Security of ssh key passphrases - i.e. where to save them?

Chris Green cl at isbd.net
Sun Aug 18 10:17:08 UTC 2024


One is always told that using an ssh key with a passphrase is more
secure than using password authentication.

Yes, it is so in the context of the login process; however, that isn't
the whole story.  Where/how do you save the passphrases so that if you
forget one you can retrieve it?  The 'safe' where they are saved needs
to be as secure as the ssh protocol if the security of the ssh
protocol itself is going to be of any use at all.

So, what do others here do?

Do you have one passphrase that unlocks everything when you log in and
make it something that you can remember without saving it anywhere?
The risk here is that anyone guessing/shoulder-surfing your passphrase
will get access to absolutely everything.

Alternatively, do you have different passphrases for different systems,
especially those which have more sensitive information on them? In
this case you (well I anyway!) need to save them somewhere in order to
retrieve one if it's forgotten.

I take (sort of) the second approach and save keys in storage
protected by GnuPG. However I do wonder if (in my case) this is
actually the weakest link.


-- 
Chris Green



