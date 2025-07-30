Version: 16.x

Deploying Machine ID on Linux (TPM)

This page explains how to deploy Machine ID on a Linux host, and use the secure identify of the onboard TPM 2.0 chip for authenticating with the Teleport cluster.

The tpm join method requires a valid Teleport Enterprise license to be installed on the cluster's Auth Service.

The tpm join method is a secure way for Bots and Agents to authenticate with the Teleport Auth Service without using any shared secrets. Instead of using a shared secret, the unique identity of the host's Trusted Platform Module (TPM) and public key cryptography is used to authenticate the host.

In environments where there is no other form of identity available to machines, e.g on-prem, this is the most secure method for joining. It avoids the need to distribute a shared secret as is needed for the token join method.

A Trusted Platform Module (TPM) is a secure, physical cryptoprocessor that is installed on a host. TPMs can store cryptographic material and perform a number of cryptographic operations, without exposing the cryptographic material to the operating system. Each TPM has a unique key pair burned-in known as the Endorsement Key (EK). This key does not change, even if the host operating system is reinstalled.

Some TPMs also contain an X.509 certificate for this key pair that is signed by the manufacturer's CA. This is known as the EK Certificate (EKCert). This certificate can be used by the TPM to prove to a third-party (who trusts the manufacturer's CA) that the TPM is genuine and abides by the TPM specification.

When using the tpm join method, you must first query the TPM's public key and then create a join token that explicitly allows this public key. To list information about the detected TPM, run the teleport tpm identify command.

If you have a large number of hosts, it may make sense to use automation tooling such as Ansible to query the TPMs across your fleet and then generate join tokens.

warning The tpm join method is currently not compatible with FIPS 140-2.

A running Teleport cluster version 16.5.12 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl admin tool and tsh client tool. Visit Installation for instructions on downloading tctl and tsh .

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example: command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. A Linux host that you wish to install Machine ID onto, with a TPM2.0 installed.

A Linux user on that host that you wish Machine ID to run as. In the guide, we will use teleport for this.

This step is completed on the Linux host.

First, tbot needs to be installed on the VM that you wish to use Machine ID on.

Download the appropriate Teleport package for your platform:

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 16.5 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

Assign teleport.example.com:443 to your Teleport cluster hostname. This should contain you cluster hostname and port, but not the scheme (https://). Run your cluster's install script: curl "https:// example.teleport.sh:443 /scripts/install.sh" | sudo bash

On older Teleport versions:

Assign edition to one of the following, depending on your Teleport edition: Edition Value Teleport Enterprise Cloud cloud Teleport Enterprise (Self-Hosted) enterprise Teleport Community Edition oss Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater: TELEPORT_DOMAIN= example.teleport.com TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')" Otherwise, get the version of your Teleport cluster: TELEPORT_DOMAIN= example.teleport.com TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')" Install Teleport on your Linux server: curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

If the user that will run tbot is not root , you will also need to configure Linux to allow the user to access the TPM device.

The simplest way to solve this is to check if your distro ships with the tss group and assign it the user. If that is not possible, or you are looking for a different solution, we recommend creating udev rules similar to the ones shipped by the TPM2 Software Stack.

Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.

Create bot.yaml :

kind: bot version: v1 metadata: name: example spec: roles: []

Make sure you replace example with a unique, descriptive name for your Bot.

Use tctl to apply this file:

tctl create bot.yaml

With the Bot created, we now need to create a token. The token will be used by tbot to authenticate as the Bot to the Teleport cluster.

First, you need to determine the characteristics of the TPM on the host that you wish to use Machine ID on. These characteristics will then be used within the allow rules of the join token to grant access to this specific host.

On the machine, run tbot tpm identify :

tbot tpm identify TPM Information EKPub Hash: 6c5aada1c5abee6d869369a0example2fd2beb41c850d3f0227f029c4fffc4ba EKCert Detected: true EKCert Serial: 5e 💿 5f:8e

Take the long hexadecimal string after EKPub Hash and assign it to ek-public-hash . This uniquely identifies this TPM and will be used in the join token.

If in the previous step, EKCert Detected was false , then you can disregard this section.

If in the previous step, EKCert Detected was true , then it is recommended to obtain the manufacturer's CA certificate. This will allow the TPM to be validated as legitimately manufactured as part of the join process.

Instructions for obtaining the EKCert CA will vary from TPM to TPM. Consult your TPM's documentation for more information or contact your supplier.

Create a file named bot-token.yaml :

kind: token version: v2 metadata: name: my-bot-token spec: roles: [ Bot ] join_method: tpm bot_name: my-bot tpm: ekcert_allowed_cas: - | -----BEGIN CERTIFICATE----- ... CA Certificate Data ... -----END CERTIFICATE----- allow: - description: "example-server-100" ek_public_hash: ek-public-hash

If your TPM includes an EKCert and you have obtained the manufacturer's CA, replace the ekcert_allowed_cas section with the PEM wrapped CA certificate. Otherwise, remove this section.

If you have multiple hosts that you wish to authenticate as the same Bot, you can add additional rules the allow list, one for each host.

Apply this to your Teleport cluster using tctl :

tctl create -f bot-token.yaml

Create /etc/tbot.yaml :

version: v2 proxy_server: example.teleport.sh:443 onboarding: join_method: tpm token: my-bot-token storage: type: directory path: /var/lib/teleport/bot outputs: []

Replace:

example.teleport.sh:443 with the address of your Teleport Proxy.

The tbot service requires a way to store its state, such as internal credentials, across restarts. This is known as the storage destination.

For this example, we will use the directory /var/lib/teleport/bot .

As this directory will store the bots sensitive credentials, it is important to protect it. To do this, you will configure the directory to only be accessible to the Linux user which tbot will run as.

Execute the following, replacing teleport with the Linux user that you will run tbot as:

sudo mkdir -p /var/lib/teleport/bot sudo chown teleport:teleport /var/lib/teleport/bot

By default, tbot will run in daemon mode. However, this must then be configured as a service within the service manager on the Linux host. The service manager will start tbot on boot and ensure it is restarted if it fails. For this guide, systemd will be demonstrated but tbot should be compatible with all common alternatives.

Use tbot install systemd to generate a systemd service file:

sudo tbot install systemd \ --write \ --config /etc/tbot.yaml \ --user teleport \ --group teleport \ --anonymous-telemetry

Ensure that you replace:

teleport with the name of Linux user you wish to run tbot as.

with the name of Linux user you wish to run as. /etc/tbot.yaml with the path to the configuration file you have created.

You can omit --write to print the systemd service file to the console instead of writing it to disk.

--anonymous-telemetry enables the submission of anonymous usage telemetry. This helps us shape the future development of tbot . You can disable this by omitting this.

Next, enable the service so that it will start on boot and then start the service:

sudo systemctl daemon-reload sudo systemctl enable tbot sudo systemctl start tbot

Check the service has started successfully:

sudo systemctl status tbot

You have now prepared the base configuration for tbot . At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use.

Follow one of the access guides to configure an output that meets your access needs.