Long Lived SSH Keys Considered Harmful

Disclaimer: This advice goes for any credential, including and especially passwords

tl;dr: You should, at regular intervals, change out and retire old SSH keys.

SSH keys are dangerous

An SSH key should be considered a short-lived resource and as such should be refreshed periodically. Here are a few reasons why:

  • They can be compromised
  • They are highly privileged
  • They can be automatically generated
  • They can easily be replaced on many services

Refreshing your SSH keys has the added benefit of following the Let’s Encrypt School of Critical Process Management:

The important things should be performed at regular intervals to keep institutional memory of the process fresh and resilient against irregular but inevitable failures like employee turnover.

I am paraphrasing the above, but it's definitely a philosophy they follow.

This goes for any long-lived, highly privileged credential. Passwords too. Even if you practice good password management you should still cycle out your passwords. This is annoying to do when you try to commit your passwords to memory, but if you are practicing good management, it becomes no bigger an issue than copying and pasting your password.

Side Notes

You should use different SSH keys for each service, much like how you should use different passwords for each service. ~/.ssh/config makes this easy: give each Host entry its own IdentityFile.

While we’re talking about good SSH hygiene, when you create a key you should encrypt it with a passphrase. But be sure to pass -o to ssh-keygen, which writes the private key in the newer OpenSSH format with a much stronger passphrase KDF than the legacy PEM format. Don’t accept the defaults.

Also you should use some kind of proper key storage, because any old userspace process on your system can read your ~/.ssh directory. Do you trust your development machine? You probably shouldn’t.
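The rotation advice and the -o/passphrase advice above can be checked mechanically. The following is an added example, not code from the original post: it parses the header of each private key file (the `openssh-key-v1` format written by `ssh-keygen -o` carries its cipher and KDF names up front, while a legacy PEM header means the old format) and flags keys that are too old, in the legacy format, or stored without a passphrase. `sample_openssh_key` builds a constructed header-only blob for demonstration, not a real key; the 90-day threshold is an assumed policy.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the "new" (ssh-keygen -o) private key format

def _read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Return (format, cipher, kdf) for the text of a key file; cipher/kdf only for -o keys."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return ("unknown", None, None)  # config, known_hosts, public keys, certificates
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return ("legacy-pem", None, None)  # pre -o format: weak or no passphrase KDF
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        return ("unknown", None, None)
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    return ("openssh", cipher.decode(), kdf.decode())

def audit(entries, max_age_days, now):
    """entries: (name, file text, mtime as epoch seconds). Returns (name, problem) pairs."""
    findings = []
    for name, text, mtime in entries:
        fmt, cipher, _kdf = inspect_private_key(text)
        if fmt == "unknown":
            continue
        if (now - mtime) / 86400 > max_age_days:
            findings.append((name, "older than %d days: rotate it" % max_age_days))
        if fmt == "legacy-pem":
            findings.append((name, "legacy PEM format: regenerate with ssh-keygen -o"))
        elif cipher == "none":
            findings.append((name, "no passphrase: key is stored in the clear"))
    return findings

def sample_openssh_key(cipher, kdf):
    """Constructed header-only blob in the -o format, for demonstration; not a usable key."""
    body = MAGIC
    for field in (cipher, kdf):
        body += struct.pack(">I", len(field)) + field.encode()
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64
```

To run it over a real ~/.ssh, build the entries from os.listdir(), each file's text and os.path.getmtime(); non-key files such as config and known_hosts are skipped as "unknown".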