Unlocking private key using biometric token

Brian Candler b.candler at pobox.com
Mon Jun 16 22:28:36 AEST 2025


On 16/06/2025 13:13, Márton Gunyhó wrote:
>> A fingerprint is never used as an encryption key. ... The private key 
>> is stored in a secure enclave, and the secure enclave permits crypto 
>> operations using that key when the appropriate fingerprint or PIN is 
>> presented to it. Hence there's quite a lot of integration required.
> I see, makes sense. I guess OpenSSH doesn't have this integration on 
> Linux?

A quick search suggests that you can use OpenSSH with the private key 
protected by the TPM, e.g.

https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH
https://incenp.org/notes/2020/tpm-based-ssh-key.html

But I don't know if it's possible to enrol the fingerprint reader to the 
TPM, such that a fingerprint could be used to unlock the TPM.


>
>> For a self-contained solution which is platform-agnostic look at 
>> Yubikey Bio. The readily-available FIDO version should work with SSH 
>> using U2F keys (ecdsa_sk).
>
> The Yubikey looks alright, but I would like to use the built-in 
> fingerprint reader. I tried to create a key with ssh-keygen -t 
> ecdsa-sk but that just says "Key enrollment failed: device not found". 

Correct, you need the U2F key connected at the time of creating the 
key.  Each U2F device has a built-in key, which it uses to wrap the 
keying material to form the "key handle".  In this way, a U2F device can 
work with an unlimited number of key pairs, because it doesn't actually 
store the private key anywhere, but they are all specific to that 
particular device.

https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
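To make the key-handle idea above concrete, here is an added illustration that is not from the post, the FIDO specification, or any real authenticator: a toy model in which a device holds one master secret, derives each per-application private key from it on demand, and stores nothing per key. The function names, the HMAC-based construction, and the sample secrets and application identifier are all constructed for this example.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Simplified model of a U2F "key handle": the device keeps one master secret
# and re-derives every per-application private key from (secret, app_id, nonce).
# This is an educational sketch, NOT the algorithm used by any real token.

NONCE_LEN = 32
TAG_LEN = 32


def _derive_private_key(device_secret: bytes, app_id: bytes, nonce: bytes) -> bytes:
    # The "private key" is a deterministic function of the device secret,
    # so it never has to be stored anywhere.
    return hmac.new(device_secret, b"key" + app_id + nonce, hashlib.sha256).digest()


def make_key_handle(device_secret: bytes, app_id: bytes) -> Tuple[bytes, bytes]:
    """Registration: return (key_handle, derived_private_key).

    The handle is a fresh nonce plus a MAC that binds it to this device and
    this application. The relying party stores the handle; the device does not.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(device_secret, b"handle" + app_id + nonce, hashlib.sha256).digest()
    return nonce + tag, _derive_private_key(device_secret, app_id, nonce)


def unwrap_key_handle(device_secret: bytes, app_id: bytes, key_handle: bytes) -> Optional[bytes]:
    """Authentication: re-derive the private key if this handle is ours.

    Returns None when the handle was not produced by this device for this
    app_id, which is why handles are usable only with the token that made them.
    """
    if len(key_handle) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
    expected = hmac.new(device_secret, b"handle" + app_id + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _derive_private_key(device_secret, app_id, nonce)


if __name__ == "__main__":
    device_a = secrets.token_bytes(32)  # constructed: master secret of token A
    device_b = secrets.token_bytes(32)  # constructed: a different token
    app = b"ssh:"                       # constructed application identifier
    handle, priv = make_key_handle(device_a, app)
    assert unwrap_key_handle(device_a, app, handle) == priv       # same token: key regenerated
    assert unwrap_key_handle(device_b, app, handle) is None       # other token: handle unusable
    assert unwrap_key_handle(device_a, b"other", handle) is None  # other app: rejected
    print("key handle model OK")
```

Each registration yields a new nonce, so one device can back an unlimited number of key pairs, and a handle presented to any other device is simply rejected.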
