diff --git a/tpm/tss2/signer.go b/tpm/tss2/signer.go
index 037b8f4a..90225480 100644
--- a/tpm/tss2/signer.go
+++ b/tpm/tss2/signer.go
@@ -59,6 +59,8 @@ type Signer struct {
 // [TPMKey]. The caller is responsible of opening and closing the TPM.
 func CreateSigner(rw io.ReadWriter, key *TPMKey) (crypto.Signer, error) {
 switch {
+ case rw == nil:
+ return nil, fmt.Errorf("invalid TPM channel: rw cannot be nil")
 case !key.Type.Equal(oidLoadableKey):
 return nil, fmt.Errorf("invalid TSS2 key: type %q is not valid", key.Type.String())
 case len(key.Policy) != 0:
diff --git a/tpm/tss2/signer_test.go b/tpm/tss2/signer_test.go
index df41e710..5b36d7de 100644
--- a/tpm/tss2/signer_test.go
+++ b/tpm/tss2/signer_test.go
@@ -145,6 +145,7 @@ func TestCreateSigner(t *testing.T) {
 {"ok", args{&rw, key}, &Signer{
 rw: &rw, publicKey: publicKey, tpmKey: key,
 }, assert.NoError},
+ {"fail rw", args{nil, key}, nil, assert.Error},
 {"fail type", args{&rw, modKey(func(k *TPMKey) {
 k.Type = oidSealedKey
 })}, nil, assert.Error},
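Review bot: In `CreateSigner` (tpm/tss2/signer.go), the case right after the new `rw == nil` guard, `case !key.Type.Equal(oidLoadableKey)`, dereferences `key` with no nil check, so a nil `*TPMKey` would still panic instead of returning an error. Consider adding `case key == nil:` with `return nil, fmt.Errorf("invalid TSS2 key: key cannot be nil")` ahead of the type check, plus a matching entry in the TestCreateSigner table. Note also that `rw == nil` only catches an untyped nil; a nil pointer of a concrete type stored in the `io.ReadWriter` compares non-nil and would pass this guard, which is worth stating in the doc comment. The switch continues past the end of the hunk, so the later cases are not visible here.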