Generating and storing #SSH keys inside the #TPM (Trusted Platform Module)

https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/

It works, at least on a Thinkpad X1 and Debian 12. I'm not sure I'd actually prefer that to something more portable such as a Yubikey.

I'm interested in hearing your feedback, and whether you actually use the TPM (and what for).

Store ssh keys inside the TPM: ssh-tpm-agent

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has an ssh-agent protocol implementation”, followed up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.

Morten Linderud
@jpmens What if your motherboard fails to restart? Keys are linked to it and non-extractable before an eventual problem, right?
If that is the case, portable and duplicable Yubikeys have my favor.