Score:0

Where to store private SSH keys?


Looking for a "best-practices" kind of answer when it comes to storing private SSH keys.

Scenario: VMs are deployed to the cloud using Terraform, and they use a single public key. Now the corresponding private key needs to be stored somewhere - where should it be kept? A cloud key management service (like Azure Key Vault or HashiCorp Vault)? It would be used for Ansible.

Should these private keys be added to the Vault using terraform or should it be done manually (to avoid listing them in .tfstate files)?

Martin:
You are ignoring one of the most common pieces of advice here: one private SSH key is for one host only; it is not supposed to be moved around. My suggestion would be to generate a new SSH key with every VM deployment together with the corresponding insert into the proper authorized_keys file.

dywan666:
One private SSH key is most certainly used for deployments. I am not talking about casual user access. Imagine deploying 100 VMs to the cloud and managing 100 separate SSH keys for the Ansible connection. Come on, no one is doing that.

Martin:
You asked for best practices, and one of those is simply not to move these keys around. Security always comes with a price, and you might have good reasons for ignoring such a best practice, but always be aware of the security risks you are taking.
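The question's worry about the private key ending up in .tfstate is well founded: Terraform marks attributes such as a generated private key as sensitive, but "sensitive" only redacts plan output; the value is still written to the state file in plaintext, and so is the data_json of a Vault secret resource that copies the key into Vault. The following script is an added example (not code from any poster on this page, and not a Terraform or HashiCorp tool) that scans a state file for PEM-style private key blocks so you can check what a given workflow actually leaves behind. The tfstate excerpt is constructed for the demo; resource names, the secret path and the key text are placeholders, not real values.

```python
import json
import re

# Constructed tfstate excerpt (placeholder data, not a real project's state).
# It models the two Terraform-driven approaches from the question:
#   - tls_private_key: Terraform generated the deploy key itself
#   - vault_generic_secret: Terraform pushed that key into Vault KV
# plus an unrelated VM resource that holds no key material.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "tls_private_key",
            "name": "deploy",
            "instances": [{
                "attributes": {
                    "algorithm": "ED25519",
                    "private_key_openssh": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                           "EXAMPLE-NOT-A-REAL-KEY\n"
                                           "-----END OPENSSH PRIVATE KEY-----\n",
                    "public_key_openssh": "ssh-ed25519 AAAAC3EXAMPLE deploy",
                },
                # Terraform records which attributes are sensitive, but the
                # value above is still stored in the clear.
                "sensitive_attributes": [
                    [{"type": "get_attr", "value": "private_key_openssh"}]
                ],
            }],
        },
        {
            "mode": "managed",
            "type": "vault_generic_secret",
            "name": "deploy_key",
            "instances": [{
                "attributes": {
                    "path": "secret/ansible/deploy",
                    # data_json is a JSON string; the key is embedded inside it.
                    "data_json": "{\"private_key\":\"-----BEGIN OPENSSH PRIVATE KEY-----"
                                 "\\nEXAMPLE-NOT-A-REAL-KEY\\n-----END OPENSSH PRIVATE KEY-----\\n\"}",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "azurerm_linux_virtual_machine",
            "name": "web",
            "instances": [{"attributes": {"name": "web-0", "admin_username": "ansible"}}],
        },
    ],
})

# Matches the header of any PEM-style private key (OPENSSH, RSA, EC, PKCS#8 ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _walk(value, path, hits):
    """Recursively visit every string in a JSON value and record the
    dotted path of each one that contains a private key header."""
    if isinstance(value, dict):
        for key, child in value.items():
            _walk(child, path + [key], hits)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            _walk(child, path + [str(idx)], hits)
    elif isinstance(value, str) and PRIVATE_KEY_RE.search(value):
        hits.append(".".join(path))


def find_private_keys(tfstate_text):
    """Return attribute paths (type.name.instance.attr...) in a Terraform
    state document whose string values contain private key material.
    Nested JSON strings such as data_json are searched as raw text, so
    keys hidden one encoding layer down are still reported."""
    state = json.loads(tfstate_text)
    hits = []
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            _walk(inst.get("attributes", {}), [addr, str(idx)], hits)
    return hits


if __name__ == "__main__":
    for hit in find_private_keys(SAMPLE_TFSTATE):
        print("private key material in state at:", hit)
```

Run against a real state file (`terraform state pull > state.json`, then pass its contents to `find_private_keys`) before deciding between the two options in the question. Both Terraform-managed paths report a hit; a key generated outside Terraform and written with `vault kv put` by hand, and then only read by Ansible at run time, leaves nothing for this scan to find. Whatever you choose, treat the state backend (storage account, bucket, Terraform Cloud workspace) with the same access controls you would give the key itself.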
Score:0

According to the HashiCorp documentation, Vault is the place to store the "SSH keys to connect to remote machines [that] are shared and stored as a plaintext". More information here.
