diff --git a/Cargo.lock b/Cargo.lock
index 9671cb34bb..2781265464 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1950,6 +1950,20 @@ version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbfc4744c1b8f2a09adc0e55242f60b1af195d88596bd8700be74418c056c555"
 
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature 2.1.0",
+ "spki",
+]
+
 [[package]]
 name = "ed25519"
 version = "1.5.3"
@@ -1991,9 +2005,9 @@ checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
 
 [[package]]
 name = "elliptic-curve"
-version = "0.13.5"
+version = "0.13.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "968405c8fdc9b3bf4df0a6638858cc0b52462836ab6b1c87377785dd09cf1c0b"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
 dependencies = [
  "base16ct",
  "crypto-bigint",
@@ -2002,7 +2016,10 @@ dependencies = [
  "generic-array",
  "group",
  "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
  "rand_core 0.6.4",
+ "sec1",
  "subtle",
  "zeroize",
 ]
@@ -2047,7 +2064,7 @@ dependencies = [
  "rand 0.8.5",
  "reqwest",
  "russh",
- "russh-keys",
+ "russh-keys 0.38.0",
  "tokio",
  "toml 0.8.8",
  "trust-dns-resolver",
@@ -4916,6 +4933,7 @@ name = "omicron-workspace-hack"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "base16ct",
  "bit-set",
  "bit-vec",
  "bitflags 1.3.2",
@@ -4934,10 +4952,13 @@ dependencies = [
  "crossbeam-utils",
  "crossterm",
  "crypto-common",
+ "der",
  "diesel",
  "digest",
  "either",
+ "elliptic-curve",
  "errno",
+ "ff",
  "flate2",
  "futures",
  "futures-channel",
@@ -4949,8 +4970,10 @@ dependencies = [
  "gateway-messages",
  "generic-array",
  "getrandom 0.2.10",
+ "group",
  "hashbrown 0.13.2",
  "hex",
+ "hmac",
  "hyper",
  "hyper-rustls",
  "indexmap 2.1.0",
@@ -4970,6 +4993,7 @@ dependencies = [
  "num-traits",
  "once_cell",
  "openapiv3",
+ "pem-rfc7468",
  "petgraph",
  "postgres-types",
  "ppv-lite86",
@@ -4988,7 +5012,6 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2",
- "signature 2.1.0",
  "similar",
  "slog",
  "snafu",
@@ -5410,6 +5433,18 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
 [[package]]
 name = "packed_struct"
 version = "0.10.1"
@@ -5991,6 +6026,15 @@ dependencies = [
  "syn 2.0.32",
 ]
 
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
 [[package]]
 name = "proc-macro-crate"
 version = "1.3.1"
@@ -6607,6 +6651,16 @@ dependencies = [
  "quick-error",
 ]
 
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
 [[package]]
 name = "ring"
 version = "0.16.20"
@@ -6724,9 +6778,9 @@ dependencies = [
 
 [[package]]
 name = "russh"
-version = "0.39.0"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7878311587d0353a854d5be954fbe68bdf6e77873933b484d1e45db12bb2f8cf"
+checksum = "98bee7ebcce06bfc40a46b9d90205c6132d899bb9095c5ce9da3cdad8ec0833d"
 dependencies = [
  "aes",
  "aes-gcm",
@@ -6748,7 +6802,7 @@ dependencies = [
  "poly1305",
  "rand 0.8.5",
  "russh-cryptovec",
- "russh-keys",
+ "russh-keys 0.40.0",
  "sha1",
  "sha2",
  "subtle",
@@ -6803,6 +6857,44 @@ dependencies = [
  "yasna",
 ]
 
+[[package]]
+name = "russh-keys"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b5d5a656fe1c3024d829d054cd8c0c78dc831e4b2d4b08360569c3b38f3017f"
+dependencies = [
+ "aes",
+ "async-trait",
+ "bcrypt-pbkdf",
+ "bit-vec",
+ "block-padding",
+ "byteorder",
+ "cbc",
+ "ctr",
+ "data-encoding",
+ "dirs",
+ "ed25519-dalek",
+ "futures",
+ "hmac",
+ "inout",
+ "log",
+ "md5",
+ "num-bigint",
+ "num-integer",
+ "p256",
+ "pbkdf2 0.11.0",
+ "rand 0.7.3",
+ "rand_core 0.6.4",
+ "russh-cryptovec",
+ "serde",
+ "sha1",
+ "sha2",
+ "thiserror",
+ "tokio",
+ "tokio-stream",
+ "yasna",
+]
+
 [[package]]
 name = "rust-argon2"
 version = "1.0.1"
@@ -7077,6 +7169,20 @@ dependencies = [
  "untrusted 0.7.1",
 ]
 
