I want to secure my Windows SSH Key with Windows Hello (my fingerprint / TPM) instead of a simple passphrase.
I found that OpenSSH can do this since v8.9 ( https://man.openbsd.org/ssh-keygen#FIDO_AUTHENTICATOR ).
Windows 10/11 comes with older versions though, so I just installed the latest version ( winget install Microsoft.OpenSSH.Beta ).
After that, it kinda works. When I create a new key ( ssh-keygen -t ed25519-sk ), Windows asks me to connect a USB security key. However, I don't get Windows Hello as an option.
My Windows Hello is already set up and works fine; I use it to log on to my system and as a WebAuthn key on some websites.
How do I get Windows Hello / my TPM as an option?
5
xsrf
- 171
1 Answer
3
At least as of Windows 11 24H2, ssh-keygen -t ecdsa-sk will work with Windows Hello authentication. Using the ed25519-sk key type did not work at the time of writing.
Additionally, to use a security key (or Windows Hello) from within WSL2 you also need:
export SSH_SK_HELPER=/mnt/c/Windows/System32/OpenSSH/ssh-sk-helper.exe
William Price
- 400
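For the WSL2 setup described in the answer above, a POSIX sh sketch added here (not the answer author's code): it exports SSH_SK_HELPER only when the helper file exists, and checks that a .pub file really holds an authenticator-backed (sk-) key type rather than a plain software key. The function names are hypothetical; the default helper path is the one given in the answer.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of OpenSSH.
# Default helper path is the one from the answer; pass another path as $1.
DEFAULT_SK_HELPER=/mnt/c/Windows/System32/OpenSSH/ssh-sk-helper.exe

# Export SSH_SK_HELPER only if the helper file is present.
# Returns 1 (and leaves the variable untouched) when it is missing.
use_windows_sk_helper() {
    helper=${1:-$DEFAULT_SK_HELPER}
    if [ ! -f "$helper" ]; then
        echo "ssh-sk-helper not found at $helper" >&2
        return 1
    fi
    SSH_SK_HELPER=$helper
    export SSH_SK_HELPER
}

# Classify one public-key line ("type base64 [comment]") by its type field.
# Prints: authenticator (FIDO-backed sk-* type), software, or unknown.
key_backing() {
    keytype=${1%% *}
    case $keytype in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)
            echo authenticator ;;
        ssh-*|ecdsa-sha2-*)
            echo software ;;
        *)
            echo unknown ;;
    esac
}

# Succeeds only if the first line of a .pub file is an authenticator-backed
# key. Returns 2 if the file cannot be read, 1 for any other key type.
check_pubkey_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    line=
    IFS= read -r line < "$1" || true   # tolerate a missing final newline
    [ "$(key_backing "$line")" = authenticator ]
}

# Typical use in ~/.profile under WSL2 (id_ecdsa_sk is ssh-keygen's default
# file name for -t ecdsa-sk):
#   use_windows_sk_helper && check_pubkey_file "$HOME/.ssh/id_ecdsa_sk.pub"
```
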