diff --git a/examples/suit_update/README.hardware.md b/examples/suit_update/README.hardware.md
index 2a321d8af8..9e61102e67 100644
--- a/examples/suit_update/README.hardware.md
+++ b/examples/suit_update/README.hardware.md
@@ -571,7 +571,7 @@ The following default values are using for generating the manifest:
     SUIT_SEQNR ?= $(APP_VER)
     SUIT_CLASS ?= $(BOARD)
     SUIT_KEY ?= default
-    SUIT_KEY_DIR ?= $(RIOTBASE)/keys
+    SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
     SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem
 
 All files (both slot binaries, both manifests, copies of manifests with
diff --git a/examples/suit_update/README.md b/examples/suit_update/README.md
index 1360ef1906..9ec878747b 100644
--- a/examples/suit_update/README.md
+++ b/examples/suit_update/README.md
@@ -62,7 +62,8 @@ SUIT keys consist of a private and a public key file, stored in `$(SUIT_KEY_DIR)
 Similar to how ssh names its keyfiles, the public key filename equals the
 private key file, but has an extra `.pub` appended.
 
-`SUIT_KEY_DIR` defaults to the `keys/` folder at the top of a RIOT checkout.
+`SUIT_KEY_DIR` defaults to the `keys/` folder in `$XDG_DATA_HOME/RIOT`
+(usually `~/.local/share/RIOT/keys`).
 
 If the chosen key doesn't exist, it will be generated automatically.
 That step can be done manually using the `suit/genkey` target.
diff --git a/makefiles/suit.base.inc.mk b/makefiles/suit.base.inc.mk
index 19bf209502..757f73632f 100644
--- a/makefiles/suit.base.inc.mk
+++ b/makefiles/suit.base.inc.mk
@@ -10,11 +10,12 @@ SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool
 # Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key
 # files.
 SUIT_KEY ?= default
+XDG_DATA_HOME ?= $(HOME)/.local/share
 
 ifeq (1, $(RIOT_CI_BUILD))
   SUIT_KEY_DIR ?= $(BINDIR)
 else
-  SUIT_KEY_DIR ?= $(RIOTBASE)/keys
+  SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
 endif
 
 # Enable user to encrypt private key with a password