diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 1941a634..db745c1a 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -30,6 +30,7 @@ SecureBits=keep-caps
 NoNewPrivileges=yes
 ; Sandboxing
+; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
@@ -44,8 +45,8 @@ LockPersonality=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 RestrictRealtime=true
-; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
 PrivateDevices=true
+SystemCallFilter=@system-service
 MemoryDenyWriteExecute=true
 ReadWriteDirectories=/etc/step-ca/db
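Review bot: The new `SystemCallFilter=@system-service` line is added without `SystemCallArchitectures=native`, which systemd recommends pairing with a syscall filter so the allow-list cannot be sidestepped through a non-native ABI; add `SystemCallArchitectures=native` directly after it. With the filter in place a call outside the set terminates step-ca with SIGSYS by default, so either keep that fail-closed behaviour deliberately or add `SystemCallErrorNumber=EPERM` if a logged error is preferred over a crash. The "confirmed this works" comment removed from above `PrivateDevices=true` is replaced in the first hunk by a broader note under `; Sandboxing`, but that confirmation predates the syscall filter and the pcscd/PIV path has not visibly been re-tested with it, so the comment should say which directives were actually verified. The `[Service]` section continues outside both hunks.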