YubiKey SSH Authentication: Stop Trusting Key Files on Disk

I stopped using SSH passwords three years ago. Switched to ed25519 keys, felt pretty good about it. Then my laptop got stolen from a coffee shop — lid open, session unlocked. My private key was sitting right there in ~/.ssh/, passphrase cached in the agent. That’s when I bought my first YubiKey. Why a Hardware Key Beats a Private Key File Your SSH private key lives on disk. Even if it’s passphrase-protected, once the agent unlocks it, it’s in memory. Malware can dump it. A stolen laptop might still have an active agent session. Your key file can be copied without you knowing. A YubiKey stores the private key on the hardware. It never leaves the device. Every authentication requires a physical touch. No touch, no auth. Someone steals your laptop? They still need the physical key plugged in and your finger on it. That’s the difference between “my key is encrypted” and “my key literally cannot be extracted.” Which YubiKey to Get For SSH, you want a YubiKey that supports FIDO2/resident key