This is a proof of concept to use the Tkey SSH Agent with RSA keys. It uses a specific RSA signer, with a 2048-bit key and SHA-512. It is based on the SSH agent written by Tillitis: https://github.com/tillitis/tkey-ssh-agent
Due to hardware limitations, the Tkey will consume a private RSA key, load it, encrypt it and store the encrypted key on the host machine. The encryption and signing will be done by the Tkey.
Note: After the RSA key has been consumed, you can no longer retrieve it unencrypted.
For more information, see https://tillitis.se/
- Generate RSA key: ssh-keygen -t rsa -b 2048 -m PEM (rsa-sha2-512 is the signature algorithm used at signing time, not a key type that ssh-keygen accepts; no passphrase support yet)
- start the agent: ./tkey-ssh-agent --port /path/to/device -a /path/to/agent.sock --rsa-key-path /path/to/your/private/key
- Make sure you have built the RSA signer: https://github.com/roemil/rsa-signer, then copy the binary to signer/
- Build the SSH agent: make clean && make
- The hardware is unfortunately not optimized for division, which the RSA algorithm uses a lot, so key generation is slow. Hence we generate keys on the host computer. This makes the Tkey less portable; however, generating keys on the Tkey takes more than 1 hour as of now.
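As an added illustration (not code from this repo or from tkey-ssh-agent), the Go snippet below builds the rsa-sha2-512 signature blob an SSH agent returns for a 2048-bit key when a client sets flag SSH_AGENT_RSA_SHA2_512, and a verifier that refuses the legacy ssh-rsa (SHA-1) algorithm name. NewKey2048, sshString, SignRSASHA512 and VerifyRSASHA512 are hypothetical names, and the key is generated and used in software here, whereas with this project the Tkey holds the encrypted key and performs the signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/binary"
	"errors"
)

// NewKey2048 stands in for the README's host-side "ssh-keygen -t rsa -b 2048" step.
func NewKey2048() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// sshString encodes b as an SSH wire "string": uint32 big-endian length + bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// SignRSASHA512 builds what an agent returns for flag SSH_AGENT_RSA_SHA2_512 (4):
// string "rsa-sha2-512" || string PKCS#1 v1.5 signature over SHA-512(data).
func SignRSASHA512(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha512.Sum512(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, digest[:])
	if err != nil {
		return nil, err
	}
	return append(sshString([]byte("rsa-sha2-512")), sshString(sig)...), nil
}

// VerifyRSASHA512 parses "string alg || string sig" and accepts only rsa-sha2-512,
// so a legacy ssh-rsa (SHA-1) blob over the same data is refused before any RSA math.
func VerifyRSASHA512(pub *rsa.PublicKey, data, blob []byte) error {
	var parts [][]byte // parts[0] = algorithm name, parts[1] = raw signature
	for len(parts) < 2 {
		if len(blob) < 4 || uint64(len(blob)-4) < uint64(binary.BigEndian.Uint32(blob)) {
			return errors.New("malformed signature blob")
		}
		n := 4 + int(binary.BigEndian.Uint32(blob))
		parts, blob = append(parts, blob[4:n]), blob[n:]
	}
	if string(parts[0]) != "rsa-sha2-512" {
		return errors.New("refusing signature algorithm " + string(parts[0]))
	}
	digest := sha512.Sum512(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], parts[1])
}
```

For a 2048-bit key the blob is 4+12+4+256 bytes; an ssh-agent client that leaves the flags at 0 would instead get an ssh-rsa/SHA-1 signature from a stock agent, which this verifier rejects.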
This project is based on https://github.com/tillitis/tkey-ssh-agent. This repo is licensed under "GNU General Public License v2.0 only". See LICENSE for the full license text.
- Encrypt the private RSA file with the Tkey and store it on the laptop
- Allow RSA keys to be generated with a passphrase.
- Fix the build script :)