Hacker News new | ask | show | jobs
by lights0123 66 days ago
I would love a world where I could put all my API keys in the TPM so malware couldn't gain persistent access to services after wiping my computer. This would be so easy if more providers used asymmetric keys, like through SSH or mTLS. Unfortunately, many don't, which means that stealing a single bearer token gives full access to services.

There's also the TPM speed issue. My computer takes ~500ms to sign with an ECC256 key with the TPM, which starts to become an issue when running scripts that use git operations in serial. This is a recurring problem that people tend to blame on export controls: https://stiankri.substack.com/p/tpm-performance
2 comments
lokar 66 days ago
In some cases there is a work-around for bearer tokens. If they allow key/cert login to generate the token (either directly, or via oath), and the token can be generated with a short lifetime, you can build something pretty safe (certainly safer then having a not-expiring, or long TTL token in a wallet).
link
convolvatron 66 days ago
apologies for asking this question here instead of actually doing the research, but it always seemed to be that while putting keys in a secure environment would help against leakage of the private bits, there really isn't a great story around making sure than only authorized requests can be signed. is this a stupid concern?
link
justincormack 66 days ago
Yubikey can require touch, and Secretive for Apple Secure enclave can require touch with fingerprint id. Some people disable these, it depends exactly on your use case.
link
akdev1l 66 days ago
You don’t need Secretive, there is actually Apple native way

I put my ssh keys into the Mac’s TPM and now it asks for a password/touch ID when I use it.

Unfortunately I forget what commands I used

link
convolvatron 66 days ago
yes, but what's to stop a malicious actor from intercepting a signature request and replacing its own contents in place of the legitimate one. yes you would find out when your push was rejected, but that would be a bit late.
link
guipsp 66 days ago
It is not a stupid concern, butt there is architecture around making sure you can't just save a request for later and replay it
link