{"id":17330272,"url":"https://github.com/foxboron/ssh-tpm-agent","last_synced_at":"2026-01-11T22:43:29.568Z","repository":{"id":184317093,"uuid":"671549172","full_name":"Foxboron/ssh-tpm-agent","owner":"Foxboron","description":":computer: :key: ssh-agent for TPMs","archived":false,"fork":false,"pushed_at":"2025-12-26T21:58:16.000Z","size":481,"stargazers_count":551,"open_issues_count":9,"forks_count":32,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-12-28T12:00:13.746Z","etag":null,"topics":["go-tpm","golang","security","ssh","ssh-agent","tpm","tpm2"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Foxboron.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-07-27T15:13:29.000Z","updated_at":"2025-12-28T04:12:52.000Z","dependencies_parsed_at":"2024-02-18T16:27:10.833Z","dependency_job_id":"01b94f10-c204-46f8-8c17-615198c9e616","html_url":"https://github.com/Foxboron/ssh-tpm-agent","commit_stats":null,"previous_names":["foxboron/tpm-ssh-agent","foxboron/ssh-tpm-agent"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/Foxboron/ssh-tpm-agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-agent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fs
sh-tpm-agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Foxboron","download_url":"https://codeload.github.com/Foxboron/ssh-tpm-agent/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-agent/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28326144,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T22:11:01.104Z","status":"ssl_error","status_checked_at":"2026-01-11T22:10:58.990Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go-tpm","golang","security","ssh","ssh-agent","tpm","tpm2"],"created_at":"2024-10-15T14:50:50.400Z","updated_at":"2026-01-11T22:43:29.561Z","avatar_url":"https://github.com/Foxboron.png","language":"Go","readme":"SSH agent for TPM\n=================\n\n`ssh-tpm-agent` is a ssh-agent compatible agent that allows keys to be created\nby the Trusted Platform Module (TPM) for authentication towards ssh servers.\n\nTPM sealed keys are private keys created inside the Trusted Platform Module\n(TPM) and sealed in `.tpm` suffixed files. 
They are bound to the hardware they\nare produced on and can't be transferred to other machines.\n\nThis allows you to utilize a native client instead of having to side load\nexisting PKCS11 libraries into the ssh-agent and/or ssh client.\n\nThe project uses [TPM 2.0 Key Files](https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html)\nimplemented through the [`go-tpm-keyfiles`](https://github.com/Foxboron/go-tpm-keyfiles) project.\n\n# Features\n\n* A working `ssh-agent`.\n* Create shielded ssh keys on the TPM.\n* Creation of remotely wrapped SSH keys for import.\n* PIN support, dictionary attack protection from the TPM allows you to use low entropy PINs instead of passphrases.\n* TPM session encryption.\n* Proxy support towards other `ssh-agent` servers for fallbacks.\n\n# SWTPM support\n\nInstead of utilizing the TPM directly, you can use `--swtpm` or `export\nSSH_TPM_AGENT_SWTPM=1` to create an identity backed by\n[swtpm](https://github.com/stefanberger/swtpm) which will be stored under\n`/var/tmp/ssh-tpm-agent`.\n\nNote that `swtpm` provides no security properties and should only be used for\ntesting.\n\n## Installation\n\nThe simplest way of installing this plugin is by running the following:\n\n```bash\ngo install github.com/foxboron/ssh-tpm-agent/cmd/...@latest\n```\n\nAlternatively download the [pre-built binaries](https://github.com/Foxboron/ssh-tpm-agent/releases).\n\n# Usage\n\n```bash\n# Create key\n$ ssh-tpm-keygen\nGenerating a sealed public/private ecdsa key pair.\nEnter file in which to save the key (/home/fox/.ssh/id_ecdsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in /home/fox/.ssh/id_ecdsa.tpm\nYour public key has been saved in /home/fox/.ssh/id_ecdsa.pub\nThe key fingerprint is:\nSHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564\nThe key's randomart image is the color of television, tuned to a dead channel.\n\n$ cat /home/fox/.ssh/id_ecdsa.pub\necdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=\n\n# Using the socket\n$ ssh-tpm-agent -l /var/tmp/tpm.sock\n\n$ export SSH_AUTH_SOCK=\"$(ssh-tpm-agent --print-socket)\"\n\n$ ssh git@github.com\n```\n\n**Note:** For `ssh-tpm-agent` you can specify the TPM owner password using the\ncommand line flags `-o` or `--owner-password`, which are preferred.\nAlternatively, you can use the environment variable\n`SSH_TPM_AGENT_OWNER_PASSWORD`.\n\n### Import existing key\n\nUseful if you want to back up the key to a remote secure storage while using the key day-to-day from the TPM.\n\n```bash\n# Create a key, or use an existing one\n$ ssh-keygen -t ecdsa -f id_ecdsa\nGenerating public/private ecdsa key pair.\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in id_ecdsa\nYour public key has been saved in id_ecdsa.pub\nThe key fingerprint is:\nSHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvU fox@framework\nThe key's randomart image is:\n+---[ECDSA 256]---+\n|           .+=o..|\n|           o. oo.|\n|          o... .o|\n|       . + ..  ..|\n|        S .   . o|\n|       o * . oo=*|\n|        ..+.oo=+E|\n|        .++o...o=|\n|       .++++. 
