In a hardened security architecture, relying solely on cryptographic file keys stored on local disks creates a single point of failure. If a local workstation is ever compromised, those file keys can be exfiltrated. True network sovereignty requires binding your network “Pipes” to a physical asset. By integrating FIDO2/WebAuthn (for example, a YubiKey) directly into your SSH and VPN infrastructure, you ensure that authentication is impossible without a physical touch on hardware you hold.
The Power of FIDO2 Resident Keys
Modern OpenSSH (version 8.2 and newer) natively supports FIDO2 security keys via dedicated key types such as ed25519-sk. When generating a hardware-backed key, the key handle can be configured as a “resident key” (a discoverable credential) that is stored on the physical security token itself. Note that the private key material never leaves the token in either mode; what resident mode adds is that the handle, too, lives on the token, so the key survives the loss of the workstation and can be re-enrolled on a new machine.
Generating a Hardware-Bound Key
To generate a portable, hardware-enforced credential that requires both a PIN and a physical touch, use the following terminal command:
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "infrastructure-key"
- -t ed25519-sk: Specifies an Ed25519 key backed by a FIDO2 security key.
- -O resident: Stores the key handle on the hardware token itself, so you can recreate the public and private key files on any new machine simply by running ssh-keygen -K.
- -O verify-required: Forces user verification by demanding your FIDO2 hardware PIN in addition to the physical touch, establishing true two-factor authentication before a single network packet leaves your machine.
Why File Keys are a Liability
Traditional SSH keys are just text files at rest. If malware scrapes your ~/.ssh/ directory, your credentials are gone. With an -sk key, the file on your computer is merely a “key handle.” It is useless to an attacker who does not also hold the token, because the actual signing operation happens inside the physical security chip, triggered only when you press the contact pad on the token (and, with verify-required, only after the PIN has been entered).
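The practical follow-up to the two sections above is finding out which keys on a host are still plain file keys and which hardware-backed entries do not yet demand user verification. The following POSIX shell script is an added example, not code from the original article or from the OpenSSH project: it parses an authorized_keys file, classifies each entry by its key type (the sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com type names are OpenSSH's real identifiers for FIDO2 keys) and reports whether the server-side verify-required option is present. The function names and the sample authorized_keys content are my own; the base64 blobs in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): audit an authorized_keys
# file and report which entries are FIDO2 hardware-backed and whether they
# demand user verification (PIN) on the server side.
#
# OpenSSH public key type names for FIDO2 keys (real identifiers):
#   sk-ssh-ed25519@openssh.com         (from: ssh-keygen -t ed25519-sk)
#   sk-ecdsa-sha2-nistp256@openssh.com (from: ssh-keygen -t ecdsa-sk)
# Anything else (ssh-ed25519, ssh-rsa, ecdsa-sha2-*) is a plain file key.
#
# Limitation: an options field containing quoted whitespace, such as
# command="ls -l", is not handled by this simple field split.

classify_key_line() {
    # Prints one of: hardware-verified, hardware-touch-only, file-key, skip
    # Usage: classify_key_line "<one authorized_keys line>"
    line=$1
    case "$line" in
        ''|'#'*) echo skip; return ;;
    esac
    # If the first field is already a known key type, there is no options prefix.
    first=$(printf '%s\n' "$line" | awk '{print $1}')
    case "$first" in
        sk-*|ssh-*|ecdsa-*)
            opts=""; ktype=$first ;;
        *)
            opts=$first
            ktype=$(printf '%s\n' "$line" | awk '{print $2}') ;;
    esac
    case "$ktype" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
            # Hardware-backed: check for the server-side verify-required option.
            case ",$opts," in
                *,verify-required,*) echo hardware-verified ;;
                *) echo hardware-touch-only ;;
            esac ;;
        *) echo file-key ;;
    esac
}

audit_authorized_keys() {
    # Reads an authorized_keys file and prints one summary line:
    #   hardware-verified=<n> hardware-touch-only=<n> file-key=<n>
    file=$1
    hv=0; ht=0; fk=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(classify_key_line "$line")" in
            hardware-verified)   hv=$((hv+1)) ;;
            hardware-touch-only) ht=$((ht+1)) ;;
            file-key)            fk=$((fk+1)) ;;
        esac
    done < "$file"
    echo "hardware-verified=$hv hardware-touch-only=$ht file-key=$fk"
}

write_sample_authorized_keys() {
    # Constructed sample for demonstration: the base64 blobs are placeholders,
    # not real public keys. Writes to the path given as $1.
    cat > "$1" <<'EOF'
# infrastructure hosts (constructed sample)
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER infrastructure-key
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER laptop-touch-only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER legacy-file-key
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER old-rsa-key
EOF
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
write_sample_authorized_keys "$demo_file"
audit_authorized_keys "$demo_file"
rm -f "$demo_file"
```

Run it against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; every entry counted as file-key is a credential that lives entirely on disk, and every hardware-touch-only entry relies on the client having been generated with verify-required rather than the server enforcing it. On the server side, OpenSSH 8.4 and later can enforce the same policy globally with `PubkeyAuthOptions verify-required` in sshd_config, so that a hardware key enrolled without the option is still refused unless the PIN is presented.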