How do you manage SSH keys?

I have multiple keys and multiple computers and multiple ssh config files, both for my private life and work. Sometimes I work remotely, sometimes I work on premises, sometimes I’m using a laptop, desktop, workstation.

How the hell do you guys keep your SSH keys securely stored and managed? I want to bring home a private key with me, but I don’t just want it floating around on my desktop or in my ssh-agent.

I was looking for a software solution that maybe works the way a password manager does, but so far I haven’t found anything compelling.


I’ve been meaning to watch this myself

1 Like

Great topic @COGlory

At the moment I keep my ssh keys inside my KeePassXC vault, with the keys as an attachment for an entry relating to each account/host. Not the most elegant of solutions so will definitely watch that video from @blooper98

1 Like

The correct way to manage keys is to only copy the PUBLIC key from the machine you generated it on to the destinations you want to log in with it.

Want to log in from a new host? Generate keypair and upload the pub key.

This way if a machine is compromised or stolen you can easily remove the authorised key (which should be password protected anyway) from the relevant hosts.

Copying private keys around to multiple hosts is a bad idea.

Alternatively look at storing your private keys on a youbikey and plug that in where you need it.

For personal use, I load my ssh key on my yubikey, but for work, we keep the keys in SSM and have a python wrapper that let’s us tunnel in automagically.

1 Like

This via gpg and require touch. It’s beautiful. You can make backup copies too. It dramatically reduces my anxiety about ssh.

Doesn’t scale for lots of keys, but with that level of security, you should feel more comfortable consolidating down to one or two.

1 Like

Yubikey(s), I have several plugged into laptops and monitors, and one on my keychain.

I currently copy authorized_keys around… I really should switch to ssh user certs to avoid having to keep these in sync.

Oh, so I am doing it right then? Nice :rofl:

I basically just do ssh-copy-id manually for any server I access regularly from a given PC. Or course this assumes password only based access is available, so I’m doing that part wrong.

1 Like

copy, not identity to be clear