Score:0

ubuntu core - best practice for backup public/private keys

br flag

We are testing Ubuntu Core for our IoT sensor/control devices.

I was trying to emulate a situation where a key is compromised, to see what the best practice is for the SSH key pair. In all the examples, the instruction is to create only one pair. In case of a compromise, one would want to immediately delete the compromised key first.

I used the following method to create two key sets: one as main and a second as backup.

In the Ubuntu SSO, I created two keys, main and backup. I installed Ubuntu Core from scratch on the RPi. When I logged in for the first time, it got both public keys from the SSO server.

I was then able to SSH in with each key separately. This way, one can log into the device using the backup key and delete the compromised key.

Hope this helps for someone.

However, if there is a better way, I would like to know.

Score:1
cn flag

In my opinion, the more keys you have on the device, the wider the attack surface. Only one key needs to leak, and now you have more that CAN leak.

In some situations that makes sense, but I'm not sure what you're gaining in the scenario you described. If SSH key A is compromised, someone with that key can gain access to the device. Period. SSH key B, which also has access to the device, isn't in the picture at all. So using SSH key B to gain access to the device to "revoke" SSH key A doesn't make a lot of sense. The fact that SSH key A is compromised obviously doesn't make it useless. You could just as easily ONLY use SSH key A, and use it again to gain access to the device and swap it out for SSH key B in the event of a compromise. Then you only ever have one key with access to the device. Same security model you have now, but your attack surface isn't as wide.

It would be even better if Ubuntu Core provided a way to refresh the keys on the devices linked to your SSO account (that would help with the lost-key scenario as well), but I don't believe that functionality exists today (see LP #1646559).
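Both the question's "log in with the backup key and delete the compromised key" step and the answer's "swap it out for key B" approach come down to editing the device's authorized_keys file. The following is an added example, not code from either poster or from Ubuntu Core: it removes a key by its SHA256 fingerprint (the value `ssh-keygen -lf` prints) rather than by its comment, since the comment is free text that anyone can copy into a different key, and it refuses to delete the last remaining key so that a swap has to add the new key before the old one is dropped. The key blobs and the authorized_keys contents are constructed for the example and are not real keys.

```python
"""
Revoke one SSH public key from an OpenSSH authorized_keys file by its
SHA256 fingerprint, the way ssh-keygen -lf reports it, and refuse to
leave the file with no usable key at all.
"""
import base64
import hashlib
import struct

# Key-type tokens that may start the key material on an authorized_keys line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, formatted like ssh-keygen -lf
    (base64 without padding, 'SHA256:' prefix)."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str):
    """Return (key_type, blob_b64) for a key line, or None for blank lines
    and comments. Lines may start with options such as from="..." or
    command="...", so scan for the first recognised key-type token.
    Simplification: a key-type word inside a quoted option value would be
    misread; real authorized_keys files rarely contain one."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i in range(len(tokens) - 1):
        if tokens[i] in KEY_TYPES:
            return tokens[i], tokens[i + 1]
    return None


def count_keys(authorized_keys: str) -> int:
    """Number of lines that carry a parseable key."""
    return sum(1 for ln in authorized_keys.splitlines() if parse_key_line(ln))


def revoke_key(authorized_keys: str, compromised_fp: str):
    """Drop every line whose key has the given fingerprint. Returns the new
    file text and the number of lines removed. Raises ValueError instead of
    producing a file with no keys left, because on a headless device that
    is a lockout, not a revocation."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        parsed = parse_key_line(line)
        if parsed is not None and fingerprint(parsed[1]) == compromised_fp:
            removed += 1
            continue
        kept.append(line)
    new_text = "\n".join(kept) + "\n"
    if removed and count_keys(new_text) == 0:
        raise ValueError("refusing to remove the last authorized key")
    return new_text, removed


# --- constructed sample data (not real keys) ---------------------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_fake_ed25519_pubkey(seed: int) -> str:
    """Build a blob with the wire shape of an ssh-ed25519 public key
    (string type, string 32-byte key). The 32 bytes are a hash of the seed,
    not a real curve point; enough to exercise parsing and fingerprinting."""
    pk = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pk)).decode()


MAIN_KEY = make_fake_ed25519_pubkey(1)
BACKUP_KEY = make_fake_ed25519_pubkey(2)

# Constructed authorized_keys: what a device might hold after pulling two
# keys from SSO, with the backup key restricted to a management network.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, two keys\n"
    f"ssh-ed25519 {MAIN_KEY} main@example\n"
    f'from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {BACKUP_KEY} backup@example\n'
)


def demo():
    """Revoke the main key after a compromise; the backup line survives."""
    new_text, removed = revoke_key(SAMPLE_AUTHORIZED_KEYS, fingerprint(MAIN_KEY))
    return new_text, removed


if __name__ == "__main__":
    text, n = demo()
    print(f"removed {n} line(s); remaining keys: {count_keys(text)}")
    print(text)
```

On a real device you would get the fingerprint of the compromised key from `ssh-keygen -lf` on the public key file you still hold, write the result back to ~/.ssh/authorized_keys atomically (write a temp file, then rename), and only then log out of the session that used the backup or replacement key.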
