Security of ssh key passphrases - i.e. where to save them?
Colin Law
clanlaw at gmail.com
Sun Aug 18 11:11:55 UTC 2024
On Sun, 18 Aug 2024 at 11:46, Chris Green <cl at isbd.net> wrote:
>
> On Sun, Aug 18, 2024 at 11:32:37AM +0100, Colin Law wrote:
> > On Sun, 18 Aug 2024 at 11:19, Chris Green <cl at isbd.net> wrote:
> > >
> > > One is always told that using an ssh key with a passphrase is more
> > > secure than using password authentication.
> > >
> > > Yes, it is so in the context of the login process, however that isn't
> > > the whole story. Where/how do you save the passphrases so that if you
> > > forget one you can retrieve it? The 'safe' where they are saved needs
> > > to be as secure as the ssh protocol if the security of the ssh
> > > protocol itself is going to be of any use at all.
> > >
> > > So, what do others here do?
> >
> > I use Bitwarden for storing all credentials. So when used on a PC it
> > is unlocked with a master passphrase, and on Android it is unlocked
> > with my fingerprint.
>
> So it's the "single point of failure" for you. If someone works out
> your passphrase or grabs your phone after you've unlocked Bitwarden
> they can access everything.
Yes, though on the phone they would have to know what they were doing,
because if they let the phone go to sleep they would be stuck. A
random passer-by taking my phone would not achieve anything.
>
> I'm not saying it's the wrong way to go about it, it's basically one
> of the approaches I described, but there are risks with it.
Indeed, there is no risk free solution. I could be physically forced
to unlock the phone with my finger, or into giving the master
passphrase.
>
>
> > The database is accessible from all your devices.
>
> Isn't that in itself another risk? Is the access from "all your
> devices" as secure as ssh using a passphrase?
I don't understand your point.
>
> > It has browser plugins so that you can use it for user/pwd filling
> > rather than the browser. It recognises the URL and offers the
> > appropriate credentials for the page.
> > It is excellent. I pay the $10/year for the premium version, but the
> > free version may well be good enough for you.
> >
> > I don't know whether it can interact with the command line for the
> > particular situation you describe as I don't have that issue.
> >
> Just about all my security relates to command line use. I have
> nothing on my 'phone worth stealing (no banking apps, no address list,
> no passwords). I do all my internet banking on my laptop and access
> security information for that from my GPG safe storage.
Bitwarden is just an alternative to GPG safe storage, with some
advantages and maybe disadvantages, I don't know.
Colin L