Unlocking private key using biometric token

Brian Candler b.candler at pobox.com
Tue Jun 17 20:06:12 AEST 2025


On 17/06/2025 11:00, Marco Trevisan wrote:
>> Note that, even if you do the above, the protection the fingerprint
>> provides to your private key material is only as strong as your OS'
>> security. If an attacker is able to elevate privilege then they
>> could steal the key material from the agent without your fingerprint.
> Isn't this true for any kind of privilege escalation when the agent is
> in place?

Yes and no.

Yes, if the private key is stored in the agent, and the agent itself 
performs the crypto operations.

No, if the private key is stored in a secure enclave, which is 
integrated with the fingerprint reader, as with macOS.

In the latter case, (a) the key itself cannot leak, and (b) crypto 
operations are only performed with operator consent. (Gummy bears 
notwithstanding, you still at least need some physical presence.)
