Linux – Copy ssh key or create a new one

linuxsshvps

I have a desktop and laptop that I use for development. I generated an ssh key on the primary machine (desktop) to my vps which uses a passphrase. In terms of best practices or security concerns, is it better to generate a new ssh key on my laptop to the same vps, or should I just copy the ssh keys from the desktop to the laptop.

Everything i've read on the topic simply explains how to copy ssh keys from one computer to another. I haven't seen anything explaining the pros/cons of generating a new key vs copying an existing one. (both machines are used solely by me).

Best Answer

I agree with https://unix.stackexchange.com/questions/208495/ssh-key-authentication-with-multiple-computers. You can do any one, but each one has its pros and cons.

I would prefer to create a new SSH private key for every trusted machine. That way, if one is compromised only the key for that machine needs replacing. Copying private keys around could also increase the chance of somebody else getting access to it. It basically becomes a single point of failure. There is a reason why sites like BitBucket recommend their users to replace their SSH keys every year.

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

Use the -y option to ssh-keygen:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

From the 'man ssh-keygen'

 -y      This option will read a private OpenSSH format file and print an
         OpenSSH public key to stdout.

Specify the private key with the -f option, yours might be dsa instead of rsa. The name of your private key probably contains which you used. The newly generated public key should be the same as the one you generated before.

Ssh – Should I create a new private ssh key on each system

If you use the same public key on each system and the private key becomes compromised, then any system using that key, barring other restrictions, will be accessible.

I trust you are using password protected private keys?

In our management practice, we have low, medium and high security "roles". Each role uses a different key. High security private keys are never to be transmitted to external assets, used on laptops that could be lost/stolen, etc. Medium and low security keys can be deployed in a wider range of scenarios.

I suggest examining your usage patterns and see what makes since in terms of security roles. What is the damage done by getting your private key?

Have you considered placing your SSH private key onto a hardware device from which it cannot be stolen, removing the potential compromise of the key into a non-issue?

Both hardware security modules and smart cards can be used to store SSH private keys in a secure manner, enabling all cryptographic operations to be performed on the device, rather than on your operating systems. However, they are not a panacea, as these require backup hardware devices also, in case of a hardware failure.

Best Answer

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

Ssh – Should I create a new private ssh key on each system

Related Topic