourself.

One Touch to Approve Your AI Agent

Coding agents want sudo, git push, and your API keys. immurok makes your fingerprint the human-in-the-loop.

An AI agent runs imk run --agent -- sudo systemctl restart and is paused by a fingerprint-authentication-required prompt; works with ChatGPT, Claude, Cursor, and GitHub Copilot

$ imk run --agent -- git push origin main
→ waiting for fingerprint…
✓ approved · push proceeding

The overlay shows the verbatim command the agent wants to run. No summaries, no paraphrase.
One touch approves sudo, SSH signing, and secret reads for that single subprocess.
Dismiss the overlay and the command is killed. Walk away from the desk and the agent can't act.
Secrets are injected into the child process only, so they never enter the agent's transcript.

Read the full design →

Works with Every Mac & All Major Linux Distros

Desktop Macs

MacBook Series

macOS 13.0+

Universal

Ubuntu

Fedora

Arch Linux

Debian

+ All major
Linux distributions

Why Immurok

The only standalone wireless fingerprint authenticator for Mac and Linux.

Feature	Kickstarter early-bird	Magic Keyboard Touch ID: $199	USB dongles Various
Mac mini / Mac Studio
Clamshell mode
Linux support
Wireless
SSH Agent
sudo / PAM		macOS only
Standalone (no keyboard)
Source-available
Price	Revealed at launch	$199	Various

Security by Design

Your biometric data never leaves the device. No cloud. No account. No telemetry.

Private keys never leave the device

Fingerprint templates and crypto keys are stored on the device. Nothing is transmitted or stored on your computer.

No cloud. No account. No telemetry.

Zero network calls. Zero analytics. Works entirely offline via Bluetooth, no internet required.

ECDH pairing + signed firmware

ECDH P-256 key exchange for secure pairing. OTA firmware updates are cryptographically verified.

Source code ready for audit

macOS app and PAM module are on GitHub under BSL 1.1. Audit it yourself or have your security team review it.

Don't trust us. Read the source. →

Tech Specs

Built for engineers, by engineers.

Hardware

Processor	RISC-V @ 60MHz max
Connectivity	Bluetooth LE
Fingerprint sensor	Capacitive
Standby current	~40µA
Recognition time	<500ms
Battery	LiPo 110mAh (USB-C)
Battery life	1+ month typical use
Dimensions	44 × 44 × 14.2 mm
Weight	~40g

Simple, honest pricing

No subscription. No hidden fees. One device, forever.

Silver Edition

TBA

Early-bird price revealed at Kickstarter launch. Waitlist locks the lowest tier

✓ Fully assembled
✓ CNC aluminum body
✓ Premium anodized finish
✓ macOS & Linux app included
✓ Free firmware updates
✓ Priority support

Kickstarter launches August 2026. Waitlist members get the early-bird link before everyone else.

For Developers

Source-available, well-documented API. Build your own integrations.

macOS App

Swift

Menu bar app + PAM integration

Linux App

Rust

Daemon + PAM integration

PAM Module

C

PAM module for sudo & login

Device API

BLE GATT

Full protocol docs for custom clients

View on GitHub

FAQ

Is this Apple's Touch ID?

No, and we won't pretend it is. Touch ID is Apple's closed platform, fused to the Secure Enclave. No third party can plug into it. immurok is an independent fingerprint key: sudo and admin prompts go through PAM (a real system mechanism), and screen unlock uses a separately documented helper path. Same one-touch convenience on the desks Apple left behind, with a different mechanism, honestly documented.

Where do my fingerprints live?

On the device, full stop. Templates are stored and matched on the device itself. What crosses Bluetooth is an HMAC-signed “match succeeded” notification, never the fingerprint. Nothing touches your computer's disk, the network, or any cloud.

What happens if I lose it?

Your fingerprints can't be extracted: templates never leave the hardware, and opening the case trips a tamper switch that wipes the pairing data. Unpair the device from the app and whoever finds it is holding a paperweight. The full threat model is in the security writeup.

Is it open source?

It's source-available: the code is on GitHub under BSL 1.1, converting to Apache 2.0 in 2030. You can audit it, patch it, and build and flash your own unit. The only reserved right until conversion is selling competing hardware with it. We'd rather state that precisely than stretch the term.

Why not just use a YubiKey or passkeys?

Different layer. YubiKeys and passkeys prove who you are to websites (FIDO). immurok removes password friction on the machine in front of you: screen unlock, sudo, SSH signing. It also stores TOTP secrets on-device and releases one-time codes only after a fingerprint touch, so your 2FA seeds never sit in a desktop password manager. They coexist nicely. Many of us use both.

Does it need an account or internet?

No cloud, no account, no telemetry. Pairing is direct ECDH over Bluetooth LE between the device and your machine. Everything works offline, and keeps working even if we disappear tomorrow.

When does it ship?

Kickstarter launches August 2026. This isn't a concept: the hardware is on its 6th revision, firmware 1.6.0 is shipping with signed OTA updates, and the first pilot batch of 50 units is built and tested. Waitlist members get the early-bird link first.

One touch. Unlocked.The fingerprint key for Mac & Linux.