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "secrecy"
 version = "0.8.0"
diff --git a/end-to-end-tests/Cargo.toml b/end-to-end-tests/Cargo.toml
index e78a8792d3..4c20772c5d 100644
--- a/end-to-end-tests/Cargo.toml
+++ b/end-to-end-tests/Cargo.toml
@@ -15,7 +15,7 @@ omicron-test-utils.workspace = true
 oxide-client.workspace = true
 rand.workspace = true
 reqwest.workspace = true
-russh = "0.39.0"
+russh = "0.40.0"
 russh-keys = "0.38.0"
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 toml.workspace = true
diff --git a/workspace-hack/Cargo.toml b/workspace-hack/Cargo.toml
index fe7c3bdc81..098509291a 100644
--- a/workspace-hack/Cargo.toml
+++ b/workspace-hack/Cargo.toml
@@ -15,6 +15,7 @@ publish = false
 ### BEGIN HAKARI SECTION
 [dependencies]
 anyhow = { version = "1.0.75", features = ["backtrace"] }
+base16ct = { version = "0.2.0", default-features = false, features = ["alloc"] }
 bit-set = { version = "0.5.3" }
 bit-vec = { version = "0.6.3" }
 bitflags-dff4ba8e3ae991db = { package = "bitflags", version = "1.3.2" }
@@ -33,9 +34,12 @@ crossbeam-epoch = { version = "0.9.15" }
 crossbeam-utils = { version = "0.8.16" }
 crossterm = { version = "0.27.0", features = ["event-stream", "serde"] }
 crypto-common = { version = "0.1.6", default-features = false, features = ["getrandom", "std"] }
+der = { version = "0.7.8", default-features = false, features = ["derive", "flagset", "oid", "pem", "std"] }
 diesel = { version = "2.1.4", features = ["chrono", "i-implement-a-third-party-backend-and-opt-into-breaking-changes", "network-address", "postgres", "r2d2", "serde_json", "uuid"] }
 digest = { version = "0.10.7", features = ["mac", "oid", "std"] }
 either = { version = "1.9.0" }
+elliptic-curve = { version = "0.13.8", features = ["ecdh", "hazmat", "pem", "std"] }
+ff = { version = "0.13.0", default-features = false, features = ["alloc"] }
 flate2 = { version = "1.0.28" }
 futures = { version = "0.3.29" }
 futures-channel = { version = "0.3.29", features = ["sink"] }
@@ -47,8 +51,10 @@ futures-util = { version = "0.3.29", features = ["channel", "io", "sink"] }
 gateway-messages = { git = "https://github.com/oxidecomputer/management-gateway-service", rev = "2739c18e80697aa6bc235c935176d14b4d757ee9", features = ["std"] }
 generic-array = { version = "0.14.7", default-features = false, features = ["more_lengths", "zeroize"] }
 getrandom = { version = "0.2.10", default-features = false, features = ["js", "rdrand", "std"] }
+group = { version = "0.13.0", default-features = false, features = ["alloc"] }
 hashbrown = { version = "0.13.2" }
 hex = { version = "0.4.3", features = ["serde"] }
+hmac = { version = "0.12.1", default-features = false, features = ["reset"] }
 hyper = { version = "0.14.27", features = ["full"] }
 indexmap = { version = "2.1.0", features = ["serde"] }
 inout = { version = "0.1.3", default-features = false, features = ["std"] }
@@ -65,6 +71,7 @@ num-integer = { version = "0.1.45", features = ["i128"] }
 num-iter = { version = "0.1.43", default-features = false, features = ["i128"] }
 num-traits = { version = "0.2.16", features = ["i128", "libm"] }
 openapiv3 = { version = "2.0.0-rc.1", default-features = false, features = ["skip_serializing_defaults"] }
+pem-rfc7468 = { version = "0.7.0", default-features = false, features = ["std"] }
 petgraph = { version = "0.6.4", features = ["serde-1"] }
 postgres-types = { version = "0.2.6", default-features = false, features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] }
 ppv-lite86 = { version = "0.2.17", default-features = false, features = ["simd", "std"] }
@@ -82,7 +89,6 @@ semver = { version = "1.0.20", features = ["serde"] }
 serde = { version = "1.0.192", features = ["alloc", "derive", "rc"] }
 serde_json = { version = "1.0.108", features = ["raw_value"] }
 sha2 = { version = "0.10.8", features = ["oid"] }
-signature = { version = "2.1.0", default-features = false, features = ["digest", "rand_core", "std"] }
 similar = { version = "2.2.1", features = ["inline", "unicode"] }
 slog = { version = "2.7.0", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug", "release_max_level_trace"] }
 snafu = { version = "0.7.5", features = ["futures"] }
@@ -110,6 +116,7 @@ zip = { version = "0.6.6", default-features = false, features = ["bzip2", "defla
 
