My Notes

How to use rotated SSH keys ?

Lubos Magat's photo
Lubos Magat

Rotating SSH keys is an important practice for maintaining security in systems that use SSH for remote access. The process involves creating new SSH key pairs and replacing the old ones. Here's a general guide on how to rotate SSH keys:

  1. Create a New SSH Key Pair:

    • On your local machine, generate a new SSH key pair using the ssh-keygen command. You can specify the type of key and the file in which to save the key.

    • Example: ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

  2. Add the New Public Key to the Server:

    • Transfer the newly generated public key (e.g., id_rsa.pub) to your server. You can use ssh-copy-id or manually append it to the ~/.ssh/authorized_keys file on the server.

    • Example: ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

  3. Verify the New Key:

    • Test the new SSH key by logging into the server using the new key. Ensure that the connection works correctly with the new key.

    • Example: ssh -i ~/.ssh/id_rsa user@server

  4. Remove the Old Key:

    • Once you've confirmed that the new key works, remove the old public key from the ~/.ssh/authorized_keys file on the server. This step is crucial to ensure that the old key is no longer usable.

    • You can edit the file using a text editor or use a command to remove the specific line containing the old key.

  5. Update the Key in Other Services:

    • If the old key was used in other services or applications (like code repositories, cloud services, etc.), make sure to update them with the new key.

  6. Regular Rotation:

    • Key rotation should be a regular practice. Set a schedule to update your SSH keys periodically, such as every 6 months or annually, depending on your security requirements.

  7. Automating Rotation:

    • For environments with many servers or keys, consider using automation tools or scripts to streamline the key rotation process. This can help manage keys more efficiently and reduce the risk of errors.

  8. Revoking Old Keys:

    • If a key is suspected to be compromised, immediately revoke access by removing it from all servers and services. Quickly replace it with a new key to maintain access and security.

  9. Informing Team Members:

    • If you're working in a team environment, ensure all members are informed about the key rotation, especially if they need to update their keys or if shared keys are involved.

Remember, the security of your systems is only as strong as your key management practices. Regularly rotating SSH keys and keeping them secure (like using passphrase protection for the private keys) are essential parts of maintaining system security.

ssh