Storing SSH Key in TPM

notes
#fedora #ssh #tpm2

How to SSH with a key that is stored in, and never leaves, a TPM2 chip.

Setup

# Install the tpm2-pkcs11 provider and its tools, then add your user to
# the tss group so it can talk to the TPM without root.
sudo dnf install tpm2-pkcs11 tpm2-pkcs11-tools -y
sudo usermod -a -G tss "$(id -nu)"
# Start a shell with the new group active (or log out and back in).
newgrp tss

Create Key

# Keep the PINs below out of this shell's history file.
unset HISTFILE
# Initialise the tpm2-pkcs11 store with its first primary object (pid 1).
tpm2_ptool init
# Create a token labelled "ssh" under that primary. The user PIN unlocks the
# key for signing, the SO PIN is for recovery. Replace both placeholder values.
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
# Generate a P-256 key inside the TPM; the private half never leaves the chip.
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=ecc256

Export Public Key

# Ask the PKCS#11 provider for the public half of every key in the token.
ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so > ~/.ssh/my-ssh-key_using-tpm2.pub
# Make ssh sign with the TPM-backed key for this host and refuse password
# fallback. This overwrites any existing ~/.ssh/config; use >> to append
# if you already have one.
cat > ~/.ssh/config << EOF
Host server
    PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so
    PasswordAuthentication no
EOF

Put Public Key

# One-time copy using an existing identity key; later logins use the TPM key.
cat ~/.ssh/my-ssh-key_using-tpm2.pub | ssh -i ~/.ssh/my-identity-key user@server "cat >> ~/.ssh/authorized_keys"
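Added example, not code from this note: a small POSIX sh helper that validates what the provider hands to ssh-keygen before the public key is appended to a server's authorized_keys. It assumes the provider path used above; the header constant is the standard ecdsa-sha2-nistp256 public-key wire format, and the sample key in the checks is constructed.

```sh
#!/bin/sh
# Assumed provider path, the same one the note uses (Fedora, x86_64).
PKCS11_PROVIDER="${PKCS11_PROVIDER:-/usr/lib64/pkcs11/libtpm2_pkcs11.so}"

# Every ecdsa-sha2-nistp256 public key blob starts with the same header:
# uint32 len + "ecdsa-sha2-nistp256", uint32 len + "nistp256",
# uint32 len (0x41) + a 65-byte uncompressed point. Base64 of that header:
NISTP256_PREFIX='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBB'
NISTP256_BLOB_LEN=104   # 39 header bytes + 65-byte point

# Check one "ssh-keygen -D" output line (type, base64 blob, optional comment).
# Succeeds only for an ecdsa-sha2-nistp256 key with a well-formed blob,
# i.e. the algorithm chosen with --algorithm=ecc256 in the note.
check_tpm_pubkey_line() {
    keytype=$(printf '%s\n' "$1" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$1" | cut -d' ' -f2)
    [ "$keytype" = "ecdsa-sha2-nistp256" ] || return 1
    case "$blob" in
        "$NISTP256_PREFIX"*) ;;   # inner type/curve names match the outer type
        *) return 1 ;;
    esac
    # A truncated or corrupted blob decodes to the wrong number of bytes.
    n=$(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq "$NISTP256_BLOB_LEN" ]
}

# Check a whole exported file: at least one key, and every key line valid.
check_tpm_pubkey_file() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        check_tpm_pubkey_line "$line" || { echo "bad key line: $line" >&2; return 1; }
        count=$((count + 1))
    done < "$1"
    [ "$count" -ge 1 ]
}

# Live path: export the public half from the TPM token into the given file
# and validate it before it is sent anywhere. Needs the token from the note.
export_tpm_pubkey() {
    ssh-keygen -D "$PKCS11_PROVIDER" > "$1" || return 1
    check_tpm_pubkey_file "$1"
}
```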