diff --git a/feature/tpm/attestation.go b/feature/tpm/attestation.go
index 49b80ade1..197a8d6b8 100644
--- a/feature/tpm/attestation.go
+++ b/feature/tpm/attestation.go
@@ -59,10 +59,12 @@ func newAttestationKey() (ak *attestationKey, retErr error) {
 SensitiveDataOrigin: true,
 UserWithAuth: true,
 AdminWithPolicy: true,
- NoDA: true,
- FixedTPM: true,
- FixedParent: true,
- SignEncrypt: true,
+ // We don't set an authorization policy on this key, so
+ // DA isn't helpful.
+ NoDA: true,
+ FixedTPM: true,
+ FixedParent: true,
+ SignEncrypt: true,
 },
 Parameters: tpm2.NewTPMUPublicParms(
 tpm2.TPMAlgECC,
diff --git a/feature/tpm/tpm.go b/feature/tpm/tpm.go
index 7cbdec088..8df269b95 100644
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -414,6 +414,9 @@ func tpmSeal(logf logger.Logf, data []byte) (*tpmSealedData, error) {
 FixedTPM: true,
 FixedParent: true,
 UserWithAuth: true,
+ // We don't set an authorization policy on this key, so DA
+ // isn't helpful.
+ NoDA: true,
 },
 }),
 }
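Review bot: The comment added next to `NoDA: true` in tpmSeal (tpm.go) justifies the flag by the absence of an authorization policy, but as I understand the TPM 2.0 model, dictionary-attack lockout counts failed auth-value authorizations, and this template also sets `UserWithAuth: true`. The exemption is therefore only harmless while the key's auth value is empty, and the sensitive area passed to the create call is outside the hunk, so that cannot be confirmed from here. If it is empty, I would state the real invariant: `// No auth value or policy is set on this key, so DA lockout protects nothing here. Revisit NoDA if a non-empty auth value is ever added.` The same wording applies to the comment added in newAttestationKey (attestation.go). Both function bodies extend beyond their hunks.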