SSH Key Management: From Chaos to Security

{{IMAGE:1}}

SSH key management has become a surprisingly complex topic as security requirements evolve and the number of devices we use daily continues to grow. A recent discussion on Lobsters revealed a fascinating spectrum of approaches, from simple single-key setups to sophisticated hardware-backed certificate systems.

The Problem Space

The original poster's confession about their chaotic .ssh directory resonates with many developers. Multiple keys with forgotten purposes, scattered across systems, create both security risks and operational headaches. The fundamental question becomes: how do we balance security, convenience, and maintainability?

Common Approaches

Single Key Simplicity

Many users, like grahamc, opt for a single 1Password-managed SSH key for everything. This approach maximizes convenience but creates a single point of failure. If that key is compromised, all systems are potentially exposed.

Key Per Host

Some users advocate for one key per host, though as vpr notes, this requires wrapper scripts for generation and offers limited security advantage unless each key uses a different password. The management overhead often outweighs the benefits for most use cases.

Context-Based Separation

A middle ground involves separating keys by context—personal, work, and git-signing keys are common categories. This approach, used by users like viraptor and olex, provides reasonable compartmentalization without excessive complexity.

Hardware-Backed Solutions

YubiKey and FIDO2

Hardware tokens have gained significant traction. Users like sarcasticadmin use separate Yubikeys for personal and work, keeping keys portable and never stored on machines. The latest libssh release (0.12) added FIDO/U2F support, making this approach more accessible.

Secure Enclave Integration

macOS users have discovered native support for storing SSH keys in the Secure Enclave. Secretive, a Mac-only tool, has become popular for this purpose, as noted by z0mbix and gcollazo. This approach provides hardware binding without requiring separate tokens.

GPG Agent Integration

Several users, including bryfry and m_a_r_k, use GPG agents with Yubikey-backed keys. This approach consolidates SSH and GPG operations under a single authentication mechanism, though it requires careful key management and backup strategies.

Advanced Certificate-Based Systems

YubiKey as CA

Jamesog's approach of using a Yubikey as an SSH certificate authority represents a significant advancement. This allows for short-lived certificates signed by hardware-backed keys, combining the benefits of certificate-based authentication with hardware security.

Custom Certificate Authorities

Foxboron's work on ssh-tpm-agent and related projects demonstrates the bleeding edge of SSH key management. By combining TPM-backed keys with short-lived certificates issued through ACME challenges, this approach aims to eliminate long-lived SSH keys entirely while maintaining hardware binding.

Password Manager Integration

1Password SSH Agent

1Password's SSH agent has become a popular choice, allowing users to store keys in their password manager and access them through a dedicated agent. This approach, used by chloe and grahamc, provides good integration with existing password management workflows.

KeepassXC Integration

Users like benolivernine and ThinkChaos use KeepassXC for SSH key storage, appreciating the open-source nature and the ability to back up databases for team handoffs.

Configuration and Automation

SSH Config Mastery

Many users rely heavily on .ssh/config files to manage complex key setups. The classic Nerderati guide remains relevant for organizing host-specific configurations. Features like IdentitiesOnly and domain-based key selection help prevent identity leakage between contexts.

Git-Specific Workarounds

Skobes shared a useful git-specific trick: git clone -c core.sshCommand="ssh -i ~/.ssh/mykey_ed25519" [url] allows per-repository SSH key specification without modifying global configurations.

Backup and Recovery Strategies

Hardware Token Redundancy

Users with hardware-backed keys typically maintain multiple tokens with identical keys, plus offline paper backups stored securely. This approach, described by sarcasticadmin and m_a_r_k, provides resilience against hardware loss while maintaining security.

Cloud-Based Recovery

Some users rely on cloud password managers for recovery, though this introduces its own security considerations. The trade-off between convenience and potential exposure varies by threat model.

Emerging Trends and Future Directions

Tailscale SSH

Tailscale SSH represents a paradigm shift, eliminating traditional SSH key management by leveraging existing VPN authentication. Users like Diti find this approach compelling for Tailscale-connected infrastructure.

OpenID Connect Integration

The ability to use custom OpenID Connect providers for Tailscale authentication, as demonstrated by Diti using Codeberg, points toward more unified authentication systems that could eventually replace SSH keys entirely.

TPM-Based Hardware Binding

Foxboron's ssh-tpm-agent project and related work on TPM-based key storage represents an important trend toward making hardware-backed SSH keys more accessible without requiring separate tokens.

Threat Model Considerations

The right approach depends heavily on your threat model. As viraptor notes, users should be able to explain exactly why they're using a particular approach and what threats it mitigates. Common considerations include:

• Compliance requirements: Some organizations mandate key rotation or specific storage mechanisms
• Device loss scenarios: How easily can you recover if a device is lost or stolen?
• Insider threats: How well does the approach prevent unauthorized access from compromised client machines?
• Operational overhead: What's the cost of managing and maintaining the system?

Conclusion

SSH key management has evolved from simple file storage to sophisticated hardware-backed certificate systems. The best approach depends on your specific requirements, technical comfort level, and threat model. Whether you're using a single key in a password manager or building custom certificate authorities with TPM integration, the key is understanding the trade-offs and choosing a system you can maintain reliably.

As authentication systems continue to evolve, we may see traditional SSH keys become less central, replaced by certificate-based systems or unified authentication platforms. Until then, the diversity of approaches in the community provides options for every use case and security requirement.