This article describes the "Store on Device" toggle in the FIDO2 keygen form.
Enabling this toggle stores the generated SSH key on your FIDO2 device as a discoverable credential (also known as a resident key). After generation, you can import such keys into another Termius app or use them in OpenSSH without providing a private key file.
UX and Security
With all other parameters equal, keys stored on the FIDO2 device are less secure than keys not stored on it. In Termius, both kinds of key have the same UX, because keys stored on the device are also added to the Termius Keychain and, if you enable the Sync keys and identities setting, they are synced to all your devices.
To discover keys on the device, each new key stored on the device must have a unique set of extra options: key type, User ID, and application. Any existing key with the same set of extra options will be overwritten.
The User ID can be provided in the keygen form, and the application is set by the Termius app to ssh:termius.
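The uniqueness rule above, as an added example (not Termius code): a shell pre-flight check that refuses to plan a key whose key type, User ID and application match one already recorded in a local inventory file, and otherwise prints the OpenSSH command for a new resident key. The inventory file format and the function names are assumptions of this example, as is the mapping of the form's User ID to OpenSSH's `-O user=` option.

```shell
#!/bin/sh
# Inventory (constructed format for this example): one "type|user|application"
# line per key already stored on the FIDO2 device.

APP_DEFAULT="ssh:termius"   # application value the article says Termius sets

# slot_key TYPE USER [APP] -> prints the tuple that identifies a stored key
slot_key() {
    printf '%s|%s|%s\n' "$1" "$2" "${3:-$APP_DEFAULT}"
}

# would_overwrite INVENTORY TYPE USER [APP] -> returns 0 if the tuple is taken
would_overwrite() {
    inv=$1; shift
    [ -f "$inv" ] && grep -Fxq -- "$(slot_key "$@")" "$inv"
}

# plan_keygen INVENTORY TYPE USER [APP]
# Prints the ssh-keygen command for a new resident key.
# Returns 1 if it would replace a recorded key, 2 on invalid input.
plan_keygen() {
    inv=$1; ktype=$2; user=$3; app=${4:-$APP_DEFAULT}
    case $ktype in
        ed25519-sk|ecdsa-sk) ;;
        *) echo "unsupported key type: $ktype" >&2; return 2 ;;
    esac
    case $app in
        ssh:*) ;;   # OpenSSH requires the application string to start with "ssh:"
        *) echo "application must start with ssh:" >&2; return 2 ;;
    esac
    if would_overwrite "$inv" "$ktype" "$user" "$app"; then
        echo "refusing: $(slot_key "$ktype" "$user" "$app") is already on the device" >&2
        return 1
    fi
    printf 'ssh-keygen -t %s -O resident -O application=%s -O user=%s\n' \
        "$ktype" "$app" "$user"
}
```

After a successful generation, append the `slot_key` output to the inventory file so the next check sees it.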
Why is it disabled on my key?
The "Store on Device" toggle can be disabled for your key because storing SSH keys on the FIDO2 device requires enabling a PIN code on that device. To learn more about FIDO2 PIN codes on YubiKey, please follow this article.