Comment by burnt-resistor

5 months ago

This isn't such a great idea for personal SSH or GPG keys that should be locked away in a physical hardware thing that need to be moved to other devices/machines. What security processors are great for is corporate machine, system/service, and user key management IdM/MDM processes that need secret storage.

Furthermore, with portable devices like Yubikey it's possible to create a master Certify-only GPG key where the sub Signature/Encryption/Authentication-subkeys live on the Yubikey. The encrypted C private key part with the S/E/A stubs still needs to be backed up to some durable, versioned storage that isn't tied to one device.

Finally, use GPG for SSH. And definitely avoid file-based SSH local private key management wherever possible for anything substantial because it doesn't scale well.

> This isn't such a great idea for personal SSH or GPG keys that should be locked away in a physical hardware thing that need to be moved to other devices/machines

I would change this: it’s great for personal usage BUT you should always use n>1 keys to avoid being locked out. For example, using the Secure Enclave for your daily use is fine but you’d want to have, say, a FIDO2 hardware key setup so if your laptop fails or is reset you can get into anything where you use that key.