Put your SSH keys in your TPM chip

60 points by raymii

Foxboron

A great example why I wrote a simpler tool!

https://github.com/Foxboron/ssh-tpm-agent

Available on Debian, Arch and probably in some copr repo.

tavianator

Nice! Off topic but sbctl is great, thanks for writing it :)
- Foxboron
  
  Off topic but sbctl is great, thanks for writing it :)
  
  Thank you!
5d22b

dictionary attack protection from the TPM allows you to use low entropy PINs instead of passphrases

Is this the big benefit of having a TPM, that one need no longer have long passphrases on keys? (I am looking at building a new computer and was wondering whether I had any reason to buy a TPM.)
- Foxboron
  
  Is this the big benefit of having a TPM, that one need no longer have long passphrases on keys? (I am looking at building a new computer and was wondering whether I had any reason to buy a TPM.)
  
  The largest bennefit is that you need access to the laptop in question to use the signing key. So if you where to get a copy of my signing key and my PIN, you would still be unable to utilize the key. This applies to both OP and my software.
  
  For fun; here is an ssh key to my github account. The pin is 12456
  
  https://gist.github.com/Foxboron/e15fcaa3c497c40c4c8e75130f551e2e
Spots

This looks super nice, but does it work with gcc-go? I'm on a system where golang go is not available.
- Foxboron
  
  This looks super nice, but does it work with gcc-go? I'm on a system where golang go is not available.
  
  I have not tried. I doubt it.
zie

Neat! I use 1password as my password manager, so I just make it store my SSH keys instead, they include the tools to interface with ssh and they Just Work. https://developer.1password.com/docs/ssh/

Not necessarily as secure, for varying definitions of secure, but secure enough for my purposes.

That said, I agree moving away from files on disk is a great idea, and using a TPM is a broader and free solution compared to 1Password.
- trousers
  
  I also use currently 1password (macos). If I ever move away from 1pass (thought about it a few times), I plan to give secretive a try. I've heard good things about it.
  - zie
    
    I used sekey before 1P. I didn't know about Secretive. Looks like it's basically the new and improved version. Thanks! Though 1P family plan means it's unlikely I'll get rid of 1P anytime soon.
- accelbread
  
  I used to use TPM backed ssh keys but they caused me endless pain, from lockouts requiring rebooting to pin input being buggy. I gave up on it and got a yubikey for each of my machines and my ssh keys now use them with FIDO2. Its been a smooth ride and painless. Totally worth the cost of buying the yubikeys.
- fazalmajid
  
  Mac users can use the Secretive app to store their key in the Secure Enclave: https://secretive.dev
  - Foxboron
    
    There is also native support in recent versions.
    
    https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf
- dsp
  
  Comment removed by author
- olliej
  
  I’ve got my Mac set up to keep my commit signing keys in the SEP (or SA? Whichever one is the TPM) which makes commit steps nice. Obviously this isn’t the ssh keys which I probably should have real protection for, but given I only use ssh for git these days the signing requirement provides the guards I need.
- Spots
  
  This is great, thanks! Commenting to remind myself to try this out on my laptop next weekend.