.+ |\n+----[SHA256]-----+\n\n# Import the key\n$ ssh-tpm-keygen --import id_ecdsa\nSealing an existing public/private ecdsa key pair.\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in id_ecdsa.tpm\nThe key fingerprint is:\nSHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvU\nThe key's randomart image is the color of television, tuned to a dead channel.\n```\n\n### Install user service\n\nSocket activated services allow you to start `ssh-tpm-agent` when it's needed by your system.\n\n```bash\n# Using the socket\n$ ssh-tpm-agent --install-user-units\nInstalled /home/fox/.config/systemd/user/ssh-tpm-agent.socket\nInstalled /home/fox/.config/systemd/user/ssh-tpm-agent.service\nEnable with: systemctl --user enable --now ssh-tpm-agent.socket\n\n$ systemctl --user enable --now ssh-tpm-agent.socket\n\n$ export SSH_AUTH_SOCK=\"$(ssh-tpm-agent --print-socket)\"\n\n$ ssh git@github.com\n```\n\n\n### Proxy support\n\n```bash\n# Start the usual ssh-agent\n$ eval $(ssh-agent)\n\n# Create a strong RSA key\n$ ssh-keygen -t rsa -b 4096 -f id_rsa -C ssh-agent\n...\nThe key fingerprint is:\nSHA256:zLSeyU/6NKHGEvyZLA866S1jGqwdwdAxRFff8Z2N1i0 ssh-agent\n\n$ ssh-add id_rsa\nIdentity added: id_rsa (ssh-agent)\n\n# Print looonnggg key\n$ ssh-add -L\nssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agent\n\n# Create key on the TPM\n$ ssh-tpm-keygen -C ssh-tpm-agent\nGenerating a sealed public/private ecdsa key pair.\nEnter file in which to save the key (/home/fox/.ssh/id_ecdsa):\nEnter passphrase (empty for no passphrase):\nConfirm passphrase:\nYour identification has been saved in /home/fox/.ssh/id_ecdsa.tpm\nYour public key has been saved in /home/fox/.ssh/id_ecdsa.pub\nThe key fingerprint is:\nSHA256:PoQyuzOpEBLqT+xtP0dnvyBVL6UQTiQeCWN/EXIxPOo\nThe key's randomart image is the color of television, tuned to a dead channel.\n\n# Start ssh-tpm-agent with a proxy socket\n$ ssh-tpm-agent -A \"${SSH_AUTH_SOCK}\" \u0026\n\n$ export 
SSH_AUTH_SOCK=\"$(ssh-tpm-agent --print-socket)\"\n\n# ssh-tpm-agent is proxying the keys from ssh-agent\n$ ssh-add -L\nssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agent\necdsa-sha2-nistp256 AAAAE2VjZHNhLXNo[...]q4whro= ssh-tpm-agent\n```\n\n### ssh-tpm-add\n\n```bash\n$ ssh-tpm-agent --no-load \u0026\n2023/08/12 13:40:50 Listening on /run/user/1000/ssh-tpm-agent.sock\n\n$ export SSH_AUTH_SOCK=\"$(ssh-tpm-agent --print-socket)\"\n\n$ ssh-add -L\nThe agent has no identities.\n\n$ ssh-tpm-add $HOME/.ssh/id_ecdsa.tpm\nIdentity added: /home/user/.ssh/id_ecdsa.tpm\n\n$ ssh-add -L\necdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJCxqisGa9IUNh4Ik3kwihrDouxP7S5Oun2hnzTvFwktszaibJruKLJMxHqVYnNwKD9DegCNwUN1qXCI/UOwaSY= test\n```\n\n### Create and Wrap private key for client machine on remote server\n\nOn the client side, create a primary key under a hierarchy. This example\nwill use the owner hierarchy with an SRK.\n\nThe output file `srk.pem` needs to be transferred to the remote end which\ncreates the key. 
