Storing SSH keys in TPM (for github and other things)
This is the TLDR version; if you need more detail, follow the links in the sources section below.
- If you are using macOS, you can use Secretive: generate new keys, require a fingerprint whenever a key is used, and store them in the Secure Enclave.
- If you are using Windows, there's nCrypt.
- If you are using Linux it's much more interesting. Install the tpm2-pkcs11 tooling and try adding keys. Note that if you set a user PIN, you will have to enter it every time you push or fetch in VS Code:
sudo apt install libtpm2-pkcs11-tools libtpm2-pkcs11-1
sudo usermod -a -G tss "$(id -nu)"   # double quotes so $(id -nu) expands; log out and back in for the new group to apply
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=my_key --userpin='' --sopin='recovery_password'
tpm2_ptool addkey --label=my_key --userpin='' --algorithm=rsa2048
From here you should update your ~/.ssh/config:
Host github.com
    HostName github.com
    User git
    PKCS11Provider /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1
    ForwardAgent yes
    PasswordAuthentication no
And if you also want commit signing to work (example from a local repo's .git/config):
[user]
    signingkey = ~/.ssh/signing/key.pub
[commit]
    gpgsign = true
    verbose = true
[tag]
    gpgsign = true
[gpg]
    format = ssh
[gpg.ssh]
    allowedSignersFile = ~/.config/git/allowed_signers
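As an added example (not code from the original post), here is a small POSIX shell helper that covers the two gaps between the steps above: getting the public half of a TPM-held key out through the PKCS#11 provider with ssh-keygen -D (the private half never leaves the TPM), so it can be uploaded to GitHub and referenced as user.signingkey, and writing the allowed_signers entry that git reads via gpg.ssh.allowedSignersFile. The provider path, the default file locations and the sample key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helper functions around the
# tpm2-pkcs11 + OpenSSH setup described above. Paths below are assumptions.
set -e

# Provider path as used in the ~/.ssh/config above; override with
# TPM_PKCS11_LIB if your distribution installs it elsewhere (assumption).
PKCS11_LIB="${TPM_PKCS11_LIB:-/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1}"

# Returns 0 if the current login session is in the tss group. The usermod
# step only takes effect after a fresh login, which is a common pitfall.
in_tss_group() {
    id -nG | tr ' ' '\n' | grep -qx tss
}

# Ask OpenSSH to enumerate the public keys held behind the PKCS#11 provider.
# Each output line is "type base64", ready to paste into GitHub.
list_tpm_pubkeys() {
    [ -r "$PKCS11_LIB" ] || { echo "provider not found: $PKCS11_LIB" >&2; return 1; }
    ssh-keygen -D "$PKCS11_LIB"
}

# Turn one OpenSSH public key line ("type base64 [comment]") into an entry
# for git's allowed_signers file:
#   principal namespaces="git" type base64
# The namespaces option restricts the key to git signatures only.
allowed_signers_line() {
    principal=$1
    pubkey_line=$2
    key_type=$(printf '%s\n' "$pubkey_line" | awk '{print $1}')
    key_data=$(printf '%s\n' "$pubkey_line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-*) ;;
        *) echo "unrecognised key type: $key_type" >&2; return 1 ;;
    esac
    [ -n "$key_data" ] || { echo "missing key data" >&2; return 1; }
    printf '%s namespaces="git" %s %s\n' "$principal" "$key_type" "$key_data"
}

# Write the public key to the path named by user.signingkey and append the
# matching allowed_signers entry, so "git log --show-signature" can verify
# your own commits locally. Arguments 3 and 4 default to the paths from the
# .git/config example above (assumption that you kept those paths).
install_signing_key() {
    principal=$1
    pubkey_line=$2
    key_file=${3:-"$HOME/.ssh/signing/key.pub"}
    signers_file=${4:-"$HOME/.config/git/allowed_signers"}
    mkdir -p "$(dirname "$key_file")" "$(dirname "$signers_file")"
    printf '%s\n' "$pubkey_line" > "$key_file"
    allowed_signers_line "$principal" "$pubkey_line" >> "$signers_file"
}

# Typical use, once the tpm2_ptool steps above have been run:
#   in_tss_group || echo "log out and back in first"
#   list_tpm_pubkeys | head -n1 > /tmp/tpm.pub
#   install_signing_key "you@example.com" "$(cat /tmp/tpm.pub)"
```

The principal in allowed_signers must match the committer e-mail git puts in the commit, otherwise verification reports the signature as good but from an unknown signer.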
Sources, lots of them:
- TPM + SSH
- Gentoo TPM+SSH
- GitHub + SSH
- VS Code + SSH
- VS Code and signing
- Signing commits via SSH
- GitHub code signing
- Secretive signing
- TPM basics
Troubleshooting
- GitHub uses the .pub (public) keys for signature verification, not the private keys, so there is no point in trying to generate or protect the public keys securely.
- For some reason GitHub would not accept public keys generated from the TPM. Not sure why.