🔐 SSH Key Management Best Practices
SSH keys are fundamental to secure server access. This guide covers best practices for generating, managing, and securing your SSH keys.
Why SSH Keys?
SSH keys provide:
- Stronger security than passwords
- Convenience - no need to remember passwords
- Automation - enable scripted deployments
- Auditability - track who has access
Generating SSH Keys
Ed25519 (Recommended)
```bash
# Generate Ed25519 key (most secure, smaller)
ssh-keygen -t ed25519 -C "your_email@example.com"
```

RSA (Compatibility)

```bash
# Generate RSA key (if Ed25519 not supported)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```

Key Storage
Your keys are stored in ~/.ssh/:
```text
~/.ssh/
├── id_ed25519          # Private key (NEVER share!)
├── id_ed25519.pub      # Public key (safe to share)
├── config              # SSH configuration
├── known_hosts         # Verified host fingerprints
└── authorized_keys     # Keys allowed to connect
```

SSH Config File
Simplify connections with ~/.ssh/config:
```text
# Work server
Host work
    HostName 192.168.1.100
    User devops
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_work

# Production server
Host prod
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_deploy
    ForwardAgent no

# Jump host / Bastion
Host bastion
    HostName bastion.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519

Host internal-*
    ProxyJump bastion
    User admin
```

Now connect with:
```bash
ssh work
ssh prod
ssh internal-db
```

Adding Keys to Servers
```bash
# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Or manually (also set the permissions sshd expects on ~/.ssh and authorized_keys)
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```

SSH Agent
Use ssh-agent to avoid typing passphrases repeatedly:
```bash
# Start agent
eval "$(ssh-agent -s)"

# Add key
ssh-add ~/.ssh/id_ed25519

# List loaded keys
ssh-add -l
```

Security Best Practices
1. Use Strong Passphrases

Your passphrase should be:
- At least 20 characters
- Mix of words, numbers, symbols
- Unique (not used elsewhere)

2. Protect Private Keys

```bash
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
```

3. Rotate Keys Regularly

```bash
# Generate new key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_2024
# Update authorized_keys on servers
# Remove old key from servers
# Update local config
```

4. Use Different Keys for Different Purposes
| Purpose | Key File |
|---|---|
| Personal | id_ed25519_personal |
| Work | id_ed25519_work |
| Deployment | id_ed25519_deploy |
| Git | id_ed25519_github |
Auditing Access
Track who has access to your servers:
```bash
# List authorized keys on server
cat ~/.ssh/authorized_keys

# Find keys by comment/email
grep "user@example.com" ~/.ssh/authorized_keys
```

Quick Reference
| Task | Command |
|---|---|
| Generate key | ssh-keygen -t ed25519 |
| Copy to server | ssh-copy-id user@host |
| Start agent | eval "$(ssh-agent -s)" |
| Add key to agent | ssh-add ~/.ssh/id_ed25519 |
| Test connection | ssh -T git@github.com |
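The grep-by-comment check in the Auditing Access section above only finds keys that carry a comment. As an added example (not part of the original guide), this POSIX shell script parses each authorized_keys entry, including the options field that may precede the key type, and reports type, comment and restrictions, flagging ssh-dss keys and keys with no comment; the sample file and its key blobs are constructed placeholders.

```shell
# Report every entry in an authorized_keys file as: type, comment, options,
# flags. Flags ssh-dss keys and keys without a comment, which a grep for an
# e-mail address would silently miss. Added example, not from the guide.

audit_authorized_keys() {   # $1 = path to an authorized_keys file
    awk '
    /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }       # blank lines, comments
    {
        line = $0; opts = ""
        # An entry that does not start with a key type begins with an options
        # string, which may hold spaces inside double quotes (for example
        # command="/usr/bin/rrsync /data"), so split on the first unquoted space.
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0; n = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\"" && (i == 1 || substr(line, i - 1, 1) != "\\")) inq = !inq
                if (c == " " && !inq) { n = i; break }
            }
            opts = substr(line, 1, n - 1); line = substr(line, n + 1)
        }
        nf = split(line, f, " ")
        type = f[1]; comment = ""
        for (i = 3; i <= nf; i++) comment = comment (i > 3 ? " " : "") f[i]
        flags = ""
        if (type == "ssh-dss") flags = flags " WEAK-TYPE"
        if (comment == "") { comment = "(none)"; flags = flags " NO-COMMENT" }
        printf "%s\t%s\t%s%s\n", type, comment, (opts == "" ? "-" : opts), flags
    }' "$1"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
make_sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# keys for the deploy account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA000000000000000000 alice@example.com

from="10.0.0.0/8",command="/usr/bin/rrsync /data" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA111111111111111111 backup@host
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERKEYDATA legacy@old-box
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYDATA
EOF
    echo "$f"
}

sample=$(make_sample_authorized_keys)
audit_authorized_keys "$sample"
rm -f "$sample"
```

Run it against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; every line tagged WEAK-TYPE or NO-COMMENT deserves a look before the next key rotation.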
⚠️ Warning: Never share your private key! If compromised, generate new keys immediately and remove the old public key from all servers.
Published: December 18, 2024