How to safely store and handle SSH/PGP keys?

I have an SSH key that I use to commit changes to GitHub repos, but it makes me uneasy to have the private key just sitting there, unencrypted, on my computer.

I mean, many programs have read/write permissions, couldn’t they, in theory, contain malicious code that would exfiltrate any private keys on the file system?

I could generate keys with passphrases, but it’s inconvenient to have to type it in every time I want to do a commit.

I guess this also applies to PGP keys.

So, are there any safer ways to store and handle private keys?

1 Like

As you suggest later, use a passphrase to encrypt/decrypt it and set strict permissions (e.g., chmod 400).

As always, it is recommended to use a password manager for your passphrases. So, you only have to unlock your password manager once, and then you can just copy & paste (or auto-type) your SSH passphrase.

The same applies to OpenPGP keys: Use passphrases to encrypt/decrypt the keys.


Besides, you could deploy security keys like YubiKeys to generate and store the private key on them. There is no way to steal your key in this case.

2 Likes
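As an added example (not part of the answer above), a POSIX shell script that applies the passphrase-plus-chmod-400 advice and then verifies it: the key is refused with an empty passphrase, the file is owner-read-only, and the correct passphrase still unlocks it. It assumes OpenSSH's ssh-keygen is installed; the key path and passphrase in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: create a passphrase-protected
# ed25519 SSH key, lock down its permissions, and verify both properties.
# Assumes OpenSSH's ssh-keygen is available.

# make_protected_key KEYFILE PASSPHRASE
#   Generates KEYFILE encrypted with PASSPHRASE and sets chmod 400 on it.
make_protected_key() {
    keyfile="$1"; passphrase="$2"
    # -N sets the passphrase; -q suppresses output; stdin closed so it never prompts.
    ssh-keygen -q -t ed25519 -N "$passphrase" -C "github-commit-key" -f "$keyfile" </dev/null
    chmod 400 "$keyfile"
    chmod 644 "$keyfile.pub"
}

# key_is_encrypted KEYFILE
#   Succeeds only if the private key cannot be loaded with an empty
#   passphrase, i.e. it really is encrypted at rest.
key_is_encrypted() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# key_mode KEYFILE
#   Prints the octal permission bits (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key KEYFILE PASSPHRASE
#   Succeeds when the key is encrypted, owner-read-only, and still usable
#   with the right passphrase (ssh-keygen -y derives the public key from it).
check_key() {
    keyfile="$1"; passphrase="$2"
    key_is_encrypted "$keyfile" || return 1
    [ "$(key_mode "$keyfile")" = "400" ] || return 1
    ssh-keygen -y -P "$passphrase" -f "$keyfile" >/dev/null 2>&1
}

# Usage (placeholder path and passphrase):
#   make_protected_key "$HOME/.ssh/id_ed25519_github" 'correct horse battery staple'
#   check_key "$HOME/.ssh/id_ed25519_github" 'correct horse battery staple' && echo OK
```

The encrypted-at-rest check is the one worth keeping around: an unencrypted key passes the permissions test just as easily, which is exactly the situation the question describes.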

Yes, a security key would be the most convenient solution. I’ll consider getting one. Thank you for the answer!

1 Like