Every decade or so the recommendations on best practices change, so I'm curious about the current best practices around SSH keys stored on a device (e.g. a laptop).

If we believe that the best practice currently is to have a new private key per client device (i.e. for each laptop, desktop, or phone) that one connects to a server from, then that opens the question in my mind of what folks are doing for passphrases for these keys.

Obviously the ideal would be very strong, unique passphrases per device, but then if one has 4+ devices, this can get fairly challenging to remember.

Do you use passphrases on per-device keys?
Do you re-use the passphrase across keys?
Do you forgo traditional SSH keys stored on the computer in favor of YubiKeys?
Do you have tools to help you manage which keys are on which hosts so you can retire or revoke them as necessary?

#SSH #InfoSec

I'm going to give some unsolicited thoughts on this beyond my own question in hopes someone tells me why I'm wrong.

I think per-client-device keys are the right approach. If your laptop is lost or stolen, then this should make it easy to revoke that keypair.

The problem is we don't seem to have good tooling around revocation. If my laptop is stolen, I want to be able to revoke that key quickly and easily. Similarly, I want to be able to quickly and easily introduce a new keypair for a new device, e.g. "I got a new laptop. Let me run this script where I use existing keys to validate the propagation of my new public key."

1/2

#Infosec
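The script wished for above, sketched as an added example (this is not code from the thread or from any of its participants). It assumes one convention that the thread does not state: every public key line in authorized_keys ends with a comment of the form user@device, so a lost device can be revoked by name. The sample authorized_keys content is constructed and the base64 blobs are placeholders, not real keys. The offline part edits a local copy of the file; rotate_on_host is the network step (install the new key over the old one, then verify with the new key) and is deliberately not run in the demo.

```sh
#!/bin/sh
# Added example, not from the original thread. Per-device SSH key bookkeeping on
# the server side (authorized_keys) plus a rotation helper that uses an existing
# key to install a new one and the new key to prove it landed.
# Assumed convention: each key line ends in a comment of the form user@device.

# Constructed sample authorized_keys content; blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS='# keys for serge
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERLAPTOP serge@laptop
restrict,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERDESKTOP serge@desktop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDERYUBIKEY serge@yubikey'

# Print the device name (text after the last @ in the comment) of every key line.
# Option prefixes such as restrict,from="..." are skipped by locating the key-type token.
list_devices() {
    awk '!/^[ \t]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { sub(/.*@/, "", $(i+2)); print $(i+2); break }
    }' "$1"
}

# Remove every key whose comment names the given device (e.g. a stolen laptop).
# Comment and blank lines are kept untouched.
revoke_device() {
    tmp="$1.tmp.$$"
    awk -v dev="$2" '
        /^[ \t]*(#|$)/ { print; next }
        {
            keep = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    c = $(i+2); sub(/.*@/, "", c)
                    if (c == dev) keep = 0
                    break
                }
            if (keep) print
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 if the exact key blob from the given public-key line is already present.
has_key() {
    blob=$(printf '%s\n' "$2" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i+1); exit } }')
    [ -n "$blob" ] && grep -qF -- "$blob" "$1"
}

# Append a public-key line unless its blob is already there, so re-running a
# propagation script never produces duplicates.
add_key() {
    has_key "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

count_keys() { list_devices "$1" | wc -l | tr -d ' '; }

# Network step (not run here): authenticate with OLD_KEY, install NEW_PUB_FILE
# idempotently, then authenticate with the new private key to verify before the
# old key is retired. Assumes NEW_PUB_FILE is a plain "type blob comment" line.
rotate_on_host() {
    old_key=$1; new_pub_file=$2; host=$3
    line=$(cat "$new_pub_file")
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    ssh -i "$old_key" -o IdentitiesOnly=yes "$host" \
        "umask 077; mkdir -p ~/.ssh; grep -qF -- '$blob' ~/.ssh/authorized_keys 2>/dev/null || printf '%s\n' '$line' >> ~/.ssh/authorized_keys" &&
    ssh -i "${new_pub_file%.pub}" -o IdentitiesOnly=yes "$host" true &&
    echo "new key verified on $host"
}

# Offline demo on a temporary copy of the constructed file: revoke the lost
# laptop, add the replacement twice (second add is a no-op).
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$f"
    echo "before: $(list_devices "$f" | tr '\n' ' ')"
    revoke_device "$f" laptop
    add_key "$f" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWLAPTOP serge@laptop-2024'
    add_key "$f" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWLAPTOP serge@laptop-2024'
    echo "after:  $(list_devices "$f" | tr '\n' ' ')"
    rm -f "$f"
}
demo
```

Matching on the comment is only as good as the discipline of naming keys per device; matching on the blob (has_key) is exact and is what add_key uses to stay idempotent. Rotating with IdentitiesOnly=yes on both ssh calls matters: without it the agent may silently authenticate with some other key and the "verification" proves nothing about the new one.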

Where I get a little controversial is that I believe SSH key passphrases are almost an anti-pattern. Their function is to decrypt the actual ssh key. Belt and suspenders is great. Having a second factor needed to use your SSH key is a nice idea if your laptop isn't properly screen/keyboard locked, but if it is, then the passphrase doesn't add any additional security. Reusing it shouldn't even be a problem *if you can revoke keys*.

Keys stored on physical hardware (i.e. YubiKeys) are better, and you can still get that second factor by using a PIN, but they're less convenient in other ways. You must always have two hardware devices in case one is lost or destroyed, and even then you can't just magically plug them into a new computer: you have to set up your SSH client to use the key.

Maybe someone will tell me you should use your phone as a smartcard?

The key management is the real problem. We don't have good key management tools to help us manage these keys.

2/2

#Infosec

@serge and what do you think about storing the key in the password manager? Both Bitwarden and KeePassXC have implemented ssh-agent support.
@naphtali
That effectively becomes a single key shared by all machines that can access the password manager (whether you control those machines or not).
@serge

@naphtali

The real issue here is traceability and revocability.

Instead of SSH keys, let's imagine we just had bearer tokens.

We'd want to separate out the tokens where possible.

The same here.

You could use the password manager to keep track of the passphrase though.

@viq