TPM: Difference between revisions
Older revision: imported>Erdnaxe (Add other vendor)
Newer revision: Added instructions for loading TPM2 keys into ssh-agent
Line 28 (unchanged in both revisions):
To tell OpenSSH to use the TPM2 during login, you may add the following line to your <code>~/.ssh/config</code>:

Older revision (changed lines only):
<syntaxhighlight>
</syntaxhighlight>

Newer revision (changed and added lines):
<syntaxhighlight>PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so</syntaxhighlight>To load your ssh key into the running <code>ssh-agent</code>, use <code>ssh-add -s</code>:<syntaxhighlight lang="bash">
ssh-add -s /run/current-system/sw/lib/libtpm2_pkcs11.so
</syntaxhighlight>Note that since OpenSSH 8.9, <code>ssh-agent</code> enforces a PKCS#11 provider whitelist. You may need to start the agent with the <code>-P</code> flag to allow the NixOS library paths:<syntaxhighlight lang="bash">
ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"
</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">
programs.ssh = {
startAgent = true;
agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*,/run/current-system/sw/lib/*";
};
</syntaxhighlight>
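Review bot: the whitelist in the interactive example, `ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"`, is much broader than the one in the configuration.nix example, which limits the agent to `${config.security.tpm2.pkcs11.package}/lib/*`. The `-P` whitelist exists because a PKCS#11 provider is a shared library loaded into the agent process, so a `/nix/store/*/lib/*` glob lets anyone who can reach the agent socket with `ssh-add -s` load any library anywhere in the store, not just the TPM2 module. Suggest using the narrower package path in the `ssh-agent -P` line as well, or stating why the store-wide glob is needed. Minor: `<syntaxhighlight lang="nixos">` should be `lang="nix"`, the lexer name SyntaxHighlight recognizes for Nix expressions.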