How to store SSH keys


I've started using SSH keys instead of passwords just recently (thanks to GitHub, of course), so please keep in mind that I'm pretty new to this whole concept. Currently my keys simply lie under ~/.ssh, but I'm not sure if this is a good practice. E.g. if I have multiple machines, I'd need to duplicate my private keys, which I think is undesirable. Or, if my HDD goes kaput, then I'll lose those keys, which (I guess) is undesirable as well.

So, what are best practices on storing SSH keys securely, conveniently, and reliably?

Seems like using a smartcard is an option (see Smartcards for storing gpg/ssh keys (Linux) – what do I need?), is this the best one?

Update: The reason for the question was that many services (like GitHub, AWS EC2) provide guides on how to set up SSH keys for using the service, but little to no background (like, what to do if you already have a key generated by ssh-keygen [1], what are recommended security measures). And it's unclear whether that info is in fact unimportant, or you're expected to know it ‘by default’.

To sum up answers up to this point (but please read them, and if you have something to add—please do): seems like in this case it's fine if you just leave your private keys in ~/.ssh, as long as you keep them from other people; but make sure that you have another way to access the service to upload or generate a new key if you lose one (which is normally the case).

[1] GitHub used to provide help on how to manage multiple keys.

Best Answer

E.g. if I have multiple machines, I'd need to duplicate private keys, which I think is undesirable.

No, actually you don't. If you have multiple machines, you just create a separate private key on each one. For each private key, just upload the corresponding public key to GitHub using the same process.

Also, if my HDD go kaput, I'll lose my private key, which (I guess) is undesirable as well.

Not really; if you lose your private key, just generate a new one and upload the corresponding public key.

For what it's worth, you're right that duplicating a private key is highly undesirable. Ideally, a private key should be generated in one file (~/.ssh/id_rsa for example) and should never leave that file - that is, it should never be copied, moved, and especially not transferred over a network. (e.g. I exclude them from backups) Because of the nature of asymmetric authentication protocols, you only need to worry about keeping your private key out of the hands of others. If you go a bit overboard and you lose track of it yourself, it's generally not a big deal. (This is not to be confused with asymmetric encryption private keys, e.g. GPG keys, which you probably want to hold on to.)

Related Question