I've always thought YubiKeys are expensive and too easy to lose or forget, so many thanks @Foxboron for ssh-tpm-agent ! I already had per-laptop #ssh keys, now they're sealed with its Trusted Platform Module (and a much shorter pass)👌
Install instructions: https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
Presented at FOSDEM'25: https://archive.fosdem.org/2025/schedule/event/fosdem-2025-5544-hardware-backed-ssh-keys-ssh-tpm-agent/
Access rights tweaked with the help of https://fosdem.org/2026/events/attachments/ARFTHB-tpms_and_the_linux_kernel_unlocking_a_better_path_to_hardware_security/slides/267448/ignat-tpm_ornb8fs.pdf
poke #selfhosted
Store ssh keys inside the TPM: ssh-tpm-agent
After writing age-plugin-tpm, a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM-sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has an ssh-agent protocol implementation”, followed up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.