craftkiller | 8 days ago
That's only true when your machine is powered off. If an attacker manages to yank files from your disk while it is running, that ssh-key password is the difference between "they stole my ssh key" and "they stole worthless random data".
> use hardware key for ssh
That's the real solution. I don't understand why people still store ssh keys on disk when hardware keys are simple, easy, and significantly more secure.
bubblewand | 8 days ago
At work, every place big enough to maybe care about this was so “enterprisey” and “cloudy” that I almost never use/used ssh anyway, even with tons of Linux systems all over the place. Pretty much only to talk to GitHub.
I lose stuff all the time. The idea of these things gives me anxiety. The first time I lost 15 minutes figuring out where I put my hardware key, before I could ssh in to do 20 seconds of running commands, I’d back out of the whole project and return to using a file on disk, guaranteed.
Files on disk are free, hardware keys cost money.
25 years as a backend-heavy programmer, sysadmin, and devops-sort (sometimes all at once, lol). I’ve still never even touched one of these devices, and have only rarely seen one.
craftkiller | 7 days ago
Do you lose your keys? I just keep my main yubikey on my keychain. Never gets lost or else I'd be homeless. I keep a 2nd backup key in a secure place just in case, so I don't get locked out of my accounts if I get struck by lightning.
> hardware keys cost money
Barely. You can get u2f keys for $10-$20 which are usable with ssh. My yubikeys were $50 each (I have 2, one main key and one backup) which adds up to $100 but yubikeys are built like tanks, they'll last forever. I've had mine for the past 7 years and I have no reason to replace them. That's only $14/year so far for the pair of keys. Totally worth it for the knowledge that I could load every virus/trojan/keylogger known to man onto my computer and they still would be completely unable to steal my ssh+pgp keys.