Where to store private SSH keys?

dywan666

11/26/22, 10:08 AM

Looking for a "best-practices" kind of answer when it comes to storing private SSH keys.

Scenario: VMs are deployed to the cloud using Terraform, they use a single public key. Now the corresponding private key needs to be stored somewhere - where should it be kept? Cloud key management service (like Azure Key Vault, Hashicorp Vault)? It would be used for Ansible.

Should these private keys be added to the Vault using terraform or should it be done manually (to avoid listing them in .tfstate files)?

611

1 + 3

ssh

ssh-keys

ansible

Martin

11/26/22, 10:13 AM

You are ignoring one of the most common advices here: One private SSH key is for one host only, it is not supposed to be moved around. My suggestion would be to generate a new SSH key with every VM deployment together with the corresponding insert into the proper authorized_keys file.

dywan666

11/26/22, 10:25 AM

One private SSH key is most certainly used for deployments. I am not talking about casual user access. Imagine deploying 100 VMs to the cloud and managing 100 seperate SSH keys for Ansible connection. Come on, no one is doing that.

Martin

11/26/22, 11:03 AM

you asked for best practices; And one of those is simply not to move these keys around. Security always comes with a price, and you might have good reasons for ignoring such a best practice - But always be aware of the security risks you are taking.

Score:0

Server

Ravi Kumar CH

11/26/22, 10:19 AM

According to HashiCorp Documentation, the vault is the place to store the "SSH keys to connect to remote machines are shared and stored as a plaintext" More information here.

0 + 0