Serge from BabkaMay 1, 2025

Every decade or so the recommendations on best practices change, so I'm curious on the current best practices around SSH keys stored on a device (eg a laptop).

If we believe that the best practice currently is to have a new private key per client device (ie for each laptop, desktop, or phone) that one connects to a server from, then that opens the question in my mind of what are folks doing for passphrases for these keys.

Obviously the ideal would be very strong, unique passphrases per device, but then if one has 4+ devices, this can get fairly challenging to remember.

Do you use passphrases on per-device keys?
Do you re-use the passphrase across keys?
Do you forgo traditional ssh keys stored on the computer in favor of Yubikeys?
Do you have tools to help you manage which keys are on which hosts so you can retire or revoke them as necessary?

#SSH #InfoSec

Show threadBodilMay 1, 2025
@serge If you're doing per-device SSH keys, https://github.com/Foxboron/ssh-tpm-agent seems like a good idea.
GitHub - Foxboron/ssh-tpm-agent: :computer: ssh-agent for TPMs

:computer: :key: ssh-agent for TPMs. Contribute to Foxboron/ssh-tpm-agent development by creating an account on GitHub.

GitHub
Show threadSerge from Babka

@bodil

Interesting!

So then if I replace my laptop's motherboard, I need to generate new keys for it because now it's a new device.

That's okay (and maybe even good!).

Still have the challenges in key management, but this is a nice thing to check out! Thanks!

May 1, 2025 at 11:28amWeb