* Benedict Verheyen (linux4bene@pandora.be) [020806 08:21]:
> Hi,
>
> i have a question on security with regards to key pairs.
>
> I have created a keypair on my server so i can log on to my server from
> my pc. Do i leave the keypair in ~/.ssh or do i move them (especially
> the private key)? What is regarded as being a safe medium? CD-RW or
> anything not connected to the server i guess?

As someone else indicated: the private key should only be on your local
machine. The server to which you are connecting only gets the public key.
The public key is listed in ~/.ssh/authorized_keys. That is all that is
needed on the server. See below for discussion of non-HD storage of the key.

> Same question could go for gnupg. I've only tested this with WinPT on
> my win machine at work. I suppose that once the keypair is generated,
> it would be safer to move the private key to another medium or do you
> leave the pair on the win 'puter.

Well, if you don't need it there, why did you generate it? ;-)

If it's convenient for you to pop in a CD every time you need to decrypt
or sign something (or log in anywhere, if we're talking about an SSH key),
*and* that that CD won't just be in the drive when someone roots your box
and/or the feds come and take it away, then yeah, I guess it's better. If
you just leave that CD in the drive anyway, you don't gain a whole lot.

> I suppose encrypting the ssh key pair on the disk/cd where i would
> keep them would be overkill :-) ?

Yeah, I'd say so. Just use Good passphrases on your private keys.
Multiple encryptions add obscurity, but not necessarily security.

good times,
Vineet
--
http://www.doorstop.net/
--
Satan laughs when we kill each other. Peace is the only way.
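Added example, not part of the original message: a small Python check that classifies key files by whether they hold a private key and whether that key is passphrase-protected, the two properties the reply above relies on. The function names and the sample file contents are constructed for illustration; the samples carry no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_protection(text):
    """Return 'not-private', 'encrypted', 'unencrypted' or 'unknown' for key file text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not (lines and lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return "not-private"  # e.g. an authorized_keys or .pub line
    label, body = lines[0][11:-5], lines[1:-1]
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 container, passphrase-protected
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body))
        except ValueError:
            return "unknown"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "unknown"
        # First field after the magic is the length-prefixed cipher name.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): a passphrase shows up as an RFC 1421 header.
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body):
        return "encrypted"
    return "unencrypted"

def constructed_openssh(cipher, kdf):
    """Constructed sample: OpenSSH-format header fields only, no key material."""
    raw = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf, b""))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples standing in for files found in an account's ~/.ssh.
SAMPLES = {
    "authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== user@pc\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
    "id_dsa": ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nQ09OU1RSVUNURUQ=\n"
               "-----END DSA PRIVATE KEY-----\n"),
    "id_ed25519": constructed_openssh(b"none", b"none"),
    "id_ecdsa": constructed_openssh(b"aes256-ctr", b"bcrypt"),
}

def audit(files):
    return {name: key_protection(text) for name, text in files.items()}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

On a server account, anything other than "not-private" deserves a look, and "unencrypted" means the key has no passphrase at all.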