undefined | Better HN

0 pointsvaylian2y ago0 comments

What about storing/backupping/managing passkeys versus SSH keys?

0 comments

4ad2y ago

It's the same, you should not store or backup SSH Keys.

carstenhag2y ago

So I should get locked out of all services when my device breaks?

dwattttt2y ago

You should produce a key per device, and produce a backup key that is safely stored & not used anywhere.

You can recover if you lose all devices via your break-glass backup key, and you limit the blast radius of "my key got stolen" from rotating all your keys to just a single device (or maybe the more likely "I screwed up and pushed my key somewhere public")

crote2y ago

... which is completely nonviable if you connect to more than a single service.

I agree that you should use a different key per device, but when you connect to over a dozen different services/machines it quickly starts to become a serious chore to add another key. Have fun spending an hour enrolling your new device - provided you can even remember every single usage it should be enrolled with.

1 more reply

red_trumpet2y ago

I have to store them on my disc, in order to use them tomorrow.

Spunkie2y ago

Oddly enough you don't. We've been storing our ssh keys(ed25519-sk) as resident keys for years now without issue.

So basically we've been storing ssh keys directly on yubikeys the same way passkeys are stored since before passkeys were a thing.

It seemed a clearly superior option compared to letting ssh private keys roam around on random computers.

tsimionescu2y ago

Sure, but then limits you to a handful of keys. The WebAuthn people don't like this, they want one key per service, so basically YubiKeys no longer really work with WebAuthn (unless you're fine with only ever using a max of 25 services).

redeeman2y ago

and then the real world comes knocking

fellerts2y ago

Can you elaborate on this? Why not?

j / k navigate · click thread line to collapse