Smartcard Authentication - Secure & Easy

SSH authentication with private keys from a TPM

A Trusted Platform Module (TPM) works much like a Smart Card. The main difference is that a TPM is soldered to your motherboard.

In order to use a TPM for authentication with SSH, two prerequisites must be met:

  1. The TPM must be activated in your BIOS.
  2. At least one virtual Smart Card must be created that uses your TPM as secure storage for private keys.

The following command creates a virtual Smart Card under Windows 10/11 (administrator rights needed):

tpmvscmgr.exe create /name TPM-Card /pin prompt /puk prompt /pinpolicy minlen 6 /adminkey random /generate

The virtual Smart Card will be empty. One way to store a private key in such a Smart Card is to import a PKCS#12 file. However, Windows will import private keys into a Smart Card only if the following values have been set in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:1
"AllowPrivateExchangeKeyImport"=dword:1

Once these values have been set, a PKCS#12 file can be imported with:

certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx cert-plus-key.p12

You will find explanations on the Internet on how to create a PKCS#12 file containing a private key and a self-signed certificate with OpenSSL.
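The three steps above (create the card, allow key import, import the PKCS#12 file) combined into one elevated PowerShell script, as an added example that is not part of the original page. It assumes that cert-plus-key.p12 already exists in the current directory and that the import permissions should be removed again after the import, which restores the default behaviour of the CSP.

```powershell
#Requires -RunAsAdministrator
# Added example: provision a TPM virtual smart card and import a PKCS#12 file into it.
# Assumes .\cert-plus-key.p12 was created beforehand (for example with OpenSSL).
$ErrorActionPreference = 'Stop'

$cspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$importFlags = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'
$pfxFile = '.\cert-plus-key.p12'

if (-not (Test-Path $pfxFile)) { throw "PKCS#12 file not found: $pfxFile" }

# 1. Create the virtual smart card backed by the TPM (PIN and PUK are prompted interactively).
& tpmvscmgr.exe create /name TPM-Card /pin prompt /puk prompt /pinpolicy minlen 6 /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 2. Temporarily allow private-key import into the smart card CSP.
foreach ($name in $importFlags) {
    Set-ItemProperty -Path $cspKey -Name $name -Value 1 -Type DWord
}

try {
    # 3. Import the PKCS#12 file; certutil prompts for the PFX password and the card PIN.
    & certutil -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $pfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }
}
finally {
    # 4. Remove the import permissions again (value absent = import not allowed, the default).
    foreach ($name in $importFlags) {
        Remove-ItemProperty -Path $cspKey -Name $name -ErrorAction SilentlyContinue
    }
}

# 5. Show the card and the key/certificate that is now stored on it.
& certutil -scinfo
```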

Pageant.exe uses only the private key, so you may use whatever certificate you like.

For testing purposes you might use the demo keys from the download area.