Put your SSH keys in your TPM chip

Published: 10-04-2026 19:37 | Author: Remy van Elst

Table of Contents
- TPM vs HSM
- TPM Setup for SSH
- Creating a token
- Importing an SSH key into the token
- Use the SSH key in the TPM

I’ve got a long history with hardware security modules, both professionally and for fun. For the longest time, my SSH private key has lived inside a hardware token of some sort, be it the Nitrokey, the Smartcard-HSM or a Yubikey. The private key never leaves the device; you yourself can’t even extract it, and neither can malware. It does not live on your filesystem or in an ssh-agent (in memory), and some hardware keys even require a physical touch to use the key. Way more secure than the file ~/.ssh/id_rsa. I…
