File-based SSH keys are a single `~/.ssh` leak away from compromise. Hardware security keys with FIDO2 (ed25519-sk) keep your private key locked inside the device, require physical touch to authenticate, and let you carry your identity on a keychain. We tested the top options — from the versatile YubiKey 5 NFC to the budget-friendly Security Key C NFC — to find the best fit for developers, sysadmins, and enterprise teams.
If you're still relying on a file-based SSH private key sitting in ~/.ssh/id_rsa, you're one compromised machine — or one careless git push — away from losing access to every server you manage. Hardware security keys change that. With FIDO2-backed SSH keys (ed25519-sk), your private key never leaves the device.1 The key itself signs the authentication challenge, and it only does so when you physically touch it.
That's the core idea behind "resident keys" and "user presence." Your SSH identity is portable — plug the key into any machine with OpenSSH 8.2+, tap it, and you're in. No copying key files, no worrying about who might have copied them.
Here are the best hardware security keys for SSH right now.
Best for: Developers and sysadmins who want the most protocol flexibility.
The YubiKey 5 NFC is the most versatile hardware key on the market. It supports FIDO2 (ed25519-sk), OpenPGP, and Smart Card (PIV) protocols, which means you can use it for SSH, GPG signing, and even X.509 certificate authentication — all from one device.1 The NFC support also lets you authenticate from a phone or tablet.
It's the PCMag Editors' Choice winner for a reason: it balances capability with ease of use.2 The trade-off is that authentication requires a PIN entry (not biometric), which adds a small step each time you connect.
Best for: Anyone who wants to replace the FIDO2 PIN with a fingerprint scan.
The YubiKey Bio adds a fingerprint sensor on top of standard FIDO2 support. Instead of typing a PIN every time you SSH into a server, you just touch the sensor. It's faster in practice and removes the "what was my PIN again?" friction that can slow down a workflow.
The catch: it only supports FIDO2 — no OpenPGP or PIV — so if you need GPG signing or smart card features, you'll want the YubiKey 5 instead.
Best for: First-time hardware key buyers or teams deploying keys at scale.
The Security Key C NFC strips away the extra protocols (no OpenPGP, no PIV) and focuses on doing FIDO2 and WebAuthn really well at a lower price point. It's the most affordable way to get hardware-backed SSH keys with ed25519-sk.2
If all you need is SSH + WebAuthn (for GitHub, GitLab, or cloud console access), this is the smart buy. You're not paying for features you won't use.
Best for: Government, defense, and regulated industries requiring FIPS 140-2 validation.
The YubiKey 5 FIPS is the same versatile key as the standard YubiKey 5 NFC, but with FIPS 140-2 certification for compliance-bound environments. It supports FIDO2, OpenPGP, and PIV, and meets the cryptographic standards required by US federal agencies and many enterprise security policies.
If you don't need FIPS certification, save the money and go with the standard YubiKey 5 NFC. If you do need it, this is the only option that checks the box.
| Feature | YubiKey 5 NFC | YubiKey Bio | Security Key C NFC | YubiKey 5 FIPS |
|---|---|---|---|---|
| Protocols | FIDO2, PGP, PIV | FIDO2 only | FIDO2, WebAuthn | FIDO2, PGP, PIV |
| Connectivity | USB-A/C + NFC | USB-A/C | USB-A/C + NFC | USB-A/C + NFC |
| Auth method | PIN | Fingerprint | PIN | PIN |
| FIPS certified | No | No | No | Yes |
The shift from file-based keys to hardware-backed keys solves two real problems:
1. Private key theft. A file-based key can be copied by malware, an accidental backup, or a compromised CI/CD pipeline. With FIDO2 resident keys, the private key material is generated inside the security key and never exported.1 Even if an attacker has physical access to the key, they can't extract the key material.
2. Portability without risk. With a hardware key, your SSH identity lives on a device you carry. Plug it into any machine, run ssh-keygen -t ed25519-sk, and you're set. No more copying id_ed25519 files between machines and hoping you remember to delete them.
You'll need OpenSSH 8.2 or later (released February 2020). Most modern Linux and macOS systems ship with it. Windows users can use OpenSSH for Windows (available in Windows 10 1809+).
To generate a hardware-backed SSH key:
ssh-keygen -t ed25519-sk -O resident -O application=ssh:MyKeyNameThe -O resident flag stores the key on the device (so you can use it on any machine). The -O application flag gives it a label so you can manage multiple keys. You'll be prompted to touch your security key and, depending on the model, enter a PIN or scan your fingerprint.
The public key goes into ~/.ssh/authorized_keys on your server as usual. The private key stays on the hardware — always.
If you manage servers, a hardware security key is one of the best upgrades you can make to your SSH workflow. The YubiKey 5 NFC is the most capable all-rounder. The Security Key C NFC is the best value if you only need FIDO2. And if you're in a regulated environment, the YubiKey 5 FIPS is the only compliant choice.
AskBuy earns a small commission if you purchase through the links above — at no extra cost to you. We only recommend products we've researched and verified.
This page was written by the engine and the engine is still on the line. The conversation below picks up where the article stops.
Yes — the picks above are the engine's current verdicts. Ask a sharper version of this question below and you'll get a custom answer with the latest pricing.