
> It means malware can’t exfiltrate the SSH key from your machine and keep using it

Are you sure about that? Presumably the secret parts of the SSH key are being read into memory at some point, or an RCE could dump the key the same way ssh-tpm-agent does.

Don't rely on a TPM to store secrets. Use a secrets store that can be audited for use and have it generate dynamic, short-lived credentials. For SSH, use SSH CAs.



> Are you sure about that? Presumably the secret parts of the SSH key are being read into memory at some point, or an RCE could dump the key the same way ssh-tpm-agent does.

This is not how ssh-tpm-agent works. It does the key signing inside the TPM so you do not have access to the key on the machine itself.

The private key never hits memory or the machine itself.
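The agent model the reply describes, as an added illustration that is not from the thread or from the ssh-tpm-agent project: a minimal SSH agent protocol sign exchange in stdlib Python, where a `SealedKey` object stands in for the TPM-resident key. The RSA numbers are constructed toy values (deliberately insecure), and the names `agent_handle`, `client_sign` and `verify` are assumptions of this example; the point is that the client side only ever handles the public key blob and a signature.

```python
import hashlib
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE, SSH_AGENT_FAILURE = 13, 14, 5

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

class SealedKey:
    """Stand-in for a TPM-resident key. Constructed toy RSA numbers (p=61, q=53),
    deliberately tiny and insecure; only sign() and the public half are offered."""
    def __init__(self):
        self.__d = 2753                # private exponent; in the real design it stays inside the TPM
        self.n, self.e = 3233, 17      # public half, safe to hand out
        self.blob = ssh_string(b"toy-rsa") + ssh_string(self.n.to_bytes(2, "big"))

    def sign(self, data: bytes) -> bytes:
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n
        return pow(h, self.__d, self.n).to_bytes(2, "big")

def agent_handle(key: SealedKey, msg: bytes) -> bytes:
    """Agent side: the only operation offered is 'sign this data with that key'."""
    if msg[0] != SSH_AGENTC_SIGN_REQUEST:
        return bytes([SSH_AGENT_FAILURE])
    blob, off = read_string(msg, 1)
    data, off = read_string(msg, off)
    if blob != key.blob:
        return bytes([SSH_AGENT_FAILURE])
    sig = ssh_string(b"toy-rsa") + ssh_string(key.sign(data))
    return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig)

def client_sign(key: SealedKey, data: bytes) -> bytes:
    """Client side: build SSH_AGENTC_SIGN_REQUEST (flags=0), return the raw signature bytes."""
    req = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key.blob) + ssh_string(data) + struct.pack(">I", 0)
    resp = agent_handle(key, req)
    sig, _ = read_string(resp, 1)
    _alg, off = read_string(sig, 0)
    return read_string(sig, off)[0]

def verify(key: SealedKey, data: bytes, sig: bytes) -> bool:  # needs only the public half (n, e)
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key.n
    return pow(int.from_bytes(sig, "big"), key.e, key.n) == h
```

A real ssh-tpm-agent does the `sign()` step inside the TPM rather than in a Python object, which is what makes the private half unavailable to anything running on the host.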



