I’ve been digging into hardware-backed keys (ATECC608B, TPM, etc.) in other contexts, and I’m trying to understand where they do or don’t fit in election infrastructure.
Specifically, the property I’m focused on is non-extractability — the private key never leaves the device, so even under compromise you don’t end up with a reusable credential, just the ability to sign while the system is controlled.
In other domains (SSH, service identity), that seems to change the persistence side of compromise, even if it doesn’t prevent misuse during it.
My question is:
Are hardware-backed signing keys actually used in election systems today (for things like device identity, log signing, result integrity, etc.), or is that not a good fit for how those systems are designed and audited?
I’m especially curious about:
- Whether non-exportable keys are considered meaningful in this threat model
- If auditability / transparency requirements conflict with hardware-bound identity
- Whether simpler approaches (offline signing, air-gapping, paper trails) make this unnecessary
Not proposing a solution here — just trying to understand how people who actually work in this space think about it.