TPM keys and user presence
Damien Miller
djm at mindrot.org
Mon Jul 7 16:35:35 AEST 2025
On Sat, 5 Jul 2025, Martin Paljak wrote:
> > The ssh community has rejected many approaches to TPM based keys, so
> > the easiest way to use them is to use gpg-agent (for any 2.4 and up
> > version of gpg) as the ssh agent backend and then simply use the gpg
> > keytotpm command on keys you want to become only TPM accessible.
>
> Respectfully disagree. You're free to run any ssh-agent, and it makes various hardware elements play along pretty decently (like secretive for mac).
>
> For TPM2, see here:
>
> https://github.com/Foxboron/ssh-tpm-agent
There are also ways to do it via PKCS#11, which lets you use the stock
OpenSSH ssh-agent.
> I'd only recommend going down the GPG path if you're already
> established and invested in the GPG infrastructure/setup, but never
> for beginners.
+1
-d
More information about the openssh-unix-dev
mailing list