TPM2.0 protected SSH keys cheat-sheet
How to install the packages
For each computer:
sudo apt install libtpm2-pkcs11-tools libtpm2-pkcs11-1
How to enable access for a specific user
As each user who should have access:
sudo usermod -a -G tss "$(id -nu)"
or, if that user can’t use sudo, run as an administrator:
sudo usermod -a -G tss USERNAME
How to initialize the TPM-SSH driver
Run this once on each computer:
tpm2_ptool init
Example output:
action: Created
id: 1
How to create a key
First, add a token:
- The label is recommended to be ssh, but you can use any label you want.
- Choose a userpin, which is the password for the key. You will need to enter this password when using the key.
- Choose a sopin, which is like the administrator password for that token. You will need to enter this password when you need to reset the user password.
I recommend choosing both passwords using a password manager.
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=aefu9Haqua --sopin=be4eeneela1iegh3BeeT9aighohC8k
If successful, this command doesn’t return any output.
Now we can create a key for that token:
You need to use the userpin you chose when adding the token:
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=ecc256
If you need an RSA key (not recommended!), use --algorithm=rsa4096
instead. I do not recommend using RSA keys shorter than 4096 bits!
For a list of potentially supported algorithms (not every TPM supports every elliptic curve, for example), see Which key algorithms does TPM2.0 / tpm2_ptool support?.
On success, this command will show you an output such as:
action: add
private:
CKA_ID: '73982040827406721063241421723261'
public:
CKA_ID: '73982040827406721063241421723261'
How to display the public key
ssh-keygen -D /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1
How to use the key
In ~/.ssh/config, add:
Host myserver
PKCS11Provider /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1
PasswordAuthentication no
After that, you can just run:
ssh myserver
ssh will prompt you for the userpin of the token before it can use the key.
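The whole procedure above, as an added shell script that is not part of the original cheat-sheet: it checks tss group membership and the provider library first, reads both PINs from the terminal rather than hard-coding them, refuses RSA keys shorter than 4096 bits, and reuses the id printed by tpm2_ptool init instead of assuming 1. The tpm2_ptool flags and the provider path are the ones shown above; the function names, the LABEL/ALG variables and the "setup" argument guard are my own additions.

```shell
#!/bin/sh
# Added example, not from the original cheat-sheet. Wraps the steps above in
# checked functions; the 'setup' argument guard and function names are mine.
PROVIDER=/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1   # path shown above
LABEL=${LABEL:-ssh}          # token label recommended above
ALG=${ALG:-ecc256}           # key algorithm, as in the addkey step above

# Refuse what the cheat-sheet advises against: RSA keys shorter than 4096 bits.
tpm_ssh_check_alg() {
    case "$1" in
        ecc*) return 0 ;;
        rsa*) bits=${1#rsa}; [ "$bits" -ge 4096 ] 2>/dev/null ;;
        *) return 1 ;;
    esac
}

# Pull the CKA_ID out of the YAML-style output of 'tpm2_ptool addkey' (stdin).
tpm_ssh_parse_cka_id() {
    sed -n "s/^ *CKA_ID: *'\([0-9A-Fa-f]*\)'.*/\1/p" | head -n 1
}

# Emit the ~/.ssh/config stanza from the "How to use the key" section.
tpm_ssh_config_stanza() {
    printf 'Host %s\n    PKCS11Provider %s\n    PasswordAuthentication no\n' "$1" "$PROVIDER"
}

# Pre-flight checks, then init -> addtoken -> addkey -> show the public key.
tpm_ssh_setup() {
    id -Gn | tr ' ' '\n' | grep -qx tss || { echo "not in group tss (log in again after usermod)" >&2; return 1; }
    [ -r "$PROVIDER" ] || { echo "provider library $PROVIDER not found" >&2; return 1; }
    tpm_ssh_check_alg "$ALG" || { echo "refusing key algorithm $ALG" >&2; return 1; }
    printf 'userpin: '; stty -echo; read -r USERPIN; stty echo; echo
    printf 'sopin: ';   stty -echo; read -r SOPIN;   stty echo; echo
    # 'tpm2_ptool init' prints "id: N"; reuse N as --pid instead of assuming 1.
    PRIMARY_ID=$(tpm2_ptool init | sed -n 's/^id: *//p')
    [ -n "$PRIMARY_ID" ] || { echo "tpm2_ptool init did not return an id" >&2; return 1; }
    tpm2_ptool addtoken --pid="$PRIMARY_ID" --label="$LABEL" --userpin="$USERPIN" --sopin="$SOPIN" || return 1
    CKA_ID=$(tpm2_ptool addkey --label="$LABEL" --userpin="$USERPIN" --algorithm="$ALG" | tpm_ssh_parse_cka_id)
    [ -n "$CKA_ID" ] || { echo "tpm2_ptool addkey did not return a CKA_ID" >&2; return 1; }
    echo "created key with CKA_ID $CKA_ID"
    ssh-keygen -D "$PROVIDER"            # public key to paste into authorized_keys
}

# Only perform the TPM operations when explicitly asked: ./tpm-ssh-setup.sh setup
if [ "${1:-}" = "setup" ]; then tpm_ssh_setup; fi
```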