I was experimenting with tpm2-pkcs11 for ssh key management. The workflow is well documented, but I stumbled upon some non-obvious ssh config issues.
The initial step is to determine whether your system has a TPM:
#insert
If not, use another hardware security module (HSM) or a smartcard.
If a TPM is available, install the required packages (Fedora/CentOS/RHEL):
dnf install tpm2-pkcs11-tools tpm2-pkcs11
Check your distribution for these or similar packages, or build them from source.
Next, set up the token and key:
tpm2_ptool
...
...
Extract the public key via the tpm2-pkcs11 library (the second form also appends it to an authorized_keys file):
ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so | tee my_key.pub
ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so | tee my_key.pub >> ~/.ssh/authorized_keys
Set up the ssh client config (template, followed by a concrete example):
Host [name of connection]
User [name of user]
Hostname [ip or url of server]
PKCS11Provider [path to libtpm2_pkcs11.so file]
IdentityAgent none
Host nice_server
User my_user
Hostname 127.0.0.1
PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so
IdentityAgent none
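Since a Host block that is shadowed by an earlier match, or one that forgets IdentityAgent, fails silently, here is a small check script. It is an added example, not code from the original post or from the tpm2-pkcs11 project; it needs only POSIX sh and awk, and the config file and stand-in library file it uses are constructed.

```shell
# Added example, not code from the original post: verify that a Host block in an
# ssh client config carries the two directives the post relies on. Needs only
# POSIX sh and awk; the sample config and stand-in library file are constructed.

# ssh_option CONFIG HOST KEY: print KEY's value for HOST the way ssh(1) resolves
# it. Options before any Host line apply everywhere, each Host block naming HOST
# (exact name or "*"; other globs not handled) applies, first value obtained wins,
# and keywords are case-insensitive.
ssh_option() {
    awk -v host="$2" -v key="$3" '
        BEGIN { key = tolower(key); inblock = 1 }
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") inblock = 1
            next
        }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# tpm_ssh_check CONFIG HOST: 0 when HOST has a readable PKCS11Provider and
# IdentityAgent none; otherwise report the problem and return non-zero.
tpm_ssh_check() {
    provider=$(ssh_option "$1" "$2" PKCS11Provider)
    agent=$(ssh_option "$1" "$2" IdentityAgent)
    [ -n "$provider" ] || { echo "$2: no PKCS11Provider set" >&2; return 1; }
    [ -r "$provider" ] || { echo "$2: provider library '$provider' not readable" >&2; return 2; }
    [ "$agent" = "none" ] || { echo "$2: IdentityAgent is '${agent:-default}', expected none" >&2; return 3; }
}

# Constructed sample: the post's block plus one that forgot IdentityAgent. A temp
# file stands in for libtpm2_pkcs11.so so the readability check can pass.
SAMPLE_LIB=$(mktemp)
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<EOF
Host nice_server
    User my_user
    Hostname 127.0.0.1
    PKCS11Provider $SAMPLE_LIB
    IdentityAgent none

Host other_server
    Hostname 127.0.0.2
    PKCS11Provider $SAMPLE_LIB
EOF

tpm_ssh_check "$SAMPLE_CFG" nice_server && echo "nice_server: ok"
tpm_ssh_check "$SAMPLE_CFG" other_server || echo "other_server: fix the config"
```

Run it against your real ~/.ssh/config by replacing the two mktemp lines with the path of that file; a non-zero exit tells you which directive the named host is missing.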
Links