On 16/06/2025 12:32, M?rton Gunyh? wrote:> This is probably a very naive question, but I am trying to figure out > if I would be able to unlock my private key using my laptop's > fingerprint reader instead of typing in the passphrase.What kind of laptop? I believe this works out-of-the-box using macOS keychain, but I don't know about Linux / *BSD / Windows.> Am I asking for nonsense? Is it even possible to use a fingerprint as > an encryption key, or is it only suitable for matching against a > stored value (which I guess what PAM is doing)?A fingerprint is never used as an encryption key. For these sorts of applications (such as passkeys on your phone), the private key is stored in a secure enclave, and the secure enclave permits crypto operations using that key when the appropriate fingerprint or PIN is presented to it. Hence there's quite a lot of integration required. For a self-contained solution which is platform-agnostic look at Yubikey Bio. The readily-available FIDO version should work with SSH using U2F keys (ecdsa_sk). There's supposed to be a smartcard version too, but I don't see it for sale on the store.
?On 2025-06-16 20:57, Brian Candler wrote:> What kind of laptop? I believe this works out-of-the-box using macOS > keychain, but I don't know about Linux / *BSD / Windows.I'm using a Framework 13 laptop with Fedora Linux. For example, when I run a command as sudo, it prompts me for the fingerprint, and this works well. The sudo fingerprint auth is through PAM AFAIK.> A fingerprint is never used as an encryption key. ... The private key > is stored in a secure enclave, and the secure enclave permits crypto > operations using that key when the appropriate fingerprint or PIN is > presented to it. Hence there's quite a lot of integration required.I see, makes sense. I guess OpenSSH doesn't have this integration on Linux?> For a self-contained solution which is platform-agnostic look at > Yubikey Bio. The readily-available FIDO version should work with SSH > using U2F keys (ecdsa_sk).The Yubikey looks alright, but I would like to use the built-in fingerprint reader. I tried to? create a key with ssh-keygen -t ecdsa-sk but that just says "Key enrollment failed: device not found".