how do you manage your personal ssh keys?
I have a number of computers and accounts in my life that has ssh keys on them, and I find that it's too many for me to keep track on by the basis of "just remembering". Home laptop, home desktop linux, home desktop windows, home desktop wsl, work desktop windows, work desktop wsl, sometimes more than one key for each of those. I'm thinking about putting a folder in my cloud solution with all the .pub files and and a text file describing what the keys are and what they have access to, but maybe there's better ways, or maybe there's security issues with that approach that I don't understand. When I try to read up about ssh key managements most everything seems to be targeted towards organizations which have related, but not the same issues that an individual does.
Anyway, I'd love to get your input.
Hmm, maybe I shouldn’t just use that one rsa key I generated 10 years ago.
I was thinking the same. I use one key for everything. It has password to it, but maybe it's not good enough to ue just one...?
Also - I don't use SSH in my job, so this one key accesses only my personal PCs.
Yesterday I mentioned in a different post that 1Password can store "secure notes" in your encrypted vault. Well I'm here in this thread today to point out that it also supports securely storing SSH keys, among a large number of other types of sensitive data.
I've recommended 1Password for many years. I think a good password manager is an essential these days, and it's certainly a very good one. But there are lots of competing tools available too, and I bet you could store SSH keys in most of them.
Bitwarden has a similar function I believe (just to give a name of a competing tool that's free for personal use).
Yes, that's what I use. And I must say, I'm quite happy with it.
I also hopped in here to mention 1Password! I’ve started using it for SSH keys lately and it rocks. Very smooth, protected with built in biometrics, and available on all of my devices. Plus, you can use SSH keys to sign git commits now!
Out of curiosity, how does 1P handle the key file when something like the ssh client is looking for it? Are you copying the key into your ssh directory before using it, or is there something automatic happening?
I don’t personally use 1pass for SSH (I use Tailscale SSH for personal devices and my job has some fancy CA setup) but I believe it has your ssh agent query 1pass directly when trying to use a key, so you’d need to unlock your vault to access them each time.
Could be totally wrong, just remembering off the top of my head.
edit: seems I was mostly right, but they do have their own ssh agent that you use in place of the regular one, seems pretty neat: https://developer.1password.com/docs/ssh/agent/security/
I use the 1password ssh agent and can confirm this is how it works. Whenever an app needs my SSH key I get prompted to unlock my vault (which would maybe be a hassle if you're entering your master password each time, but it's fine on my MacBook because I can use the fingerprint sensor). The decrypted/unlocked state of the keys has a separate timeout from the rest of your vault though, so for example I have access to my passwords set to lock after 10 minutes of inactivity but my SSH keys only need to be unlocked again every few hours.
It can be a slight hassle if you're running a long script that needs your keys, for example I have a script to deploy the dev environment for my current work project on a kubernetes cluster, and it needs to do some git operations after waiting for a long running task, so when I ran it and walked away it would fail because I wasn't around to unlock the key when the script needed it. Hence setting a longer timeout.
Thanks, that does seem neat.
I use keepass and dropbox sync, which isn't necessarily more secure, but it has a less public attack surface, and its free after the sunk cost of dropbox. It seems there is a plugin called Keeagent that does something similar, so I'll have try to out.
KeePassXC also has support for SSH Agents (slightly different to 1Password: it adds/removes keys from another agent, rather than being an agent itself).
Some apps (incorrectly) only expect a keyfile and ignore SSH agents, so it is possible you'll find yourself forced to do that. It's pretty rare though
I will 2nd this. 1Password is an invaluable tool for me and this feature is just one of many reasons why. There’s also Bitwarden (and its offshoots) as alternatives but they take some setup and are mostly self-hosted. 1Password is about as convenient as this process can be made and its other features make me a huge proponent of it.
I keep separate keys in each environment and name them for what they are. For example, GitHub.ecdsa and GitHub.ecdsa.pub. If key naming is possible on the server, I name it after the environment/machine it's from.
Benefits:
Yes it is a lot of keys, but situations like losing access to a work machine do happen. Then if I forgot to remove the key from GitLab or wherever, I'll notice it immediately the next time I see the key list.
I do something similar. Limits the blast radius if a key gets out somehow and like you said, makes it easy to revoke access as needed.
I wish there were more robust support for storing keys in TPMs on generic PCs. On my Mac I keep keys in its Secure Enclave which isn’t perfect in terms of security but requires Touch ID to access and feels better than just having them rattling around loose in
~/.ssh/for any program with access to my home folder to grab.This is what I do for MediaWiki bot passwords which are how you authenticate to do API edits on MediaWiki wikis. Each key is a machine name + a function, or just a function if it's for my primary desktop.
So like
...etc.
Highly recommend this practice whenever you have to name things that authenticate in similar ways
A pointed response: if you're having trouble keeping track all of the endpoints you're SSHing from, you have too many contexts to keep secure and up to date.
If your priority is security, the best strategy is to simplify your mission critical remote access to as few keys and trusted contexts as possible. Your best bang for buck is to partition your device contexts into privileged and unprivileged and give remote access to only the privileged ones.
I use the built in ed25519-sk type in SSH 8.2+ to generate keys based on my Yubikeys. Each device has its own security key, which is set to require a tap to authenticate. The SSH keys are also encrypted (password protected).
This way, it's not feasible to extract the SSH key using software (it requires the physical key) and if my device was stolen or I lost access you'd still need a passphrase to load the key. I don't create different keys per service -- the only benefit I see there is anonymity (since servers can identify you based on your GitHub SSH public keys), and I don't SSH into unfamiliar servers.
I never make a private key without a passphrase for ssh auth. I typically use one passphrase per domain (work, home, etc) and one key per service/server. I can usually keep track of two or three passphrases by memory but keep them in my password manager as fallback.
If I have superuser keys, I will use a different passphrase that my regular user keys. I usually have to look them up because they are rarely used.
As for the key files themselves, I usually manually copy them to dropbox/one drive or make sure they are included in whatever backup solution is being used.
You can set up ~/.ssh/config with rules about which key is used for which server. If you just have a few keys it will automatically try all of them, but once you have more than the retry limit, you'll get errors back from the server and need to specify them.
Edit: fixed the ssh config file path
I just make sure to label them well (
ssh-keygen -C "your description here", defaults to username@hostname), and insure my main server has a copy of all the pub keys. And since public keys are public...no reason not to just through them up anywhere.I have an ansible script there for sending out new public keys which wipes the old ones. So long as I don't lose my phone, laptop, desktop, server, remote server, and wife's laptop all in one day, I'll be OK.
I just spam ‘em, have strong passphrases on everything and don’t sweat it too much?
I generate different private keys for each computer and never copy them to another device. I do use a password, but not a particularly strong one. On Macs, ssh-agent is started automatically and I use ssh-add, so I only need to retype the password after rebooting.
The only computers that I ssh from are my desktop and laptop. So, I only need to add new public keys (for example, to my GitHub account) when I get a new computer. (So this means that I rotate private keys at the same rate that I rotate computers.)
Maybe a not-so-well-known solution. But you could consider using SSH certificates instead?
Instead of thinking in keys, you should be thinking about identities. A certificate represents a user and the servers know what that user should have access to.
Maybe it is too much for your usecase, but SSH certificate authentication tends to solve a LOT of problems.
https://smallstep.com/blog/use-ssh-certificates/
Wow, so many ideas and so much great input, I had no idea this was gonna blow up. I think the first thing I'm gonna do is start using -C properly in combination with giving the files sane names. "id_rsa" doesn't tell you much, that will solve a lot of the headaches I think. I'll let the rest take some time to sink in.