If someone obtains your SSH private key, it’s game over. Your adversaries will have an infinitely replay-able credential to access your systems.

It matters where you generate your key

You don’t want to use a shared system to generate your key, especially one where someone else has root. Don’t take any chances that you have exposed your private key from the very beginning.

It matters how you generate your key

When you generate an SSH key, always use a password to secure the private key. This is your last line of defence before someone else can use it. This password can be brute forced, so make sure to use a strong password, and don’t store it along side your key.

The industry standard cipher used for SSH keys is currently RSA. It is important that you specify a large bit size. RSA keys less than 2048 bits are considered weak, and you should probably double it to 4096.

Here is an example ssh-keygen command:

ssh-keygen -t rsa -b 4096

Avoid using the -N option as your password will be stored in your shell history.

ED25519 is another cipher generally considered to be more secure and faster than RSA, but you may run into some compatibility issues with older and embedded devices. I suggest using it if you can. See this great article by Risan Bagja Pradana.

It matters how you use your key

Now you have a key pair generated with a good cipher and bit size stored securely. Use ssh-copy-id to copy your public key to the correct location on the remote server. You should be very careful about moving your private key around. You should be the only one who can ever see it.

If you need to use your key throughout the day and don’t want to enter your key password every time, you can use ssh-agent. Just be aware that this loads the key into memory and the key can be read by anyone with root on your system.

Be careful about using ssh-agent forwarding. If your SSH client has key forwarding enabled, someone with root access on an intermediate system can hijack your session and access another system (thank you to Paul Aiton for the correction). Marc Wickenden has done a neat writeup on this.

If you’re really paranoid

This may be overkill for most users, but it does provide extra security an prevent mistakes. In some companies, this is standard practice. You can store your key on external offline storage like a USB flash drive, preferably one with a physical keypad like an Aegis Secure Key. Another option is to use a YubiKey. There’s an awesome tutorial on how to do this by Adam Hawkins. When generating your key, write it directly to the device with the -f option.

Spread the word

Everyone who uses SSH keys should practice good key hygiene. I’ve been shocked how many people have sent me their private key by email or use DSA encrypted keys. If you have any further insights on the subject, please let us know in the comments.