Bringing End-to-End Encrypted AI to Linux with TPM-Backed Passkeys

2026-02-21

When I first learned about Moxie Marlinspike's new project, Confer, I was immediately intrigued. As the creator of the Signal app—the gold standard for encrypted messaging—Moxie has a proven track record of building privacy-focused technology that actually gets used. Confer continues this tradition by offering an end-to-end encrypted AI chat service where your conversations are never stored or used for training, unlike most AI assistants.

What makes Confer truly innovative is its approach to encryption. Instead of passwords or complex key management, it uses passkey encryption—a system where a per-service private key is used to authenticate you to the service. This isn't just for login; it's the foundation of your entire security model. The magic happens through the WebAuthn PRF extension, which allows 32 secret bytes to be derived from your private key and a salt in a deterministic way. These secret bytes can then be used to generate symmetric encryption keys that protect your data entirely on your device. The service provider never has access to your private key, meaning they can't access your conversations even if they wanted to.

Passkeys are already well-supported on macOS and iOS, and Android, where biometric prompts like Face ID and Touch ID allow users to authorize or reject the use of the passkey's underlying private key. On Windows and Linux, however, the story has been more complicated, typically requiring a password manager to manage the keys. That's where things get interesting for Linux users like myself.

Bringing Confer to Linux with TPM and FIDO2

For Linux users who want passkey-based encryption, there's an elegant solution: using your system's Trusted Platform Module (TPM) to protect your passkeys. A TPM is a dedicated hardware chip designed to securely store cryptographic keys and perform operations with them. Because the private key never leaves the TPM, it can't be extracted or transferred to another device, ensuring that your passkeys are truly yours alone.

Enter Vitor Py's tpm-fido2-prf, a FIDO2/WebAuthn platform authenticator for Linux that leverages your system's TPM to protect credential keys. As described in Vitor's blog post, this authenticator works by generating a primary key under the TPM's owner hierarchy, using a random seed and the relying party ID to ensure uniqueness. The private key material is never exposed to the operating system.

The authenticator confirms your presence and authorizes access through biometrics. By default, it uses fprintd to verify your fingerprint, ensuring that only you can unlock your keys. This creates a seamless experience: a single touch of your fingerprint is all it takes to both authenticate and derive the encryption keys for your Confer session.

My Contributions to the Ecosystem

As someone passionate about privacy and open source, I wanted to help make this technology more accessible. I contributed to both Vitor's browser extension and platform authenticator code to improve compatibility and usability.

First, I added support for Brave and Firefox to the browser extension, ensuring that users of these privacy-focused browsers could also leverage the TPM-backed authenticator.

Not everyone has a fingerprint reader, so I also contributed a pull request that allows users to confirm or deny registration and sign-in attempts through a GUI window using the Zenity dialog. This provides a flexible alternative for systems without biometric hardware.

However, we hit a roadblock: while users could register with Confer and sign in, subsequent authentication attempts failed because no PRF output was computed. I dug into the code and contributed a patch that fixed this by properly implementing PRF evaluation during navigator.credentials.get calls, which was essential for Confer's key unlocking feature.

Finally, I addressed an issue in the browser extension where the Relying Party ID (Confer's domain) wasn't being properly provided to the authenticator during navigator.credentials.get. I fixed this in another pull request, ensuring the authentication flow works correctly.

The Result: Secure, Seamless AI on Linux

Thanks to these contributions and the foundational work by Vitor Py, Linux users can now generate and unlock keys with Confer using TPM-protected private key material. Whether you're using Chrome, Chromium, Brave, or Firefox, you can enjoy the same end-to-end encrypted AI experience as users on other platforms, with your data protected by hardware-backed cryptography.

If you're interested in learning more about the WebAuthn standard and its PRF extension, I highly recommend reading "A Tour of WebAuthn" by Adam Langley. It's an excellent deep dive into the technology that makes all of this possible.

The Spirit of Open Source

This journey—from discovering Confer to contributing fixes that enable a better privacy experience on Linux—perfectly illustrates the spirit of open source. No single person built this entire system. Moxie created the vision with Confer and Vitor built the crucial Linux bridge with his TPM authenticator. Vitor's authenticator code is based on Peter Sanford's tpm-fido code that the open source community has contributed to. Through collaboration, we were able to fix the gaps and make it work for more people.