diff --git a/man/backend-tpm1x.h b/man/backend-tpm1x.h
index 944c75a..8f302b0 100644
--- a/man/backend-tpm1x.h
+++ b/man/backend-tpm1x.h
@@ -2,7 +2,8 @@
 
 ### TPM selection
 
-The tzpfms suite always connects to a local tcsd(8) process (at `localhost:30003`).
+The tzpfms suite connects to a local tcsd(8) process (at `localhost:30003`) by default.
+Use the environment variable `TZPFMS_TPM1X` to specify a remote TCS hostname.
 
 The TrouSerS tcsd(8) daemon will try `/dev/tpm0`, then `/udev/tpm0`, then `/dev/tpm`;
 by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.
diff --git a/src/tpm1x.hpp b/src/tpm1x.hpp
index e1e6f9d..56f5500 100644
--- a/src/tpm1x.hpp
+++ b/src/tpm1x.hpp
@@ -31,7 +31,14 @@ template <class F>
 int with_tpm1x_session(F && func) {
 	TSS_HCONTEXT ctx{};  // All memory lives as long as this does
 	TRY_TPM1X("create TPM context", Tspi_Context_Create(&ctx));
-	TRY_TPM1X("connect TPM context to TPM", Tspi_Context_Connect(ctx, nullptr));
+
+	{
+		UNICODE * tcs_address{};
+		quickscope_wrapper tcs_address_deleter{[&] { free(tcs_address); }};
+		if(auto addr = getenv("TZPFMS_TPM1X"))
+			tcs_address = reinterpret_cast<UNICODE *>(TRY_PTR("allocate remote TPM address", Trspi_Native_To_UNICODE(reinterpret_cast<BYTE *>(addr), nullptr)));
+		TRY_TPM1X("connect TPM context to TPM", Tspi_Context_Connect(ctx, tcs_address));
+	}
 	quickscope_wrapper ctx_deleter{[&] {
 		Trspi_Error_String(Tspi_Context_FreeMemory(ctx, nullptr));
 		Trspi_Error_String(Tspi_Context_Close(ctx));