Put your SSH keys in your TPM chip
2 days ago
- #TPM
- #SSH Security
- #Hardware Security
- SSH private keys can be stored in a TPM chip to enhance security, preventing extraction and keeping keys off the filesystem.
- A TPM is a weaker choice than a portable token such as a YubiKey: the key is bound to one machine, and signing needs no physical touch, so malware running on the host can use the key at will even though it cannot extract it.
- Install tpm2-tools and the related packages (tpm2-pkcs11 supplies tpm2_ptool and the PKCS#11 provider library), then initialise a store in a persistent directory such as ~/.tpm2_pkcs11 and add a token to it.
- Import an existing SSH key by converting it to PEM format (ssh-keygen -p -m PEM) and handing it to tpm2_ptool import; the token's user PIN then protects the key in place of the old passphrase.
- Use the key by pointing tpm2-pkcs11 at the store through its environment variable (TPM2_PKCS11_SO on the page; the library documents it as TPM2_PKCS11_STORE) and configuring SSH to load the PKCS#11 provider, either with ssh -I or PKCS11Provider in ssh_config.
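The procedure above as one script, added here as an example and not taken from the original writeup. It assumes tpm2-tools, tpm2-pkcs11 (for tpm2_ptool) and a resource manager such as tpm2-abrmd are installed, uses the documented TPM2_PKCS11_STORE variable for the store path, and assumes the Debian/Ubuntu location of libtpm2_pkcs11.so; the token label, key label and the pem_is_importable pre-check are this example's own choices. The TPM-touching steps only run when the script is invoked with `run`, so the helper functions can be sourced and checked without hardware.

```bash
#!/usr/bin/env bash
# Added example: import an existing OpenSSH private key into a tpm2-pkcs11
# token and wire it into ssh. Not the article's own script.
# Assumed: tpm2-tools, tpm2-pkcs11 and tpm2-abrmd installed; provider path
# below is the Debian/Ubuntu one and may differ elsewhere.
set -eu

STORE="${TPM2_PKCS11_STORE:-$HOME/.tpm2_pkcs11}"
PKCS11_LIB="${PKCS11_LIB:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"
TOKEN_LABEL="ssh"   # hypothetical label chosen for this example
KEY_LABEL="ssh-key" # hypothetical label chosen for this example

# tpm2_ptool import reads an unencrypted PEM key (PKCS#1 or PKCS#8); the
# default "OPENSSH PRIVATE KEY" container is not accepted. Returns 0 when
# the file looks importable, 1 otherwise.
pem_is_importable() {
  f="$1"
  grep -Eq -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
  ! grep -q 'ENCRYPTED' "$f"
}

# Convert a copy of an OpenSSH key to PEM with the passphrase removed; the
# token's user PIN takes over the passphrase's role after import.
ssh_key_to_pem() {
  src="$1"; dst="$2"
  cp "$src" "$dst"; chmod 600 "$dst"
  ssh-keygen -p -m PEM -N '' -f "$dst" >/dev/null
  pem_is_importable "$dst"
}

# Create the persistent store and a token protected by SO and user PINs.
tpm_store_init() {
  sopin="$1"; userpin="$2"
  mkdir -p "$STORE"
  export TPM2_PKCS11_STORE="$STORE"
  tpm2_ptool init
  tpm2_ptool addtoken --pid=1 --label="$TOKEN_LABEL" --sopin="$sopin" --userpin="$userpin"
}

# Import the PEM key; tpm2-pkcs11 wraps the private half under the TPM's
# primary key, so the plaintext file can be destroyed afterwards.
tpm_import_key() {
  pem="$1"; userpin="$2"
  export TPM2_PKCS11_STORE="$STORE"
  tpm2_ptool import --label="$TOKEN_LABEL" --key-label="$KEY_LABEL" \
    --userpin="$userpin" --privkey="$pem" --algorithm=rsa
  shred -u "$pem"
}

# ssh_config lines that make ssh load the provider for every host.
ssh_config_snippet() {
  printf 'Host *\n    PKCS11Provider %s\n' "$PKCS11_LIB"
}

# Print the public key(s) held by the token for authorized_keys.
tpm_ssh_pubkey() {
  TPM2_PKCS11_STORE="$STORE" ssh-keygen -D "$PKCS11_LIB"
}

if [ "${1:-}" = "run" ]; then
  # usage: ./tpm-ssh.sh run ~/.ssh/id_rsa
  src="${2:-$HOME/.ssh/id_rsa}"
  read -r -s -p "New SO PIN: " sopin; echo
  read -r -s -p "New user PIN: " userpin; echo
  tpm_store_init "$sopin" "$userpin"
  ssh_key_to_pem "$src" "$src.pem"
  tpm_import_key "$src.pem" "$userpin"
  ssh_config_snippet >> "$HOME/.ssh/config"
  tpm_ssh_pubkey
fi
```

After running it, `ssh -I "$PKCS11_LIB" host` (or plain `ssh`, with the snippet appended to ssh_config) prompts for the user PIN instead of a passphrase; the original id_rsa can then be removed once the public key printed by `tpm_ssh_pubkey` is confirmed to work.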