Security of ssh key passphrases - i.e. where to save them?

Chris Green cl at isbd.net
Sun Aug 18 10:44:56 UTC 2024


On Sun, Aug 18, 2024 at 11:32:37AM +0100, Colin Law wrote:
> On Sun, 18 Aug 2024 at 11:19, Chris Green <cl at isbd.net> wrote:
> >
> > One is always told that using an ssh key with a passphrase is more
> > secure than using password authentication.
> >
> > Yes, it is so in the context of the login process, however that isn't
> > the whole story.  Where/how do you save the passphrases so that if you
> > forget one you can retrieve it?  The 'safe' where they are saved needs
> > to be as secure as the ssh protocol if the security of the ssh
> > protocol itself is going to be of any use at all.
> >
> > So, what do others here do?
> 
> I use Bitwarden for storing all credentials.  So when used on a PC it
> is unlocked with a master passphrase, and on Android it is unlocked
> with my fingerprint.

So it's the "single point of failure" for you.  If someone works out
your passphrase or grabs your phone after you've unlocked Bitwarden
they can access everything.

I'm not saying it's the wrong way to go about it; it's basically one
of the approaches I described, but there are risks with it.


> The database is accessible from all your devices.

Isn't that in itself another risk?  Is the access from "all your
devices" as secure as ssh using a passphrase?

> It has browser plugins so that you can use it for user/pwd filling
> rather than the browser.  It recognises the URL and offers the
> appropriate credentials for the page.
> It is excellent. I pay the $10/year for the premium version, but the
> free version may well be good enough for you.
> 
> I don't know whether it can interact with the command line for the
> particular situation you describe as I don't have that issue.
> 
Just about all my security relates to command line use.  I have
nothing on my 'phone worth stealing (no banking apps, no address list,
no passwords).  I do all my internet banking on my laptop and access
security information for that from my GPG safe storage.

-- 
Chris Green
