Unlocking private key using biometric token

Brian Candler b.candler at pobox.com
Mon Jun 16 21:57:08 AEST 2025


On 16/06/2025 12:32, Márton Gunyhó wrote:
> This is probably a very naive question, but I am trying to figure out 
> if I would be able to unlock my private key using my laptop's 
> fingerprint reader instead of typing in the passphrase.

What kind of laptop? I believe this works out-of-the-box using macOS 
keychain, but I don't know about Linux / *BSD / Windows.


> Am I asking for nonsense? Is it even possible to use a fingerprint as 
> an encryption key, or is it only suitable for matching against a 
> stored value (which I guess what PAM is doing)?

A fingerprint is never used as an encryption key. For these sorts of 
applications (such as passkeys on your phone), the private key is stored 
in a secure enclave, and the secure enclave permits crypto operations 
using that key when the appropriate fingerprint or PIN is presented to 
it. Hence there's quite a lot of integration required.

For a self-contained solution which is platform-agnostic, look at Yubikey 
Bio. The readily-available FIDO version should work with SSH using U2F 
keys (ecdsa_sk). There's supposed to be a smartcard version too, but I 
don't see it for sale on the store.
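The FIDO route Brian points at is what OpenSSH ships as the `ecdsa-sk` / `ed25519-sk` key types (since OpenSSH 8.2), and "the enclave only signs after fingerprint or PIN" is expressed in OpenSSH terms as the `verify-required` flag (OpenSSH 8.4 and later): `ssh-keygen -O verify-required` bakes it into the key, and the same word as an authorized_keys option makes sshd insist on it. The script below is an added example, not code from this thread or from the OpenSSH project. `gen_sk_key` needs a real FIDO2 authenticator and is only defined, not run; the audit functions work on constructed authorized_keys lines (the key blobs are placeholders, not real keys) so the whole thing runs offline.

```shell
#!/bin/sh
# Added example: generate a FIDO-backed SSH key that always requires user
# verification, and audit an authorized_keys file for security-key entries
# that lack the server-side verify-required option.
# Assumes OpenSSH >= 8.4 (ecdsa-sk keys since 8.2, verify-required since 8.4).

# Create a FIDO key whose every signature needs the authenticator's own
# verification (fingerprint on a YubiKey Bio, PIN on other tokens).
# Requires a plugged-in FIDO2 authenticator, so this is never called below.
gen_sk_key() {
    keyfile="${1:-$HOME/.ssh/id_ecdsa_sk}"
    ssh-keygen -t ecdsa-sk -O verify-required -f "$keyfile"
}

# Classify one public-key line (a .pub file or authorized_keys entry):
# prints "fido" for the OpenSSH security-key types, "software" for the
# ordinary host-stored types, and returns 1 if no key type is found.
classify_pubkey_line() {
    for field in $1; do
        case "$field" in
            sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)
                echo fido; return 0 ;;
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
                echo software; return 0 ;;
        esac
    done
    return 1
}

# Succeeds when the authorized_keys options field (everything before the key
# type) contains verify-required, i.e. sshd will demand FIDO user verification.
line_requires_uv() {
    for field in $1; do
        case "$field" in
            sk-*@openssh.com|ssh-*|ecdsa-*) return 1 ;;   # reached the key type
            verify-required|verify-required,*|*,verify-required|*,verify-required,*)
                return 0 ;;
        esac
    done
    return 1
}

# Print one report line per key and return the number of FIDO keys that a
# server would accept with a mere touch (no verify-required option).
audit_authorized_keys() {
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        kind=$(classify_pubkey_line "$line") || { echo "unparseable: $line"; continue; }
        uv=n/a
        if [ "$kind" = fido ]; then
            if line_requires_uv "$line"; then uv=yes; else uv=no; missing=$((missing + 1)); fi
        fi
        printf '%-8s uv-required=%-3s %s\n' "$kind" "$uv" "${line##* }"
    done < "$1"
    return "$missing"
}

# Constructed sample lines; the blobs are placeholders, not valid key material.
SAMPLE_SOFTWARE_LINE='ssh-ed25519 AAAAplaceholderblob laptop-software-key'
SAMPLE_FIDO_LINE='sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholderblob yubikey-touch-only'
SAMPLE_FIDO_UV_LINE='verify-required,from="10.0.0.0/8" sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholderblob yubikey-bio'

# Stand-alone demo: audit a temporary authorized_keys built from the samples.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SOFTWARE_LINE" "$SAMPLE_FIDO_LINE" "$SAMPLE_FIDO_UV_LINE" > "$tmp"
audit_authorized_keys "$tmp" || echo "FIDO keys accepted without user verification: $?"
rm -f "$tmp"
```

Putting `verify-required` in authorized_keys is the server-side half: a key generated without `-O verify-required` still works for touch-only use elsewhere, but this host will reject signatures the authenticator produced without a fingerprint or PIN check.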