This could be done as part of client provisioning.\n\n```bash\n$ tpm2_createprimary -C o -G ecc -g sha256 -c prim.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -f pem -o srk.pem\n```\n\nOn the remote end we create a p256 ssh key, with no password, and wrap it with\n`ssh-tpm-keygen` with the `srk.pem` from the client side.\n\n```bash\n$ ssh-keygen -t ecdsa -b 256 -N \"\" -f ./ecdsa.key\n# OR with openssl\n$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecdsa.key\n\n# Wrap with ssh-tpm-keygen, using the srk.pem produced on the client\n$ ssh-tpm-keygen --wrap-with srk.pem --wrap ecdsa.key -f wrapped_id_ecdsa\n```\n\nOn the client side we can unwrap `wrapped_id_ecdsa` to a loadable key.\n\n```bash\n$ ssh-tpm-keygen --import ./wrapped_id_ecdsa.tpm -f id_ecdsa.tpm\n$ ssh-tpm-add id_ecdsa.tpm\n```\n\n### ssh-tpm-hostkey\n\n`ssh-tpm-agent` also supports storing host keys inside the TPM.\n\n```bash\n$ sudo ssh-tpm-keygen -A\n2023/09/03 17:03:08 INFO Generating new ECDSA host key\n2023/09/03 17:03:08 INFO Wrote /etc/ssh/ssh_tpm_host_ecdsa_key.tpm\n2023/09/03 17:03:08 INFO Generating new RSA host key\n2023/09/03 17:03:15 INFO Wrote /etc/ssh/ssh_tpm_host_rsa_key.tpm\n\n$ sudo ssh-tpm-hostkeys --install-system-units\nInstalled /usr/lib/systemd/system/ssh-tpm-agent.service\nInstalled /usr/lib/systemd/system/ssh-tpm-agent.socket\nInstalled /usr/lib/systemd/system/ssh-tpm-genkeys.service\nEnable with: systemctl enable --now ssh-tpm-agent.socket\n\n$ sudo ssh-tpm-hostkeys --install-sshd-config\nInstalled /etc/ssh/sshd_config.d/10-ssh-tpm-agent.conf\nRestart sshd: systemd restart sshd\n\n$ systemctl enable --now ssh-tpm-agent.socket\n$ systemctl restart sshd\n\n$ sudo ssh-tpm-hostkeys\necdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= root@framework\nssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDAoMPsv5tEpTDFw34ltkF45dTHAPl4aLu6HigBkNnIzsuWqJxhjN6JK3vaV3eXBzy8/UJxo/R0Ml9/DRzFK8cccdIRT1KQtg8xIikRReZ0usdeqTC+wLpW/KQqgBLZ1PphRINxABWReqlnbtPVBfj6wKlCVNLEuTfzi1oAMj3KXOBDcTTB2UBLcwvTFg6YnbTjrpxY83Y+3QIZNPwYqd7r6k+e/ncUl4zgCvvxhoojGxEM3pjQIaZ0Him0yT6OGmCGFa7XIRKxwBSv9HtyHf5psgI+X5A2NV2JW2xeLhV2K1+UXmKW4aXjBWKSO08lPSWZ6/5jQTGN1Jg3fLQKSe7f root@framework\n\n$ ssh-keyscan -t ecdsa localhost\n# localhost:22 SSH-2.0-OpenSSH_9.4\nlocalhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0=\n```\n\n# ssh-config\n\nIt is possible to use the public keys created by `ssh-tpm-keygen` inside ssh\nconfigurations.\n\nThe below example uses `ssh-tpm-agent` and also passes the public key to ensure\nnot all identities are leaked from the agent.\n\n```sshconfig\nHost example.com\n    IdentityAgent $SSH_AUTH_SOCK\n\nHost *\n    IdentityAgent /run/user/1000/ssh-tpm-agent.sock\n    IdentityFile ~/.ssh/id_ecdsa.pub\n```\n\n## License\n\nLicensed under the MIT license. See [LICENSE](LICENSE) or https://opensource.org/licenses/MIT\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fssh-tpm-agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffoxboron%2Fssh-tpm-agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fssh-tpm-agent/lists"}