Dev.to
5/9/2026

Hardware-backed SSH keys, end to end: YubiKey, PIV, software alternatives, and where SSH CAs fit in
Short summary
YubiKey and hardware-backed SSH keys eliminate the operational fragility of file-based private keys—where passphrase discipline rarely survives daily work—by ensuring signing material never leaves the device. This working guide covers FIDO2 key generation, resident vs. non-resident keys, touch requirements, and when to adopt SSH certificate authorities instead of manual key management. Essential for ops teams retiring password-protected keys without breaking Ansible, rsync, or multi-host deployments.
- •Hardware keys remove the need for passphrase discipline—signing requires physical device presence
- •Choose resident keys (no file secrets) for simple setups; non-resident keys (file + device) when passphrases are needed
- •Disable touch-required only for high-volume operations (Ansible, rsync); SSH CAs replace manual key management at scale
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



