Unlocking private key using biometric token
Brian Candler
b.candler at pobox.com
Mon Jun 16 22:28:36 AEST 2025
On 16/06/2025 13:13, Márton Gunyhó wrote:
>> A fingerprint is never used as an encryption key. ... The private key
>> is stored in a secure enclave, and the secure enclave permits crypto
>> operations using that key when the appropriate fingerprint or PIN is
>> presented to it. Hence there's quite a lot of integration required.
> I see, makes sense. I guess OpenSSH doesn't have this integration on
> Linux?
A quick search suggests that you can use OpenSSH with the private key
protected by the TPM, e.g.
https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH
https://incenp.org/notes/2020/tpm-based-ssh-key.html
But I don't know if it's possible to enrol the fingerprint reader to the
TPM, such that a fingerprint could be used to unlock the TPM.
>
>> For a self-contained solution which is platform-agnostic look at
>> Yubikey Bio. The readily-available FIDO version should work with SSH
>> using U2F keys (ecdsa_sk).
>
> The Yubikey looks alright, but I would like to use the built-in
> fingerprint reader. I tried to create a key with ssh-keygen -t
> ecdsa-sk but that just says "Key enrollment failed: device not found".
Correct, you need the U2F key connected at the time of creating the
key. Each U2F device has a built-in key, which it uses to wrap the
keying material to form the "key handle". In this way, a U2F device can
work with an unlimited number of key pairs, because it doesn't actually
store the private key anywhere, but they are all specific to that
particular device.
https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
More information about the openssh-unix-dev
mailing list