Back to feed
Dev.to
Dev.to
5/9/2026
Hardware-backed SSH keys, end to end: YubiKey, PIV, software alternatives, and where SSH CAs fit in

Hardware-backed SSH keys, end to end: YubiKey, PIV, software alternatives, and where SSH CAs fit in

Short summary

YubiKey and hardware-backed SSH keys eliminate the operational fragility of file-based private keys—where passphrase discipline rarely survives daily work—by ensuring signing material never leaves the device. This working guide covers FIDO2 key generation, resident vs. non-resident keys, touch requirements, and when to adopt SSH certificate authorities instead of manual key management. Essential for ops teams retiring password-protected keys without breaking Ansible, rsync, or multi-host deployments.

  • Hardware keys remove the need for passphrase discipline—signing requires physical device presence
  • Choose resident keys (no file secrets) for simple setups; non-resident keys (file + device) when passphrases are needed
  • Disable touch-required only for high-volume operations (Ansible, rsync); SSH CAs replace manual key management at scale

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more