0

Looking for a "best-practices" kind of answer when it comes to storing private SSH keys.

Scenario: VMs are deployed to the cloud using Terraform, they use a single public key. Now the corresponding private key needs to be stored somewhere - where should it be kept? Cloud key management service (like Azure Key Vault, Hashicorp Vault)? It would be used for Ansible.

Should these private keys be added to the Vault using terraform or should it be done manually (to avoid listing them in .tfstate files)?

Improve this question
3
  • You are ignoring one of the most common advices here: One private SSH key is for one host only, it is not supposed to be moved around. My suggestion would be to generate a new SSH key with every VM deployment together with the corresponding insert into the proper authorized_keys file.
    – Martin
    Jul 26, 2021 at 10:13
  • 1
    One private SSH key is most certainly used for deployments. I am not talking about casual user access. Imagine deploying 100 VMs to the cloud and managing 100 seperate SSH keys for Ansible connection. Come on, no one is doing that.
    – dywan666
    Jul 26, 2021 at 10:25
  • you asked for best practices; And one of those is simply not to move these keys around. Security always comes with a price, and you might have good reasons for ignoring such a best practice - But always be aware of the security risks you are taking.
    – Martin
    Jul 26, 2021 at 11:03

1 Answer 1

Reset to default
1

According to HashiCorp Documentation, the vault is the place to store the "SSH keys to connect to remote machines are shared and stored as a plaintext" More information here.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .