DEV Community

spO0q

Security: move your SSH keys to an encrypted location

The problem

By default, the ssh-keygen command writes public/private keys in the ~/.ssh folder in clear text.

They can be stolen (e.g., manually or by a malicious script).

A concrete example

If you forget to lock your session, or if an attacker infects your computer with a malicious program (e.g., a Trojan or infostealer), your SSH keys could be used to deploy malware or compromise critical instances.

Why this is necessary but not sufficient

As developers, we get advanced capabilities and permissions. Moving SSH keys to a secure (encrypted) location is a good practice, but it should be combined with other measures to get multiple layers of security.

Unmanaged SSH keys can put your organization at high risk.

While this covers only one aspect of SSH key management, it is at least an effective measure.

How to manage/protect your SSH keys

Moving SSH keys to an encrypted location may be hard to achieve. Fortunately, there are various solutions, like SSH key managers or secret managers.

In most cases, the idea is to store keys in an encrypted vault.
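Before moving anything, it helps to know which keys are actually at risk. The following audit script is an added example, not code from the original post: it classifies each private key in an SSH directory as stored with or without a passphrase (for OpenSSH-format keys the cipher name right after the file magic is "none" when the key is unencrypted; legacy PEM keys carry a Proc-Type header when encrypted) and also flags keys readable by other users. The function names (private_key_state, audit_ssh_dir, demo_audit) and the sample key files, which are constructed header-only stand-ins rather than real keys, are this example's own.

```python
import base64, os, stat, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # file magic of the OpenSSH private key format

def _sshstr(s: bytes) -> bytes:
    """Encode a length-prefixed string as used inside the OpenSSH key format."""
    return struct.pack(">I", len(s)) + s

def private_key_state(data: bytes) -> str:
    """Classify a private key file as 'plaintext', 'encrypted' or 'unknown'."""
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: the cipher name follows the magic; "none" means no passphrase
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(MAGIC):
            return "unknown"
        n = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])[0]
        cipher = raw[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "plaintext" if cipher == b"none" else "encrypted"
    # Legacy PEM: encrypted keys carry a Proc-Type header or the PKCS#8 ENCRYPTED banner
    if "ENCRYPTED" in lines[0] or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "encrypted"
    return "plaintext"

def audit_ssh_dir(ssh_dir) -> list:
    """Report passphrase-less private keys and loose permissions in an SSH directory."""
    findings = []
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue  # public keys, config and known_hosts are not private keys
        state = private_key_state(path.read_bytes())
        if state == "unknown":
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if state == "plaintext":
            findings.append((path.name, "private key stored without passphrase"))
        if mode & 0o077:
            findings.append((path.name, f"readable by group/others (mode {mode:o})"))
    return findings

def constructed_openssh_key(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed sample in OpenSSH key layout (header fields only, not a usable key)."""
    raw = MAGIC + _sshstr(cipher) + _sshstr(kdf) + _sshstr(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()

def demo_audit() -> list:
    """Write constructed samples to a temporary directory and audit it (no real keys touched)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "id_ed25519").write_bytes(constructed_openssh_key(b"none", b"none"))
        Path(d, "id_ed25519.pub").write_bytes(b"ssh-ed25519 AAAA constructed\n")
        Path(d, "id_rsa").write_bytes(constructed_openssh_key(b"aes256-ctr", b"bcrypt"))
        os.chmod(Path(d, "id_ed25519"), 0o600)
        os.chmod(Path(d, "id_rsa"), 0o644)
        return audit_ssh_dir(d)
```

Run audit_ssh_dir on your own ~/.ssh to get the same kind of findings for real files; demo_audit only exercises the constructed samples.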

Wrap up

SSH keys are credentials. There's no reason to keep them unencrypted on your machine.

While nothing is bulletproof, especially against advanced threat actors, this measure can mitigate many attacks.
