Biometric Keys: Secure SSH Keys with Windows Hello
Biometric SSH Keys are securely stored on your device in a trusted execution environment and protected by biometric authentication. They never leave your device and are inaccessible to others, even with unauthorized access to your device.
Termius for Windows allows you to generate Biometric SSH keys within the Trusted Platform Module (TPM). TPM is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Windows, can export, copy, or access these keys directly.
To establish an SSH connection, Termius requests TPM to sign data using the private key. Whenever this happens, Windows prompts you to authorize access to a key stored in TPM with fingerprint authentication.
Unlike regular SSH keys, Biometric keys don't synchronize with other devices, because Termius can't copy them.
Generate Biometric Key
To generate a Biometric SSH Key, follow these steps:
1. Open the Keychain screen.
2. Select Windows Hello on the top toolbar.
3. Click Generate.
Export Key to Host
1. Click Export to host in the context menu.
2. Select the host where you would like to copy a public key.
3. If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the authorized keys Filename.
4. Click Export and Attach at the bottom.
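To confirm on the host that the exported public key landed in the authorized keys file you specified, and that the file is not writable by other users, a check like the following can be run there. This is an added example, not Termius code; the function names, return codes and script name are assumptions.

```shell
#!/bin/sh
# Added example: confirm an exported public key is present in an
# authorized_keys file and that the file's permissions are tight enough.
# Run on the SSH host. Function names and return codes are assumptions.

# Return 0 if the path is NOT writable by group or others.
not_loosely_writable() {
    perms=$(ls -ldL -- "$1" | cut -c1-10)   # e.g. -rw-------
    case "$perms" in
        ?????w????|????????w?) return 1 ;;  # group-write or other-write bit set
    esac
    return 0
}

# check_exported_key FILE "PUBLIC KEY LINE"
#   0 = key present, permissions OK    1 = key not found
#   2 = file or its directory is group/world-writable
#   3 = file missing or key line malformed
check_exported_key() {
    file=$1
    # The second field of a public key line is the base64 key blob.
    blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ -f "$file" ] && [ -n "$blob" ] || return 3

    not_loosely_writable "$file" || return 2
    not_loosely_writable "$(dirname -- "$file")" || return 2

    # Match the blob as a whole field so that option prefixes and comments on
    # the authorized_keys line do not matter; skip commented-out lines.
    awk -v blob="$blob" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) found = 1 }
        END { exit !found }
    ' "$file" || return 1
    return 0
}

# Usage: sh check_key.sh /custom/dir/authorized_keys "$(cat exported_key.pub)"
if [ "$#" -eq 2 ]; then
    check_exported_key "$1" "$2"
fi
```

A return code of 2 matters because OpenSSH's StrictModes setting, when enabled, makes the server ignore an authorized keys file that other users can write to.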
Connect with Biometric Key
Once your key is exported, it attaches to your host in Termius. To connect, go to the Hosts screen and double-click your host.