This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.
I’ve always felt uneasy keeping SSH private keys as plain files in ~/.ssh. If any software has a vulnerability—or worse, if you accidentally run malicious code **(don’t be too confident it can’t happen to you—sometimes a simple typo is all it takes to execute malicious scripts without realizing it)**—those unprotected SSH keys can easily be stolen.
I’ve considered buying a hardware security key, but carrying a physical token everywhere is inconvenient, and given how small they are, especially for someone like me who’s terrible at keeping things organized, they’re easy to lose.
On Android and iOS, apps like Termius can leverage the OS’s built-in Keystore to ensure keys are stored securely in hardware, never leaving the device.
Now that most laptops ship with a TPM (Trusted Platform Module), it should be possible to use Windows' key storage provider (CNG) APIs to keep an SSH private key inside the TPM and authenticate with it from there: the key is generated in the TPM, never exists as a file, and can only be used (not read) through the provider after entering a PIN.
After some research and trial-and-error (it turned out to be trickier than expected—documentation and guides are scarce), I finally got it working. Here’s my setup, documented for future reference.
Prerequisites:
- Windows 10/11 operating system
- Hardware supporting TPM 2.0 (check via tpm.msc; most modern devices support it)
The feature I ended up using is Microsoft's Virtual Smart Card (vSC): a TPM-backed emulation of a physical smart card, protected by a user PIN and the TPM's own anti-hammering lockout. Microsoft has since deprecated vSC and recommends Windows Hello for Business (WHfB) instead, but for a single developer wanting a non-exportable SSH key, WHfB adds unnecessary complexity (an identity provider or domain is needed) compared to vSC. So for now, vSC remains the simpler choice.
For more on virtual smart card security, see Microsoft’s security evaluation guide and technical overview.
Setup Steps:
Run the following command in an elevated PowerShell (tpmvscmgr needs administrator rights) to create a virtual smart card (think of it as a built-in hardware token). You'll be prompted to set a PIN for the virtual smart card; the admin key is randomized and never shown, which is fine for personal use. If creation fails at the attestation step, re-run without the `/attestation` option.

```powershell
tpmvscmgr.exe create /name vSC-SSH-PROD /pin PROMPT /adminkey random /generate /attestation AIK_AND_CERT
```
Run the next command to generate an RSA key pair on the virtual smart card (and therefore inside the TPM) and wrap its public half in a self-signed certificate in your personal certificate store. Replace `<YOUR_NAME_HERE>` with your name. You'll be asked for the card's PIN.

```powershell
New-SelfSignedCertificate -Subject "CN=<YOUR_NAME_HERE>" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Smart Card Key Storage Provider" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddMonths(60)
```
Different TPMs support different cryptographic algorithms and key sizes, so the command may fail on your hardware with a different choice. Mine, for example, doesn't support RSA 4096-bit or Ed25519. RSA 2048-bit is still considered secure enough for now.
You can verify the certificate was created by opening certmgr.msc and checking under Personal > Certificates.

Download and install WinCryptSSHAgent. Once running, you should see your public key under Show Public Keys. (And no, you can't export the private key: nobody, not even you, can access it directly. The TPM only performs signing operations with it after the PIN is entered.)
At this point, copy the public key to your server.
The tool supports popular SSH clients like Git for Windows, PuTTY, and Xshell. Follow the instructions in its README (and consider enabling auto-start on boot), and you're all set for secure authentication.
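The whole procedure above as one script, with two checks the individual commands don't give you: that the private key really lives on the smart card key storage provider and is marked non-exportable, and the OpenSSH `ssh-rsa` line derived directly from the certificate so you can compare it against what the agent shows before pasting it into authorized_keys. This is an added example, not code from the original post or from WinCryptSSHAgent; the card name vSC-SSH-PROD, the subject CN=ssh-tpm and the key comment are my own assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell:
# tpmvscmgr needs administrator rights. Assumed names: card "vSC-SSH-PROD",
# certificate subject "CN=ssh-tpm", 5-year validity.
$CardName = 'vSC-SSH-PROD'
$Subject  = 'CN=ssh-tpm'
$Provider = 'Microsoft Smart Card Key Storage Provider'

# 1. Create the TPM-backed virtual smart card. You are prompted for the user
#    PIN; the admin key is randomised and never shown. If your TPM cannot
#    complete attestation, re-run this line without the /attestation option.
& tpmvscmgr.exe create /name $CardName /pin PROMPT /adminkey random /generate /attestation AIK_AND_CERT
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# 2. Generate the RSA key pair on the card (PIN prompt again) and wrap it in a
#    self-signed certificate so Windows tools and the SSH agent can find it.
$cert = New-SelfSignedCertificate -Subject $Subject -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider $Provider -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddMonths(60)

# 3. Verify where the private key lives. GetRSAPrivateKey is a .NET extension
#    method, so it is called through the static class (PowerShell has no
#    extension-method syntax). The CNG key handle reports its provider and
#    export policy; anything other than the smart card KSP and "None" means
#    the key is not protected the way we intended.
$rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$cngKey  = ([System.Security.Cryptography.RSACng]$rsaPriv).Key
if ($cngKey.Provider.Provider -ne $Provider) {
    throw "Key is on '$($cngKey.Provider.Provider)', not the smart card KSP"
}
if ($cngKey.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None) {
    throw "Key is exportable ($($cngKey.ExportPolicy)); refusing to use it"
}

# 4. Encode the public half as an OpenSSH "ssh-rsa" line. The wire format is
#    RFC 4253: string "ssh-rsa", mpint e, mpint n, each as a big-endian
#    uint32 length followed by the bytes; mpints get a leading 0x00 when the
#    top bit is set so they are read as positive.
function ConvertTo-SshRsaPublicKey {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Comment
    )
    $rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $p = $rsaPub.ExportParameters($false)   # public parameters only; no PIN needed

    $buf = [System.Collections.Generic.List[byte]]::new()
    $add = {
        param([byte[]]$Bytes, [bool]$Mpint)
        if ($Mpint -and ($Bytes[0] -band 0x80)) { $Bytes = [byte[]]((,[byte]0) + $Bytes) }
        $lenBE = [BitConverter]::GetBytes([uint32]$Bytes.Length)
        if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($lenBE) }
        $buf.AddRange($lenBE)
        $buf.AddRange($Bytes)
    }
    & $add ([System.Text.Encoding]::ASCII.GetBytes('ssh-rsa')) $false
    & $add $p.Exponent $true
    & $add $p.Modulus  $true
    "ssh-rsa $([Convert]::ToBase64String($buf.ToArray())) $Comment"
}

$pubLine = ConvertTo-SshRsaPublicKey -Certificate $cert -Comment "$env:USERNAME@$env:COMPUTERNAME-tpm"
$pubLine
# Compare this line with "Show Public Keys" in WinCryptSSHAgent, then append
# it to ~/.ssh/authorized_keys on the server.
```

Step 3 is the check worth keeping even if you run the other commands by hand: a certificate that landed on the default software provider (for example because the provider name was mistyped) looks identical in certmgr.msc and in the agent, but its private key is just a file again.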
Screenshots: the PIN prompt to unlock the vSC, followed by a successful authentication.
That’s it—setup complete. Another long-standing security concern finally resolved.
This article is licensed under the CC BY-NC-SA 4.0 license.
Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/ssh-with-tpm/