STOP! There is a better way.
explains a simpler and more secure way.
Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned.
In the meantime, the steps below work.
Finally, I found out how to use a TPM chip to protect SSH keys.
Thanks to Perry Lorier.
I'm just going to write down those same steps, with my own notes added.
I've written about hardware protecting crypto keys and increasing SSH security before:
but this is what I've always been after.
With this solution the SSH private key cannot be copied off the machine. If someone
authenticates with this SSH key, it means the machine with the TPM chip is involved
right now: at that moment it is powered on and reachable on the network.
Update: you need to delete
because otherwise your keys will be migratable. I'm looking into how to either never generate
these files in the first place, or make them unusable by having the TPM chip reject them. Update to come.