Showing posts from November, 2013

TPM chip protecting SSH keys - properly

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need. So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.

Why not Opencryptoki?

It generates at least some keys in software. As I've explained earlier, I want to generate the keys in hardware.

It generates migratable keys. This is hardcoded, and some people obviously want migratable keys (for backup purposes). So a fix would have to involve supporting both. Opencryptoki has no way to send such parameters from the command line key generator to the PKCS11 library. So not only would I have to implement the setting, but the whol...

Should I generate my keys in software or hardware?

A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should apply to other kinds of special hardware that does crypto operations. I'll refer to this hardware as the "device" as the general term, below.

Some background

When describing the Yubikey NEO I'm specifically referring to its public key crypto features that I've previously blogged about, that enable using Yubikey NEO for GPG and SSH, not its OTP generating features.

To generate keys for these devices you have two options. Either you tell the device to generate a key using a built-in random number generator, or generate the key yourself and "import" it to the device. In either case you end up with some handle to the key, so that you command the device to do a crypto operation using the key with a given handl...

TPM chip protecting SSH keys

STOP! There is a better way. This post explains a simpler and more secure way.

Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the meantime, the below works.

Finally, I found out how to use a TPM chip to protect SSH keys. Thanks to Perry Lorier. I'm just going to note down those same steps, but with my notes.

I've written about hardware protecting crypto keys and increasing SSH security before: GPG and SSH with Yubikey NEO, Benchmarking TPM backed SSL, TPM backed SSL, SSH certificates, but this is what I've always been after. With this solution the SSH key cannot be stolen. If someone uses this SSH key that means that the machine with the TPM chip is involved right now. Right now it's not turned off, or disconnected from the network.

Update: you need to delete /var/lib/opencryptoki/tpm/your-username/*.pem, because otherwi...