An SSH agent for hardware backed keys on Windows
Ever been jealous of macOS users and their fancy Secure Enclave backed SSH Keys? Or wanted a nice GUI for managing keys like Secretive? nCryptAgent is your answer!
Use any smart card as an SSH key source, and manage them using a nice-ish GUI! Don't have a physical smart card or security key like a Yubikey? No problem -- Use the Microsoft Platform Crypto Provider that is backed by your TPM for hardware backed keys!
Use your WebAuthN authenticator as your SSH key with the sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types.
Supported key sources:
- Microsoft Platform Crypto Provider (PCP), backed by your TPM
- Microsoft Smart Card Key Storage Provider, for physical and virtual smart cards
- WebAuthN authenticators, as sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com keys, along with their matching certificates
Click Copy Key to copy the key's authorized_keys entry to the clipboard, then add it to the remote server. Alternatively, you can copy the public key's path for use as a command line argument or for opening it with another program.
sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com keys require OpenSSH 8.4 or higher.
OpenSSH has a few options specific to the sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types. nCryptAgent supports verify-required, but Windows always demands a touch event if the authenticator can provide one, so no-touch-required has no effect. To use verify-required, select the User Verification Required option when creating your WebAuthN key. The appropriate options flag will be added to the key when you click the Copy Key button, ready for pasting into your authorized_keys file.
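As an added example (not part of nCryptAgent or this README), the following Go program audits authorized_keys entries for the FIDO key types above: it parses each line's options (keeping quoted values such as from="a,b" intact), confirms that the base64 blob really begins with the declared key type, and warns when an sk- entry lacks verify-required or carries the no-touch-required option that Windows ignores. The sample line is constructed in the code from zero-filled placeholder key material, and the names AuthorizedKey, ParseAuthorizedKey, AuditSKOptions and alice@laptop are my own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
	"unicode"
)

// AuthorizedKey is one parsed authorized_keys entry.
type AuthorizedKey struct {
	Options []string // e.g. verify-required, from="10.0.0.0/8"
	Type    string   // declared key type, e.g. sk-ssh-ed25519@openssh.com
	Comment string
}

// sshString encodes b as an SSH wire-format string: uint32 big-endian length, then bytes.
func sshString(b []byte) []byte {
	n := len(b)
	return append([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}, b...)
}

// splitOutsideQuotes splits s wherever isSep matches outside double quotes, so an
// option like from="10.0.0.0/8,192.168.1.5" stays one token. Empty tokens are dropped.
func splitOutsideQuotes(s string, isSep func(rune) bool) []string {
	var out []string
	inQuote, start := false, 0
	for i, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
		case !inQuote && isSep(r):
			if i > start {
				out = append(out, s[start:i])
			}
			start = i + 1
		}
	}
	if start < len(s) {
		out = append(out, s[start:])
	}
	return out
}

// ParseAuthorizedKey parses "[options] type base64 [comment]" and checks that the
// key type inside the blob is the one the line declares.
func ParseAuthorizedKey(line string) (AuthorizedKey, error) {
	f := splitOutsideQuotes(line, unicode.IsSpace)
	if len(f) == 0 || f[0][0] == '#' {
		return AuthorizedKey{}, fmt.Errorf("blank or comment line")
	}
	var opts []string // key type names start with ssh-, ecdsa- or sk-; anything else is the options field
	if !strings.HasPrefix(f[0], "ssh-") && !strings.HasPrefix(f[0], "ecdsa-") && !strings.HasPrefix(f[0], "sk-") {
		opts, f = splitOutsideQuotes(f[0], func(r rune) bool { return r == ',' }), f[1:]
	}
	if len(f) < 2 {
		return AuthorizedKey{}, fmt.Errorf("missing key type or key data")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return AuthorizedKey{}, fmt.Errorf("bad base64 for %q: %w", f[0], err)
	}
	if !bytes.HasPrefix(blob, sshString([]byte(f[0]))) {
		return AuthorizedKey{}, fmt.Errorf("blob does not start with declared type %q", f[0])
	}
	return AuthorizedKey{Options: opts, Type: f[0], Comment: strings.Join(f[2:], " ")}, nil
}

// AuditSKOptions returns warnings for FIDO (sk-*) entries whose options do not fit
// a client that signs through nCryptAgent on Windows. Non-sk entries get none.
func AuditSKOptions(ak AuthorizedKey) []string {
	if !strings.HasPrefix(ak.Type, "sk-") {
		return nil
	}
	opts := "," + strings.Join(ak.Options, ",") + ","
	var warns []string
	if !strings.Contains(opts, ",verify-required,") {
		warns = append(warns, "missing verify-required: sshd will accept an assertion made without user verification; create the key with User Verification Required and paste what Copy Key emits")
	}
	if strings.Contains(opts, ",no-touch-required,") {
		warns = append(warns, "no-touch-required has no effect: the Windows WebAuthN API always asks for a touch when the authenticator supports one")
	}
	return warns
}

func main() {
	// Constructed sk-ssh-ed25519 blob: type, 32 zero placeholder bytes (not a real key), FIDO application.
	blob := append(append(sshString([]byte("sk-ssh-ed25519@openssh.com")), sshString(make([]byte, 32))...), sshString([]byte("ssh:"))...)
	line := "no-touch-required sk-ssh-ed25519@openssh.com " + base64.StdEncoding.EncodeToString(blob) + " alice@laptop"
	ak, err := ParseAuthorizedKey(line)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s options=%v\n%s\n", ak.Type, ak.Options, strings.Join(AuditSKOptions(ak), "\n"))
}
```

The declared-type check matters because sshd matches the key by the blob, not by the text in front of it: a line whose type word and blob disagree is a sign of a hand-edited or corrupted entry. Run the same parse over each line of a real authorized_keys file and print the warnings per entry.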
You can create a resident key by selecting the appropriate checkbox when creating the key. Unfortunately the Windows WebAuthN API doesn't support retrieving the public key information needed to load an existing resident key from a security key, so resident keys already on a security key cannot be loaded into nCryptAgent.
If you already have a certificate and key on your smart card, you can skip to Import an existing key; otherwise you will need to create a certificate and key. To create a TPM virtual smart card, run:
tpmvscmgr create /name <Friendly_Name> /AdminKey DEFAULT /pin PROMPT /pinpolicy minlen 4 /generate
where <Friendly_Name> is a name you choose. Note that /AdminKey DEFAULT uses the well-known default admin key; pass PROMPT or RANDOM instead if you do not want that. Then use certreq and certutil to load a certificate onto the smart card, after which you can use Add existing nCrypt Key to import your smart card credentials into nCryptAgent.
Import an existing key: if you have a key on your smart card (for instance existing credentials on your Yubikey), or have previously created a key using PCP, you can import that key by clicking the dropdown next to Create Key and selecting Add existing nCrypt key. Select the provider and smart card reader (if required), pick your key from the dropdown, and enter a name. Click Save and your existing key will be ready for use.
Once you have a key added to nCryptAgent you can use it by configuring your SSH client to use nCryptAgent as its SSH agent. For OpenSSH for Windows and PuTTY this should work automatically, as long as those listeners are enabled in the Config tab. For OpenSSH for Windows, also make sure the OpenSSH Authentication Agent service is stopped in Services: while it runs it owns the named pipe that nCryptAgent needs to answer on. For WSL2 and Cygwin, you will need to set your SSH_AUTH_SOCK environment variable; the commands for doing this are available in the Config tab.
Since ssh-add does not support adding a certificate without its private key, nCryptAgent instead looks for a matching certificate in its PublicKeys directory (%AppData%\nCryptAgent\PublicKeys). If you have an OpenSSH certificate you wish to use, either click the Add Cert button to attach it to the currently selected key, or place the certificate in the PublicKeys directory under the correct name. The name format for certificates is <MatchingCertificateFingerprint>-cert.pub, i.e. the matching key's file name with -cert inserted before .pub.
For example, if an nCrypt key is stored at %AppData%\nCryptAgent\PublicKeys\deadbeefd530ca2d01b3b74c8641fe29.pub, the matching certificate must be named %AppData%\nCryptAgent\PublicKeys\deadbeefd530ca2d01b3b74c8641fe29-cert.pub.
Because the pairing is by file name, double-check that the certificate really was issued for that key before relying on it: ssh-keygen -L -f on the certificate prints the fingerprint of the key it certifies, which should match ssh-keygen -lf on the .pub file.
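An added example, not nCryptAgent's own code: a Go check that a -cert.pub you are about to drop into PublicKeys was actually issued for the matching .pub key. It parses the OpenSSH certificate wire format far enough to compare the embedded key fields with the public key, returns the CA's key id and the validity window, and deliberately does not verify the CA signature (sshd does that on the server). The key and certificate are constructed in the code from placeholder bytes and assumed names (alice, alice@laptop), so it exercises structure, not cryptography; CheckCertForKey, SampleKeyAndCert and wire are my names.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var errTruncated = errors.New("ssh wire data truncated")

// reader walks SSH wire-format fields (RFC 4251). A truncated field panics with errTruncated,
// which CheckCertForKey recovers into a normal error, so the parse needs no check per read.
type reader struct{ b []byte }

func (r *reader) take(n int) []byte {
	if n < 0 || n > len(r.b) {
		panic(errTruncated)
	}
	v := r.b[:n]
	r.b = r.b[n:]
	return v
}
func (r *reader) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }
func (r *reader) str() []byte { return r.take(int(binary.BigEndian.Uint32(r.take(4)))) }

// CheckCertForKey parses an OpenSSH certificate line and confirms it was issued for the
// public key in pubLine: the certificate type must correspond to the key type and the
// certificate must embed exactly the key's fields. It returns the CA's key id and the
// validity window in seconds since the Unix epoch. The CA signature is NOT verified.
func CheckCertForKey(pubLine, certLine string) (keyID string, validAfter, validBefore uint64, err error) {
	defer func() {
		if p := recover(); p == errTruncated {
			err = errTruncated
		} else if p != nil {
			panic(p)
		}
	}()
	kf, cf := strings.Fields(pubLine), strings.Fields(certLine)
	if len(kf) < 2 || len(cf) < 2 {
		return "", 0, 0, errors.New("expected 'type base64 [comment]' on both lines")
	}
	keyType, certType := kf[0], cf[0]
	// Certificate type = key type + "-cert-v01@openssh.com"; for sk-*@openssh.com the suffix moves to the end.
	if want := strings.TrimSuffix(keyType, "@openssh.com") + "-cert-v01@openssh.com"; certType != want {
		return "", 0, 0, fmt.Errorf("certificate type %q is not for key type %q", certType, keyType)
	}
	keyBlob, err := base64.StdEncoding.DecodeString(kf[1])
	certBlob, err2 := base64.StdEncoding.DecodeString(cf[1])
	if err != nil || err2 != nil {
		return "", 0, 0, errors.New("bad base64 in key or certificate line")
	}
	kr, cr := &reader{keyBlob}, &reader{certBlob}
	if string(kr.str()) != keyType || string(cr.str()) != certType {
		return "", 0, 0, errors.New("blob does not start with its declared type")
	}
	cr.str() // nonce
	// After type and nonce the certificate repeats the key's algorithm-specific fields (all string-encoded).
	for len(kr.b) > 0 {
		if !bytes.Equal(cr.str(), kr.str()) {
			return "", 0, 0, errors.New("certificate embeds a different public key")
		}
	}
	cr.take(12) // uint64 serial and uint32 certificate type (1 user, 2 host)
	keyID = string(cr.str())
	cr.str() // valid principals (nested strings; empty means any principal)
	validAfter, validBefore = cr.u64(), cr.u64()
	return keyID, validAfter, validBefore, nil
}

// wire encodes fields in SSH wire format ([]byte as length-prefixed string, uint32/uint64 big-endian).
func wire(fields ...any) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		if b, ok := f.([]byte); ok {
			binary.Write(&buf, binary.BigEndian, uint32(len(b)))
			buf.Write(b)
		} else {
			binary.Write(&buf, binary.BigEndian, f)
		}
	}
	return buf.Bytes()
}

// SampleKeyAndCert builds a constructed ed25519 key and matching user certificate for this
// example: pk is placeholder bytes, not a real key, and the CA signature fields are empty.
func SampleKeyAndCert(pk []byte, validAfter, validBefore uint64) (pubLine, certLine string) {
	key := wire([]byte("ssh-ed25519"), pk)
	cert := wire([]byte("ssh-ed25519-cert-v01@openssh.com"), make([]byte, 32), pk, // type, nonce, key
		uint64(7), uint32(1), []byte("alice@laptop"), []byte{}, validAfter, validBefore, // serial, user cert, key id, principals, window
		[]byte{}, []byte{}, []byte{}, []byte{}, []byte{}) // critical options, extensions, reserved, CA key, signature
	enc := base64.StdEncoding.EncodeToString
	return "ssh-ed25519 " + enc(key) + " alice", "ssh-ed25519-cert-v01@openssh.com " + enc(cert) + " alice"
}

func main() {
	pub, cert := SampleKeyAndCert(bytes.Repeat([]byte{0xAB}, 32), 1700000000, 1700003600)
	fmt.Println(CheckCertForKey(pub, cert)) // alice@laptop 1700000000 1700003600 <nil>
}
```

Feed it the contents of a real <fingerprint>.pub and <fingerprint>-cert.pub pair from the PublicKeys directory; a type mismatch, a certificate for another key, or truncated data comes back as an error rather than a silent authentication failure later, and validBefore tells you whether the certificate has already expired.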
Building requires windres, which can be obtained by downloading the latest release of llvm-mingw. Then run:
go mod tidy
windres.exe -i resources.rc -o rsrc.syso -O coff
go build -ldflags "-H=windowsgui" -o build\nCryptAgent.exe
I'll get around to making a proper build script at some point...
If you simply MUST have a software key, you can open the configuration file at %AppData%\nCryptAgent\config.json and add a key with providerName set to "Microsoft Software Key Storage Provider" and containerName set to an existing key container. You can list existing containers by running certutil -key -user -csp KSP in a command prompt window. Keep in mind that such a key is not hardware backed.
Why does containerName list a location on my local filesystem? The Platform Crypto Provider does not store the complete key inside the TPM; it stores a key blob on disk and loads it into the TPM whenever a signing operation is required. The blob can only be unwrapped by the TPM that created it, so your key is still non-exportable. @ElMostafaIdrassi has written a nice explanation of it if you'd like more detail.