 [build-dependencies]
 anyhow = { version = "1.0.75", features = ["backtrace"] }
+base16ct = { version = "0.2.0", default-features = false, features = ["alloc"] }
 bit-set = { version = "0.5.3" }
 bit-vec = { version = "0.6.3" }
 bitflags-dff4ba8e3ae991db = { package = "bitflags", version = "1.3.2" }
@@ -128,9 +135,12 @@ crossbeam-epoch = { version = "0.9.15" }
 crossbeam-utils = { version = "0.8.16" }
 crossterm = { version = "0.27.0", features = ["event-stream", "serde"] }
 crypto-common = { version = "0.1.6", default-features = false, features = ["getrandom", "std"] }
+der = { version = "0.7.8", default-features = false, features = ["derive", "flagset", "oid", "pem", "std"] }
 diesel = { version = "2.1.4", features = ["chrono", "i-implement-a-third-party-backend-and-opt-into-breaking-changes", "network-address", "postgres", "r2d2", "serde_json", "uuid"] }
 digest = { version = "0.10.7", features = ["mac", "oid", "std"] }
 either = { version = "1.9.0" }
+elliptic-curve = { version = "0.13.8", features = ["ecdh", "hazmat", "pem", "std"] }
+ff = { version = "0.13.0", default-features = false, features = ["alloc"] }
 flate2 = { version = "1.0.28" }
 futures = { version = "0.3.29" }
 futures-channel = { version = "0.3.29", features = ["sink"] }
@@ -142,8 +152,10 @@ futures-util = { version = "0.3.29", features = ["channel", "io", "sink"] }
 gateway-messages = { git = "https://github.com/oxidecomputer/management-gateway-service", rev = "2739c18e80697aa6bc235c935176d14b4d757ee9", features = ["std"] }
 generic-array = { version = "0.14.7", default-features = false, features = ["more_lengths", "zeroize"] }
 getrandom = { version = "0.2.10", default-features = false, features = ["js", "rdrand", "std"] }
+group = { version = "0.13.0", default-features = false, features = ["alloc"] }
 hashbrown = { version = "0.13.2" }
 hex = { version = "0.4.3", features = ["serde"] }
+hmac = { version = "0.12.1", default-features = false, features = ["reset"] }
 hyper = { version = "0.14.27", features = ["full"] }
 indexmap = { version = "2.1.0", features = ["serde"] }
 inout = { version = "0.1.3", default-features = false, features = ["std"] }
@@ -160,6 +172,7 @@ num-integer = { version = "0.1.45", features = ["i128"] }
 num-iter = { version = "0.1.43", default-features = false, features = ["i128"] }
 num-traits = { version = "0.2.16", features = ["i128", "libm"] }
 openapiv3 = { version = "2.0.0-rc.1", default-features = false, features = ["skip_serializing_defaults"] }
+pem-rfc7468 = { version = "0.7.0", default-features = false, features = ["std"] }
 petgraph = { version = "0.6.4", features = ["serde-1"] }
 postgres-types = { version = "0.2.6", default-features = false, features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] }
 ppv-lite86 = { version = "0.2.17", default-features = false, features = ["simd", "std"] }
@@ -177,7 +190,6 @@ semver = { version = "1.0.20", features = ["serde"] }
 serde = { version = "1.0.192", features = ["alloc", "derive", "rc"] }
 serde_json = { version = "1.0.108", features = ["raw_value"] }
 sha2 = { version = "0.10.8", features = ["oid"] }
-signature = { version = "2.1.0", default-features = false, features = ["digest", "rand_core", "std"] }
 similar = { version = "2.2.1", features = ["inline", "unicode"] }
 slog = { version = "2.7.0", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug", "release_max_level_trace"] }
 snafu = { version = "0.7.5", features = ["futures"] }