Hardware: a TPM 2.0 module based on the Infineon SLB9665 cryptographic processor, available in the system as /dev/tpmrm0.
Required software:
# pacman -S tpm2-tools tpm2-pkcs11
Note: the configuration is lost upon system re-installation. Restoring $HOME/.tpm2_pkcs11 from backup did not help; as a consequence a new key pair has to be generated and all hosts updated with the new public key.
Add the user to the tss group, then log out and back in to activate the change:
# usermod -aG tss user
In order to use the tpm2-pkcs11 library we need to initialize a store, which creates a primary object and maps it to a slot. The store defaults to $HOME/.tpm2_pkcs11:
$ tpm2_ptool init
action: Created
id: 1
To create the store in another location, define the TPM2_PKCS11_STORE environment variable.
Create a token using the primary object id from the previous step and a unique token identifier (label):
$ tpm2_ptool addtoken --pid=1 --label=ssh --sopin='admin-password' --userpin='user-password'
Add the key object under the token:
$ tpm2_ptool addkey --algorithm=rsa2048 --label=ssh --userpin='user-password'
To view all the available algorithms, use
$ tpm2_ptool addkey --help
The following command exports the public key:
$ ssh-keygen -D /usr/lib/pkcs11/libtpm2_pkcs11.so
Log in via SSH; when prompted for the PIN, enter the user PIN defined in the addtoken step:
$ ssh -I /usr/lib/pkcs11/libtpm2_pkcs11.so some.host.name
Enter PIN for 'ssh':
Optionally, add this key to the SSH agent:
$ ssh-add -s /usr/lib/pkcs11/libtpm2_pkcs11.so
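As an added example (not part of the original page), the setup steps above folded into one idempotent POSIX sh script. Assumptions: the default module path, store location and primary object id 1 quoted on the page; the PINs are read from the SOPIN and USERPIN environment variables so they stay out of shell history; the token label and the `run` argument are the script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original page: the setup steps above as one
# idempotent script. Assumed: default module path and store location from the
# page; PINs come from the SOPIN and USERPIN environment variables.
set -e

MODULE=${TPM2_PKCS11_MODULE:-/usr/lib/pkcs11/libtpm2_pkcs11.so}
STORE=${TPM2_PKCS11_STORE:-$HOME/.tpm2_pkcs11}
LABEL=${TOKEN_LABEL:-ssh}   # token label, "ssh" as on the page

# Is group $1 among the space-separated group names in $2 (format of `id -nG`)?
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Does the `ssh-keygen -D` output in $1 contain at least one RSA public key?
# (ssh-keygen -D prints one authorized_keys style line per key on the token.)
has_rsa_pubkey() {
    printf '%s\n' "$1" | grep -q '^ssh-rsa '
}

check_prereqs() {
    [ -c /dev/tpmrm0 ] || { echo "missing TPM resource manager device /dev/tpmrm0" >&2; return 1; }
    in_group tss "$(id -nG)" || { echo "not in group tss (log out and in after usermod)" >&2; return 1; }
    [ -f "$MODULE" ] || { echo "PKCS#11 module $MODULE not found" >&2; return 1; }
}

setup() {
    : "${SOPIN:?set SOPIN in the environment}" "${USERPIN:?set USERPIN in the environment}"
    check_prereqs
    # Initialise the store only once: a second init creates a second primary object.
    [ -d "$STORE" ] || tpm2_ptool init
    # Create token and key only if the module does not already expose a key.
    if ! has_rsa_pubkey "$(ssh-keygen -D "$MODULE" 2>/dev/null || true)"; then
        tpm2_ptool addtoken --pid=1 --label="$LABEL" --sopin="$SOPIN" --userpin="$USERPIN"
        tpm2_ptool addkey --algorithm=rsa2048 --label="$LABEL" --userpin="$USERPIN"
    fi
    # Public key to install in authorized_keys on the remote hosts.
    ssh-keygen -D "$MODULE"
}

if [ "${1:-}" = "run" ]; then
    setup
fi
```

Invoke as `SOPIN=... USERPIN=... ./tpm-ssh-setup.sh run`; re-running it on a configured system only prints the existing public key.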
Other useful management commands. List the tokens under primary object 1:
$ tpm2_ptool listtokens --pid 1
List the objects stored under the ssh token:
$ tpm2_ptool listobjects --label ssh
Remove the ssh token:
$ tpm2_ptool rmtoken --label ssh
Change the user PIN of the ssh token:
$ tpm2_ptool changepin --old 'user-password' --new 'new-user-password' --label ssh