SSH is an essential tool in my daily personal and professional tasks. From using Git, connecting to remote machines, managing servers with Ansible, and more, SSH is indispensable.
Separating Keys for Different Purposes
I follow a strict policy of using different SSH keys for different purposes:
This separation ensures better security and minimizes potential risks.
The Problem with Storing Keys in .ssh
In the past, I saved all my SSH keys under $HOME/.ssh/. This practice worked fine until I learned about a malicious npm package that was capable of stealing SSH keys. Although I protected my keys with passphrases, this news left me uneasy. To mitigate the risk, I decided to add an extra layer of security.
Enter KeePassXC and SSH Agent Integration
To enhance the security of my SSH keys, I started using KeePassXC with its SSH agent integration. Here’s how it works:
This setup gives me peace of mind. While I understand that everyone’s threat model is different, this system works perfectly for me.
Balancing Security and Convenience
Security often comes with trade-offs in convenience. For example, to SSH into a server, I need to:
While this process adds a few extra steps, I find the security benefits far outweigh the inconvenience.
Leveraging Ed25519-SK Keys for Enhanced Security
A recent improvement in OpenSSH is the support for ed25519-sk keys. These keys are stronger because they are bound to a hardware security device such as a YubiKey. Even if an attacker somehow obtains the private key file, they would also need physical access to my YubiKey to sign with it.
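Tying the three pieces together (one key per purpose, private keys served only through KeePassXC's agent integration, and a hardware-bound ed25519-sk key), here is an added example that is not from the original post; the hostnames, paths and key names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Hostnames, paths and key
# names are assumptions; adjust to your own setup.
set -eu

# Write an ssh_config that pins one key per purpose. IdentitiesOnly stops
# ssh from offering every key the agent holds to every host, so the work
# key is never presented to GitHub and vice versa. Each IdentityFile points
# at the *public* key only: the private half is not on disk, it lives in the
# KeePassXC database and is served by its ssh-agent integration.
write_ssh_config() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
Host *
    IdentitiesOnly yes

Host github.com
    IdentityFile ~/.ssh/pub/git_ed25519.pub

Host *.corp.example
    IdentityFile ~/.ssh/pub/work_ed25519_sk.pub

Host homelab
    HostName 10.0.0.5
    IdentityFile ~/.ssh/pub/homelab_ed25519.pub
EOF
    chmod 600 "$cfg"
}

# Sanity check: how many Host blocks pin an identity. Prints the count.
count_pinned_hosts() {
    grep -c '^    IdentityFile ' "$1"
}

# Confirm the agent (here KeePassXC) is serving the private half of a given
# public key file. Needs a running agent, so it is not called automatically.
agent_has_key() {
    ssh-add -L 2>/dev/null | grep -qF "$(cut -d' ' -f2 "$1")"
}

# Generate a hardware-bound key. The file written to disk is only a handle;
# signing needs the YubiKey plugged in and touched. Needs a token present,
# so it is not called automatically.
generate_sk_key() {
    ssh-keygen -t ed25519-sk -C "$1" -f "$2"
}
```

Run `write_ssh_config ~/.ssh/config` once, then `agent_has_key ~/.ssh/pub/work_ed25519_sk.pub` after unlocking KeePassXC to confirm the key is being served before attempting a connection.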
Final Thoughts
By separating my SSH keys, storing them securely in KeePassXC, and utilizing modern features like ed25519-sk keys, I’ve significantly improved the security of my workflow. While the added steps may seem cumbersome to some, I’ve found this approach provides the right balance of security and usability for my needs.