What is SSH Key Management?
This blog post is intended for someone new to SSH key management. Do you have just one SSH key pair? Do you have
multiple key pairs? What are the pros and cons of having a single key pair versus several? The post answers such questions
about SSH key usage in practice.
So, someone walked up to you, or asked in a video call, for your SSH public key?
It is common practice to grant access to Linux servers over SSH using cryptographic keys. Different situations call
for different ways of handling those keys.
Prerequisites And Assumptions
The blog post assumes that you already know how to access SSH servers using a private key. Perhaps you have already
been using SSH with the private keys provided by your company.
Step 1: Generate An SSH Key Pair
If you do not already have an SSH key pair, generate one using the ssh-keygen command. There are a few choices of
algorithm and key size. Currently, I recommend the EdDSA signature scheme.
ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
The command will prompt you to type a passphrase. It is possible to use an empty passphrase, but that is highly
discouraged. Use a strong passphrase. Every time you use your SSH key to log on to a remote server, you will need the
passphrase. Keyring utilities make the private key easier to use by storing your passphrase securely on your computer.
For convenience, you might want to use the keyring service offered by your operating
The above command generates a key pair. The key pair has two files:
Pay attention to the command output, especially to the file paths.
It is possible to add a passphrase to an existing private key that has none. If for some reason you have a private
key without a passphrase, add a passphrase to it. See man
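The following is an added example, not part of the original post: a small POSIX shell script that performs the steps above non-interactively, so they can be checked rather than just described. It generates an Ed25519 key pair with a passphrase, tells whether a private key is passphrase-protected, and adds a passphrase to an unprotected key with ssh-keygen -p. It assumes OpenSSH's ssh-keygen is installed; the directory names, comment and passphrases are constructed for the demonstration, and the unprotected "legacy" key is created only to show the repair.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH ssh-keygen.
# All paths, comments and passphrases here are constructed for the demo.

# generate_key DIR COMMENT PASSPHRASE
# Writes DIR/id_ed25519 (private) and DIR/id_ed25519.pub (public).
generate_key() {
    dir=$1; comment=$2; passphrase=$3
    mkdir -p "$dir" && chmod 700 "$dir"
    # -q suppresses the banner/randomart, -N supplies the passphrase non-interactively
    ssh-keygen -q -t ed25519 -C "$comment" -N "$passphrase" -f "$dir/id_ed25519"
}

# fingerprint PUBKEYFILE -> prints the SHA256 fingerprint of a public key file
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# key_is_encrypted PRIVKEYFILE -> exit 0 if the key needs a passphrase, 1 if it does not.
# ssh-keygen -y derives the public key; with an explicit empty passphrase (-P "")
# it only succeeds on an unprotected key and fails without prompting otherwise.
key_is_encrypted() {
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# add_passphrase PRIVKEYFILE OLD NEW -> re-encrypts the private key in place.
# The key material is unchanged, so the matching public key stays the same.
add_passphrase() {
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1"
}

# public_from_private PRIVKEYFILE PASSPHRASE -> prints the public key line
public_from_private() {
    ssh-keygen -y -P "$2" -f "$1"
}

# demo: generate a protected key, then find and repair an unprotected one
demo() {
    work=$(mktemp -d)
    generate_key "$work/keys" "alice@example.org" "correct horse battery staple"
    echo "new key fingerprint: $(fingerprint "$work/keys/id_ed25519.pub")"
    # constructed "legacy" key with no passphrase, the case the post warns about
    ssh-keygen -q -t ed25519 -C "legacy" -N "" -f "$work/keys/legacy"
    if ! key_is_encrypted "$work/keys/legacy"; then
        echo "legacy key has no passphrase; adding one"
        add_passphrase "$work/keys/legacy" "" "another strong passphrase"
    fi
    key_is_encrypted "$work/keys/legacy" && echo "legacy key is now protected"
    rm -rf "$work"
}

# Run the demonstration when ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo
fi
```

The check in key_is_encrypted is the one worth keeping around: it is a quick way to audit a directory of keys for the unprotected case before anyone copies them to a backup vault.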
Step 2: Backup
Try not to lose the key pair. You can distribute the public key freely. For example, you can put it up on your
website or GitHub profile. Make sure you back up your private key to a
secure vault. Losing the private key can sometimes lock you out of critical
The next time someone asks for your SSH public key, hand over your public key file, or simply point them to the
URL where you have published it.
Never ever share your private key or passphrase with anyone. As the name suggests, it is the private key. Keep it
private and keep it to yourself.
Mixing Personal And Company Keys Is Bad
Why? If you have two keys and one of them is compromised, the other can still be used. In other words, using the
same key for both personal and company access is bad. This does not hold for every situation, so treat it as a
rule of thumb. The identity management features of some applications and platforms require a unique key per
account; such platforms will force you to use a unique key per account. One such example is GitHub.
If you work with more than one company or many unrelated projects within a company, you might want to use a unique key
pair per company. Repeat the same steps mentioned above to create and safeguard the keys for all your projects.
Keeping company and personal keys separate leads to peace of mind. Thank me later.
Too Many Keys Problem
If you use a keyring service such as GNOME Keyring, you will run into this problem. Let's say you have ten keys and
add them all to the keyring. When you attempt to access an SSH server, the SSH client offers the keys from the
keyring one by one. There is a good chance the SSH server will reject the connection after too many failed
attempts. To mitigate the problem you may have to stop
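As an added example (not code from the original post), here is one way to keep separate personal and company keys and still avoid the "too many keys" problem: a per-host ssh client config that pins exactly one IdentityFile per account and sets IdentitiesOnly yes, so the client offers only that key for that host even if the keyring holds ten others. The script writes such a config and then uses ssh -G, which prints the options ssh would actually use for a host without connecting, to verify which keys would be offered. It assumes an OpenSSH client; the host aliases, host names, user names and key paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an OpenSSH client.
# Hosts, users and key paths below are constructed for the demonstration.

# write_ssh_config CONFIG_PATH KEYDIR
# Writes a client config with one key per account. In ssh_config the first
# matching value wins, so the specific Host blocks come before "Host *".
write_ssh_config() {
    cfg=$1; keydir=$2
    cat > "$cfg" <<EOF
# Personal GitHub account: offer the personal key and nothing else.
Host github.com
    HostName github.com
    User git
    IdentityFile $keydir/id_ed25519_personal
    IdentitiesOnly yes

# Company A bastion (constructed name): offer only the company-A key.
Host bastion-a
    HostName bastion.company-a.example
    User deploy
    IdentityFile $keydir/id_ed25519_company_a
    IdentitiesOnly yes

# Any other host keeps the default behaviour (keyring/agent keys are tried).
Host *
    IdentitiesOnly no
EOF
    chmod 600 "$cfg"
}

# effective_option CONFIG_PATH HOST KEYWORD
# Prints the value(s) ssh would use for KEYWORD (lowercase, as ssh -G prints it).
effective_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'
}

# identity_count CONFIG_PATH HOST -> how many IdentityFile entries ssh would try
identity_count() {
    effective_option "$1" "$2" identityfile | wc -l | tr -d ' '
}

# demo: write the config and show what each host would be offered
demo() {
    work=$(mktemp -d)
    write_ssh_config "$work/config" "$work/keys"
    for h in github.com bastion-a other.example; do
        echo "$h: identitiesonly=$(effective_option "$work/config" "$h" identitiesonly)" \
             "identityfiles=$(identity_count "$work/config" "$h")"
    done
    rm -rf "$work"
}

# Run the demonstration when an ssh client is available.
if command -v ssh >/dev/null 2>&1; then
    demo
fi
```

The same ssh -G check is useful when debugging a login that fails after several key offers: it shows exactly which key files the client will try for that host, so the server-side limit on authentication attempts is never reached with the wrong keys.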
Reference: Edwards-curve Digital Signature Algorithm article on Wikipedia.