April 16, 2026
Keys in chips, comments in flames
Put your SSH keys in your TPM chip
Fans cheer built‑in security; skeptics tout $2 dongles; others warn BIOS updates can nuke keys
TLDR: A guide shows how to store SSH login keys in your PC’s built‑in security chip for safer logins. Commenters split: some push cheap hardware tokens, others argue TPMs prove device identity more than they boost security, and many balk at BIOS updates that can erase keys—convenience vs. catastrophe risk.
A new guide says you can lock your server login keys (SSH keys) inside your computer’s built‑in security chip, the TPM, for extra protection. It’s a step up from keeping keys as files, though not as sturdy as a portable hardware key like a YubiKey. The author flags gotchas: some motherboards wipe TPM data during BIOS updates, so back up wisely, and this won’t work on Windows Subsystem for Linux. Cue the comment fireworks: convenience vs. control, built‑in chip vs. plug‑in key, and big questions about what “security” really means.
The hottest take? One user says skip the TPM and grab a $2 open‑source token like Gnuk. Another dreams of a world where all API keys live in TPMs, then slams today’s “steal‑one‑token, get‑everything” reality and worries about speed. YubiKey loyalists drop the classic community guide. Then a contrarian barrels in: TPMs are “for authentication”—basically proving the device is yours—not some magic blanket of security. And the show‑stopper: BIOS updates can wipe your keys, prompting “no thanks” replies and jokes about pressing Update to roll the dice on your digital life. The vibe: TPM fans love the no‑dongle life, hardware‑token purists clutch their keys, and everyone fears the BIOS nuke button.
Key Points
- The guide shows how to store and use SSH private keys with a TPM via PKCS#11 on Linux, noting it does not work on WSL.
- TPMs are device-bound and more secure than filesystem storage but less secure than portable HSMs that require physical presence.
- BIOS updates on some consumer motherboards can wipe TPM contents; the author advises generating SSH keys offline and importing them for backup resilience.
- Required packages include tpm2-tools, libtpm2-pkcs11, tpm2-abrmd (and tpm2-tss/OpenSC), with steps to join the tss group; tpm2-tools may need recompilation with --with-fapi=no to avoid FAPI errors.
- A persistent PKCS#11 store (~/.tpm2_pkcs11) is initialized with tpm2_ptool; keys are encrypted in SQLite and loaded into the TPM when used; tokens are added with user/SO PINs prepared without trailing newlines.
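The key points above describe one procedure: initialise the tpm2-pkcs11 store, add a token with PINs that carry no trailing newline, and (for resilience against a BIOS update wiping the TPM) generate the SSH key offline and import it. The script below is an added example written for this summary; it is not code from the guide or from the tpm2-pkcs11 project. It assumes the tpm2_ptool subcommands `init`, `addtoken` and `import` with their `--path`, `--pid`, `--label`, `--sopin`, `--userpin`, `--privkey` and `--algorithm` options, assumes the first primary object created by `init` gets id 1, assumes the caller is already in the `tss` group, and treats the PKCS#11 module path as an assumption (it differs between distributions). The PIN-file helpers run anywhere; the TPM steps only run when the script is invoked with `init`, `import` or `list`.

```shell
#!/bin/sh
# Added example (not the guide's or tpm2-pkcs11's own code): the setup
# sequence from the key points as a POSIX shell script.
# Assumptions: tpm2_ptool, ssh-keygen and the PKCS#11 module are installed,
# the caller is in the "tss" group, and MODULE below is a typical
# Debian/Ubuntu location (assumed; adjust for your distribution).
set -eu

STORE="${TPM2_PKCS11_STORE:-$HOME/.tpm2_pkcs11}"
MODULE="${TPM2_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"
TOKEN_LABEL="ssh"

# Write a PIN file with printf, never echo: echo appends "\n", and that
# newline would become part of the PIN the token is created with.
write_pin_file() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Pre-flight check: file is non-empty and its last byte is not a newline.
# $(tail -c 1 f) is empty exactly when the last byte is "\n".
pin_file_ok() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Read a PIN, dropping any trailing newline an editor may have added
# (command substitution strips trailing newlines).
read_pin() {
    printf '%s' "$(cat "$1")"
}

# One-time store initialisation: primary object, then a token protected by
# the SO PIN (recovery/admin) and the user PIN (daily ssh use).
init_store() {
    pin_file_ok "$1" && pin_file_ok "$2" || {
        echo "PIN files must be non-empty and have no trailing newline" >&2
        return 1
    }
    sopin=$(read_pin "$1"); userpin=$(read_pin "$2")
    mkdir -p "$STORE"
    tpm2_ptool init --path "$STORE"              # assumed: first primary gets id 1
    tpm2_ptool addtoken --pid=1 --label="$TOKEN_LABEL" \
        --sopin="$sopin" --userpin="$userpin" --path "$STORE"
}

# Backup-resilient route: generate the key pair offline, keep the PEM file in
# cold storage, import a copy into the token. If a BIOS update wipes the
# TPM, re-run this import from the backup instead of re-enrolling everywhere.
import_backup_key() {
    userpin=$(read_pin "$1")
    keyfile="$2"
    [ -f "$keyfile" ] || ssh-keygen -t rsa -b 2048 -m PEM -N '' -f "$keyfile"
    tpm2_ptool import --label="$TOKEN_LABEL" --userpin="$userpin" \
        --privkey="$keyfile" --algorithm=rsa2048 --path "$STORE"
}

# Public keys OpenSSH sees through the module; paste into authorized_keys.
# Log in afterwards with: ssh -I "$MODULE" user@host
list_pubkeys() {
    ssh-keygen -D "$MODULE"
}

case "${1:-}" in
    init)   init_store "$2" "$3" ;;          # init SOPIN_FILE USERPIN_FILE
    import) import_backup_key "$2" "$3" ;;   # import USERPIN_FILE KEY.pem
    list)   list_pubkeys ;;
    *)      : ;;                             # no args: define functions only
esac
```

The PIN-file checks are deliberately separate from the TPM calls: a PIN created with `echo` silently carries a newline, and the resulting token then rejects the PIN typed at the ssh prompt, which looks exactly like a wiped or corrupted store. Keep the offline PEM backup encrypted and off the machine; the TPM copy is the convenience, the backup is the recovery path.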