Your PC's TPM (Trusted Platform Module) can store SSH private keys securely, preventing them from ever being exported or accessed by malware. Unlike keys stored on disk or in memory via ssh-agent, TPM-stored keys never leave the hardware. The approach is more secure than filesystem-based keys, though slightly less portable than a removable hardware token. One gotcha: some BIOS updates wipe the TPM, but workarounds exist. The setup requires specific tools and doesn't work with WSL.