    drscriptt@oldbytes.space
    @jpmens I’m not surprised by that. I suspect that the security trade-off warrants it, especially for headless servers to have the private part of the key in hardware that it can’t be extracted from. Maybe not ideal for interactive use. But could be better if TPM key didn’t have a passphrase requirement and a local file did require a passphrase. Assuming corporate security scans all keys and flags any without a passphrase on them.