Biometric Keys: Secure SSH Keys with Windows Hello

Biometric SSH Keys are securely stored on your device in a trusted execution environment and protected by biometric authentication. They never leave your device and are inaccessible to others, even with unauthorized access to your device.

Termius for Windows allows you to generate Biometric SSH keys within the Trusted Platform Module (TPM). TPM is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Windows, can export, copy, or access these keys directly.

To establish an SSH connection, Termius requests TPM to sign data using the private key. Whenever this happens, Windows prompts you to authorize access to a key stored in TPM with fingerprint authentication.

Biometric keys don't synchronize with other devices as regular SSH keys because they can't be copied by Termius.

Generate Biometric Key

To generate a Biometric SSH Key, follow these steps:

1. Open Keychain screen.

2. Select Windows Hello on the top toolbar.

3. Click Generate.

Export Key to Host

1. Click Export to host in the context menu.

2. Select host where you would like to copy a public key.

3. If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the authorized keys Filename.

4. Click Export and Attach at the bottom.

Connect with Biometric Key

Once your key is exported, it attaches to your host in Termius. To connect, go to the Hosts screen and double-click your host.