| ▲ | graemep 10 hours ago |
| You should encrypt your ssh keys anyway, and you should encrypt anything sensitive you are backing up to a cloud. |
|
| ▲ | trey-jones 10 hours ago | parent | next [-] |
| Private keys should never leave the device where they are created. |
| |
| ▲ | graemep 9 hours ago | parent [-] | | So no backups? | | |
| ▲ | Tuna-Fish 8 hours ago | parent | next [-] | | Correct. Private keys should never be backed up. Instead, should you need a backup, you should create a distinct key for that purpose. | | |
| ▲ | TurdF3rguson 7 hours ago | parent [-] | | That's a great plan until you're locked out of all your devices with no backup. | | |
| ▲ | derefr 5 hours ago | parent [-] | | I think the implication is that you should own multiple client devices capable of SSHing into things, each with their own SSH keypair; and every SSH host you interact with should have multiple of your devices’ keypairs registered to it. | | |
| ▲ | TurdF3rguson 3 hours ago | parent [-] | | Right, and to never backup the keys which means losing of all your devices means you can't possibly recover. |
|
|
| |
| ▲ | leni536 8 hours ago | parent | prev [-] | | You can have backup private keys, they don't have to be copies of some other private keys. |
|
|
|
| ▲ | 9dev 10 hours ago | parent | prev [-] |
| Actually, you shouldn’t. You probably use an easy-to-remember password on SSH keys since you have to type them often, but that also means you’re storing one of your (let’s face it, the primary) password you have in a single file, readable to every executable your run under your account. And that means you’re one exfil away from not only getting your SSH keys compromised, but also allowing an attacker to run an offline decryption attack with unlimited attempts. This invariably leads to your main password getting compromised. Instead, set up SSH certificates, MFA, Yubikey, or TPM/Enclave storage for your private keys. |
| |
| ▲ | yjftsjthsd-h 10 hours ago | parent | next [-] | | > You probably use an easy-to-remember password on SSH keys since you have to type them often No, use ssh-agent and decrypt once per boot. > Instead, set up SSH certificates, MFA, Yubikey, or TPM/Enclave storage for your private keys. Granted, I agree with this, too. | |
| ▲ | bityard 7 hours ago | parent | prev [-] | | > but also allowing an attacker to run an offline decryption attack with unlimited attempts. This invariably leads to your main password getting compromised. Do the OpenSSH authors not know about PKBDF2 or similar? |
|
