https://github.com/Foxboron/ssh-tpm-agent
# SSH agent for TPM

`ssh-tpm-agent` is an ssh-agent compatible agent that allows keys to be created by the Trusted Platform Module (TPM) for authentication towards ssh servers.

TPM sealed keys are private keys created inside the Trusted Platform Module (TPM) and sealed in `.tpm` suffixed files. They are bound to the hardware they were produced on and can't be transferred to other machines.

This allows one to utilize a native client instead of having to side-load existing PKCS11 libraries into the ssh-agent and/or ssh client.

## Features

* A working ssh-agent.
* Keys created on the TPM, sealed outside of it.
* PIN support.
* TPM session encryption.

## Experimental

The key format and technical details might change between iterations. Consider this agent experimental.

Instead of utilizing the TPM directly, you can use `--swtpm` or `export SSH_TPM_AGENT_SWTPM=1` to create an identity backed by swtpm, which will be stored under `/var/tmp/ssh-tpm-agent`.

Note that swtpm provides no security properties and should only be used for testing.

## Installation

The simplest way of installing this plugin is by running the following go command.
```sh
go install github.com/Foxboron/ssh-tpm-agent/cmd/...@latest
```

Alternatively, download the pre-built binaries.

## Usage

```sh
# Create key
$ ssh-tpm-keygen
Generating a sealed public/private ecdsa key pair.
Enter file in which to save the key (/home/fox/.ssh/id_ecdsa):
Enter pin (empty for no pin):
Enter same pin again:
Your identification has been saved in /home/fox/.ssh/id_ecdsa.tpm
Your public key has been saved in /home/fox/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564
The key's randomart image is the color of television, tuned to a dead channel.

$ cat /home/fox/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=

# Using the socket
$ ssh-tpm-agent -l /var/tmp/tpm.sock

# Point ssh at the agent socket (two commands: an `export VAR=value cmd` one-liner
# would export a variable named `ssh` instead of running ssh)
$ export SSH_AUTH_SOCK="/var/tmp/tpm.sock"
$ ssh git@github.com
```

## ssh-config

It is possible to use the public keys created by `ssh-tpm-keygen` inside ssh configurations.

The below example uses `ssh-tpm-agent` and also passes the public key to ensure not all identities are leaked from the agent.

```
Host example.com
    IdentityAgent $SSH_AUTH_SOCK

Host *
    IdentityAgent /var/tmp/tpm.sock
    IdentityFile ~/.ssh/id_ecdsa.pub
```

## License

Licensed under the MIT license. See [LICENSE](LICENSE) or http://opensource.org/licenses/MIT
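As an added example (not code from the ssh-tpm-agent project), the following Go check parses the `id_ecdsa.pub` line shown in the Usage section, validates its `ecdsa-sha2-nistp256` wire structure and computes the same `SHA256:` fingerprint that `ssh-tpm-keygen` and `ssh-keygen -l` print, which is a useful step before pinning a `.pub` with `IdentityFile` or pasting it into `authorized_keys`. The function names `wireString` and `ParsePubLine` and the `PubKey` type are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// ExamplePubLine is the id_ecdsa.pub line printed in the Usage section above.
const ExamplePubLine = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g="
// PubKey is a decoded OpenSSH ecdsa-sha2-nistp256 public key line (example type).
type PubKey struct {
	Type, Curve, Fingerprint string
	Point                    []byte // uncompressed SEC1 point: 0x04 || X || Y
}
// wireString splits one SSH wire string (uint32 big-endian length + bytes)
// off the front of b; ok is false when the length prefix overruns the buffer.
func wireString(b []byte) (val, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}
// ParsePubLine parses "<type> <base64 blob> [comment]", rejects truncated blobs
// or a mismatched inner type, and computes the ssh-keygen -l style fingerprint.
func ParsePubLine(line string) (*PubKey, error) {
	outerType, b64, _ := strings.Cut(strings.TrimSpace(line), " ")
	b64, _, _ = strings.Cut(b64, " ") // drop any trailing comment
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	kt, rest, ok1 := wireString(blob)
	curve, rest, ok2 := wireString(rest)
	point, rest, ok3 := wireString(rest)
	switch {
	case !ok1 || !ok2 || !ok3 || len(rest) != 0:
		return nil, fmt.Errorf("truncated or trailing data in key blob")
	case string(kt) != outerType || string(kt) != "ecdsa-sha2-nistp256" || string(curve) != "nistp256":
		return nil, fmt.Errorf("unsupported or mismatched key type %q/%q", kt, curve)
	case len(point) != 65 || point[0] != 0x04:
		return nil, fmt.Errorf("malformed uncompressed P-256 point")
	}
	sum := sha256.Sum256(blob) // fingerprint is SHA256 over the whole wire blob
	return &PubKey{Type: string(kt), Curve: string(curve), Point: point,
		Fingerprint: "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])}, nil
}
```

Run `ParsePubLine` over each line of a `.pub` file and compare the returned `Fingerprint` with what `ssh-tpm-keygen` printed at creation time.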