Unlocking private key using biometric token
Brian Candler
b.candler at pobox.com
Mon Jun 16 21:57:08 AEST 2025
On 16/06/2025 12:32, Márton Gunyhó wrote:
> This is probably a very naive question, but I am trying to figure out
> if I would be able to unlock my private key using my laptop's
> fingerprint reader instead of typing in the passphrase.
What kind of laptop? I believe this works out-of-the-box using macOS
keychain, but I don't know about Linux / *BSD / Windows.
> Am I asking for nonsense? Is it even possible to use a fingerprint as
> an encryption key, or is it only suitable for matching against a
> stored value (which I guess what PAM is doing)?
A fingerprint is never used as an encryption key. For these sorts of
applications (such as passkeys on your phone), the private key is stored
in a secure enclave, and the secure enclave permits crypto operations
using that key when the appropriate fingerprint or PIN is presented to
it. Hence there's quite a lot of integration required.
For a self-contained solution which is platform-agnostic look at Yubikey
Bio. The readily-available FIDO version should work with SSH using U2F
keys (ecdsa_sk). There's supposed to be a smartcard version too, but I
don't see it for sale on the store.
More information about the openssh-unix-dev
mailing list