Hardware backed SSH keys: ssh-tpm-agent

SSH keys are an important part of system administration as they give access to remote systems. While openssh supports the PKCS11 interface, and yubikeys through the sk key types, they introduce challenges such as acquiring additional hardware, or introducing external code into sensitive processes. TPM are widely available hardware devices that allows key creating, signing and encryption operations on a separate hardware, however they do not have native supported by the openssh, and similar projects.

ssh-tpm-agent implements support for TPM wrapped SSH keys through the ssh agent interface. This allows a clear process separation for the keys, while ensuring no new support is required in the openssh project. The agent has support for RSA and ECDSA keys, while also having additional features like host keys, proxy support for additional agents, wrapping of existing keys and import of remotely created keys.

In this talk we will take a look at how the agent works, how the TPM is capable of preventing key extraction, and the other features available in the agent.