Index

SSH key management: Security best practices

Greg Foster
Greg Foster
Graphite software engineer
Try Graphite

Table of contents

Secure Shell (SSH) keys are fundamental for authenticating access to remote systems, especially in development and operations environments. Proper SSH key management is crucial to prevent unauthorized access and maintain system integrity. This guide outlines best practices for managing SSH keys, ensuring robust security, and introduces tools like Graphite that facilitate effective key management.

Understanding SSH keys

SSH keys operate on a public-private key pair mechanism:

  • Public Key: Shared with the server to grant access.
  • Private Key: Kept secret on the client side; it must be protected diligently.

When a client initiates a connection, the server uses the public key to verify the client's identity, allowing secure, password-less authentication.

Best practices for SSH key management

1. Generate strong, unique keys

Utilize modern algorithms like ed25519 for generating SSH keys, as they offer enhanced security and performance. Avoid outdated algorithms such as DSA.

Terminal
ssh-keygen -t ed25519 -C "your_email@example.com"

Always protect private keys with a robust passphrase to add an extra layer of security.

2. Assign keys to individual users

Each user should have a unique SSH key pair. Avoid sharing keys among multiple users to maintain accountability and simplify key revocation when necessary.

3. Implement key rotation policies

Regularly rotate SSH keys to minimize the risk of compromised credentials. Establish a rotation schedule (e.g., every 90 days) and automate the process using configuration management tools.

4. Remove unused or orphaned keys

Periodically audit your systems to identify and remove SSH keys that are no longer in use or whose owners have left the organization. This reduces potential entry points for unauthorized access.

5. Enforce the principle of least privilege

Grant users the minimum level of access necessary for their roles. Restrict SSH key access to specific systems and directories to limit potential damage from compromised keys.

6. Secure private key storage

Store private keys in secure locations with appropriate permissions. Avoid placing them in shared directories or repositories. Consider using hardware security modules (HSMs) or secure key vaults for added protection.

7. Monitor and log SSH key usage

Implement logging mechanisms to track SSH key usage across your infrastructure. Monitoring helps detect unusual activities and potential security breaches promptly.

Proper SSH key storage techniques

Ensuring the secure storage of SSH keys is vital:

  • Local storage: Keep private keys in the ~/.ssh directory with strict permissions (chmod 600).
  • Encrypted storage: Use encrypted file systems or tools like ssh-agent to manage keys securely.
  • Hardware tokens: Employ devices like YubiKeys for storing SSH keys, adding a physical layer of security.
  • Cloud key management services: Leverage services like AWS KMS or Azure Key Vault for centralized and secure key storage.

Configuring SSH keys for Graphite CLI

1. Generate a new SSH key pair

Use the ed25519 algorithm for enhanced security and performance:

Terminal
ssh-keygen -t ed25519 -C "your_email@example.com"

When prompted, accept the default file location (~/.ssh/id_ed25519) and set a strong passphrase for added security.

2. Add the SSH key to the SSH agent

Start the SSH agent and add your private key:

Terminal
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

3. Add your SSH key to your GitHub account

Copy your public key to the clipboard:

Terminal
# macOS
pbcopy < ~/.ssh/id_ed25519.pub


# Linux (requires xclip)
xclip -sel clip < ~/.ssh/id_ed25519.pub


# Windows PowerShell
Get-Content ~/.ssh/id_ed25519.pub | Set-Clipboard


# Any platform (manually copy the displayed output)
cat ~/.ssh/id_ed25519.pub

Then, log in to GitHub, navigate to Settings > SSH and GPG keys, click New SSH key, paste your key, and save.

4. Configure git to use SSH

Ensure your Git remote URL uses SSH:

Terminal
git remote set-url origin git@github.com:username/repository.git

Replace username and repository with your GitHub username and repository name.

5. Integrate SSH keys with Graphite

Run the Graphite CLI configuration:

Terminal
gt config

In the interactive menu:

  • Set the Git remote name (usually origin).
  • Verify that Graphite correctly infers your repository name and owner from the SSH URL.

This configuration ensures that Graphite utilizes your SSH settings for seamless Git operations.

Conclusion

Effective SSH key management is essential for maintaining the security and integrity of your systems. By adhering to best practices—such as generating strong keys, enforcing individual key assignments, rotating keys regularly, and securing key storage—you can mitigate risks associated with unauthorized access. Tools like Graphite further simplify the management process, providing automation and centralized control to bolster your security posture.

Related guides

Smartlog

Smartlog is a central feature in Sapling, designed to offer users a more digestible view of their lo...

git push -u

Working with Git, a widely used version control system, developers often encounter errors that can d...

Phabricator adoption and eventual deprecation

Phabricator, once a prominent figure in the landscape of development tools, has seen widespread adop...

Last modified 28 days ago

0 min read
On this page
Share
Git inspired
Graphite's CLI and VS Code extension make working with Git effortless.
Learn more

Built for the world's fastest engineering teams, now available for everyone

Request a demo
Start free trial