Tillitis TKey

The TKey is an open source hardware and software USB security key that can support use cases such as SSH login, Ed25519 signing, Root of Trust, FIDO2, TOTP, Passkey, and more.

First usage

The TKey identifies with the device signature:

$ lsusb | grep Tillitis

Bus <xyz> Device <xyz>: ID 1207:8887 Tillitis MTA1-USB-V1

and is accessible at a serial port like /dev/ttyACM0. To use the TKey, add yourself to the uucp user group.

It is prefered to use a udev rule for the vendor 1207 and the product 8887 instead that makes the device writable for a user.

Applications

This section describes usage of some available tools.

tkey-ssh-agent

The TKey may authenticate SSH agent requests with tkey-ssh-agent^AUR. To print its public ssh key:

$ tkey-ssh-agent --show-pubkey

An additional user supplied secret (USS) can be provided either with --uss (requiring a pinentry program) or with --uss-file command-line arguments to tkey-ssh-agent.

To start the ssh agent:

$ tkey-ssh-agent --agent-socket $XDG_RUNTIME_DIR/tkey_ssh_agent.sock

tkey-verification

To check if the device is running the firmware by the vendor, the signature can be checked with tkey-verification-bin^AUR that the vendor provides.

$ tkey-verification verify

...
TKey is genuine!