Generating and storing #SSH keys inside the #TPM (Trusted Platform Module)

https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/

It works, at least on a Thinkpad X1 and Debian 12. I'm not sure I'd actually prefer that to something more portable such as a Yubikey.

I'm interested in hearing your feedback, and whether you actually use the TPM (and what for).

Store ssh keys inside the TPM: ssh-tpm-agent

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.

Morten Linderud
@jpmens doesn't TPM access require root privileges? Is there a user-friendly way to use it as an ordinary user?

@pemensik from [1] I learned to `usermod -G tss $USER`

[1] https://jade.fyi/blog/tpm-ssh/

Using a TPM 2.0 to secure ssh keys
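The group-membership tip above is the usual way to reach the TPM without root: the tpm2-tss udev rules give the resource-manager device to a dedicated group. The script below is an added example for this thread, not something from either linked post or from ssh-tpm-agent. It checks, without needing root, whether the current user can actually open the device: the device path `/dev/tpmrm0`, group `tss` and mode `0660` are assumptions that match common Linux packaging and can be overridden through the environment. When the user is missing from the group it prints the append form, `usermod -a -G`, so the user's existing supplementary groups are kept.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the current user can
# talk to the TPM resource manager without root. Device path, group name and
# expected mode are assumptions taken from common tpm2-tss udev rules.

TPM_DEV="${TPM_DEV:-/dev/tpmrm0}"
TPM_GROUP="${TPM_GROUP:-tss}"

# in_group GROUP "GROUPLIST": succeed if GROUP appears in the space-separated
# GROUPLIST (the format `id -nG` prints).
in_group() {
    _needle="$1"
    for _g in $2; do
        [ "$_g" = "$_needle" ] && return 0
    done
    return 1
}

# device_group_rw MODE: succeed if the octal MODE (as printed by `stat -c %a`,
# e.g. "660") grants the owning group both read and write. A TPM client needs
# both to submit commands and read responses.
device_group_rw() {
    # Group permissions are the second digit from the right.
    _grp_digit=$(printf '%s' "$1" | sed 's/.*\(.\).$/\1/')
    case "$_grp_digit" in
        6|7) return 0 ;;   # r+w or r+w+x
        *)   return 1 ;;
    esac
}

# tpm_access_status "USER_GROUPS" DEVICE_GROUP DEVICE_MODE
# Prints exactly one of: ok, not-in-group, device-not-group-rw.
# Checking the device mode first matters: being in the group helps nothing
# if the node is 0600 root-only.
tpm_access_status() {
    if ! device_group_rw "$3"; then
        echo "device-not-group-rw"
        return 1
    fi
    if ! in_group "$2" "$1"; then
        echo "not-in-group"
        return 1
    fi
    echo "ok"
}

# Live check against the real device (GNU stat, Linux).
main() {
    if [ ! -e "$TPM_DEV" ]; then
        echo "$TPM_DEV not present (no TPM, or the kernel driver is not loaded)"
        return 1
    fi
    dev_group=$(stat -c %G "$TPM_DEV")
    dev_mode=$(stat -c %a "$TPM_DEV")
    status=$(tpm_access_status "$(id -nG)" "$dev_group" "$dev_mode")
    echo "$TPM_DEV: group=$dev_group mode=$dev_mode -> $status"
    case "$status" in
        not-in-group)
            # -a appends; without it usermod replaces the supplementary groups.
            echo "fix: sudo usermod -a -G $dev_group $(id -un)   # then log in again"
            ;;
        device-not-group-rw)
            echo "fix: check the tpm2-tss udev rule for $TPM_DEV (expected 0660, group $TPM_GROUP)"
            ;;
    esac
}

main || true
```

Run it as the user who will start ssh-tpm-agent; a fresh login (or `newgrp tss`) is needed after the group change before the agent can open the device.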

@jpmens Interesting. Is there a limit on the number of keys I can store in my TPM 2.0 chip? I think I would like a local root service a bit more, talking over a unix domain socket to local users. But nobody has written anything similar and I won't have time to do that myself soon. I found out about half a year ago that practical use of the TPM on Linux is very sparsely documented for mere mortals.
How many keys can I store inside a laptop's TPM? Is there a limit? I have hundre... | Hacker News

@jpmens I wish systemd-credentials were somehow merged with this usage style. So I can have as many keys for as many users on the local system as I like, but encrypted by some key stored in the TPM.

That information is great, but in a very obscure domain. I think it deserves a text file in the actual packages providing such functionality.