Mastodawn

Generating and storing #SSH keys inside the #TPM (Trusted Platform Module)

https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/

It works, at least on a Thinkpad X1 and Debian 12. I'm not sure I'd actually prefer that to something more portable such as a Yubikey.

I'm interested in hearing your feedback, and whether you actually use the TPM (and what for).

Store ssh keys inside the TPM: ssh-tpm-agent

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.

Morten Linderud

Show thread

JP Mens 3d ago

`ssh host whoami` takes just over 1 second longer when using a TPM-backed SSH key than when using the same key algorithm in a file on the file system.

Show thread

DrScriptt

@jpmens I’m not surprised by that.

I suspect that the security trade off warrants it, especially for headless servers to have the private part of the key in hardware that it can’t be extracted from.

Maybe not ideal for interactive use.

But could be better if TPM key didn’t have a passphrase requirement and a local file did require a passphrase.

Assuming corporate security scans all keys and flags any without a passphrase on them.