cedws 44 minutes ago

You're not really supposed to 'export' keys. Any time you move a key you risk exposing it. The idea of PKI is that only public keys move, the private key stays in one place, ideally never seen.

jedberg 39 minutes ago | parent | next [-]

I've been in the security space for 25 years, and understand the theory of PKI. But I've also been in the ops space for 30 years, and understand that if you don't balance security theory with operational practice, critical business functions can fail.

Ideally yes, the private key is never seen. In reality, it needs to be backed up in a secure place so it can be restored in the event of a failure.

pi-rat 23 minutes ago | parent | next [-]

You can use more than one key, you know.

Keep the private key you actively use in the secure enclave. The system you actively use is most at risk.

Keep a secondary offline private key as backup. You can generate and store it in a secure location, and never move it around. Airgapped even if you want. You could even use a YubiKey or other hardware for the secondary key, giving you two hard-to-export keys.

Distribute pub keys for both of them.

Best of both worlds?
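An added example, not part of the thread or any commenter's post: with the two-key scheme described above, a host whose `authorized_keys` lacks the backup public key is a lockout waiting to happen, so this sketch audits each host for both fingerprints and for keys that should no longer be there. The host names, key comments and key bytes are constructed sample data, and `audit` and the other helper names are hypothetical.

```python
import base64, hashlib, re, struct

# Optional options field, then key type, then base64 blob (authorized_keys format).
KEY_RE = re.compile(r"(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.\-]+)\s+([A-Za-z0-9+/]+=*)")

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> set:
    """Fingerprints of every well-formed key line; malformed lines are skipped."""
    found = set()
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed type that must match the declared one.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + n] == m.group(1).encode():
            found.add(fingerprint(blob))
    return found

def audit(hosts: dict, primary_fp: str, backup_fp: str) -> dict:
    """Per host: which of the two keys is missing, and which keys are unexpected."""
    report = {}
    for host, text in hosts.items():
        fps = parse_authorized_keys(text)
        wanted = (("primary", primary_fp), ("backup", backup_fp))
        report[host] = {"missing": [name for name, fp in wanted if fp not in fps],
                        "unexpected": sorted(fps - {primary_fp, backup_fp})}
    return report

def constructed_pubkey(fill: int, comment: str) -> str:
    """Constructed sample: well-formed ssh-ed25519 line with filler key bytes."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

PRIMARY, BACKUP, STALE = (constructed_pubkey(f, c) for f, c in
                          ((0x11, "laptop-enclave"), (0x22, "offline-backup"), (0x33, "old-laptop")))
HOSTS = {"web1": f"{PRIMARY}\n{BACKUP}\n",
         "db1": f"# constructed\nno-port-forwarding {PRIMARY}\n",
         "build1": f"{PRIMARY}\n{BACKUP}\n{STALE}\n"}
fp_of = lambda line: next(iter(parse_authorized_keys(line)))

if __name__ == "__main__":
    for host, result in audit(HOSTS, fp_of(PRIMARY), fp_of(BACKUP)).items():
        print(host, result)
```
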

philsnow 5 minutes ago | parent | prev | next [-]

> if you don't balance security theory with operational practice, critical business functions can fail

i.e. people will circumvent the secure-but-onerous path. (I don't think they can be faulted for trying to get their work done either, I'm agreeing with you)

eptcyka 7 minutes ago | parent | prev [-]

In what scenario would you prefer to back up an SSH key in favor of generating new SSH keys?

asteroidburger 35 minutes ago | parent | prev [-]

It's much safer to export a key one time and import it into a new machine, or store it in a secure backup, than to keep it just hanging out on disk for eternity, and potentially get scooped up by whatever malware happens to run on your machine.