I did some annual SSH key housekeeping this week. Here are a few things you should probably do:
- Use the newer ed25519 keys, and rotate them once a year
- Generate a separate key for each general use case / project, so a leaked key only exposes one of them
- Don't be a muppet: don't leave private keys in plain text on your laptop or in your backups
- Create a .ssh/config file that points at your keys on an encrypted filesystem, one which is not mounted at boot time
Below are a few commands and examples to get you started.
Generate an ed25519 key with your email address as the comment, and save it to a key file named for the project, company or use case it is for. ssh-keygen will prompt for a passphrase; set one, so the key is useless on its own if the file ever leaks. Note that -f writes the key pair (swimgeek and swimgeek.pub) relative to the current directory, so run this on the encrypted volume or move the files there afterwards:
ssh-keygen -t ed25519 -C 'email@example.com' -f swimgeek
Create a .ssh/config file for your keys and the various servers, giving the user account, the port and where the key lives:
Host swimgeek-myserver myserver.swimgeek.com
    HostName myserver.swimgeek.com
    Port 2345
    User joe
    IdentityFile /Volumes/crypt-fs/ssh/swimgeek

Host projectabc-prod prod.projectabc.com
    HostName prod.projectabc.com
    Port 2567
    User root
    IdentityFile /Volumes/crypt-fs/ssh/projectabc

With one key per project it is also worth adding IdentitiesOnly yes to each Host block, so ssh offers only the key named there rather than every key loaded in your agent.
Note that these keys are not in your home directory. They live on an encrypted filesystem, which is not mounted at boot time, and not backed up in plain text.
Install mosh and add an alias to your .zshrc. mosh sets up its session over ssh, so the Host aliases from .ssh/config (and the IdentityFile they point at) work with it unchanged:
alias moshprod="mosh projectabc-prod"
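To make the annual housekeeping repeatable, here is an audit script that checks every IdentityFile named in an ssh config against the rules above: the key must exist, must not live under your home directory, must be readable only by you, must be ed25519 (read from the sibling .pub file, since the OpenSSH private key format does not expose the algorithm without ssh-keygen), and must be younger than a year. This is an added example, not a script from the original post; the 365-day rotation limit and the assumption that each private key has a .pub file beside it are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit the keys an ssh config
# references against the housekeeping rules. Assumes each private key has a
# sibling .pub file and that rotation is due after 365 days (both assumptions).

# List every IdentityFile path in the config given as $1, one per line.
# Keyword is matched case-insensitively and comment lines are skipped.
ssh_config_identities() {
    awk '$1 !~ /^#/ && tolower($1) == "identityfile" { print $2 }' "$1"
}

# Octal permission bits and mtime (epoch seconds), GNU stat first, BSD/macOS
# stat as the fallback.
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Whole days since the key file was last written.
key_age_days() {
    echo $(( ( $(date +%s) - $(file_mtime "$1") ) / 86400 ))
}

# Check one private key. Prints a single status line; returns 0 on pass,
# 1 on the first rule it fails.
check_key() {
    key="$1"
    # Expand a leading ~ the way ssh would, so ~/.ssh/... is caught below.
    case "$key" in "~"/*) key="${HOME}${key#\~}" ;; esac
    [ -f "$key" ] || { echo "MISSING     $key"; return 1; }
    # Keys belong on the encrypted volume, not in the home directory.
    case "$key" in "${HOME:-/nonexistent}"/*) echo "IN-HOME     $key"; return 1 ;; esac
    mode=$(file_mode "$key")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS-$mode   $key"; return 1 ;;
    esac
    [ -f "$key.pub" ] || { echo "NO-PUB      $key"; return 1; }
    read -r algo rest < "$key.pub"
    [ "$algo" = "ssh-ed25519" ] || { echo "NOT-ED25519 $key ($algo)"; return 1; }
    age=$(key_age_days "$key")
    [ "$age" -le 365 ] || { echo "ROTATE      $key (${age}d old)"; return 1; }
    echo "OK          $key"
}

# Audit every key a config references. Return value is the number of
# failing keys, so 0 means the config is clean.
audit_ssh_config() {
    fails=0
    while read -r k; do
        [ -n "$k" ] || continue
        check_key "$k" || fails=$((fails + 1))
    done <<EOF
$(ssh_config_identities "$1")
EOF
    return $fails
}

# Usage: audit_ssh_config ~/.ssh/config
```

Run it after mounting the encrypted volume; a MISSING result for every key usually just means the volume is not mounted, which is the behaviour you want at boot.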