When working across Windows, Linux, and macOS systems, SSH key management becomes crucial for both security and convenience. The fundamental question is whether to:
- Generate unique key pairs per machine
- Reuse a single key pair across devices
Using separate keys for each machine provides better security granularity. If one machine is compromised, you can revoke just that specific key without affecting others.
# Generating unique keys per device (Linux example)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_devicename -C "user@devicename"
For those preferring a single key pair, here's a secure deployment method:
- Generate the key on your most secure machine
- Use encrypted transfer methods (like GPG) to move the private key
- Set strict permissions (600 for private key)
# Secure key transfer example
gpg --encrypt --recipient your@email id_rsa
scp id_rsa.gpg othermachine:~/.ssh/
For teams or individuals managing multiple keys, consider these patterns:
# Sample ~/.ssh/config for multi-key management
Host server1
HostName server1.example.com
User deploy
IdentityFile ~/.ssh/id_ed25519_laptop
Host server2
HostName server2.example.com
User admin
IdentityFile ~/.ssh/id_ed25519_desktop
For frequent machine changes, consider these tools:
- Ansible playbooks for key distribution
- Secret management tools like HashiCorp Vault
- Encrypted cloud storage with versioning
Regardless of approach, implement regular key rotation:
# Key rotation checklist
1. Generate new key pair
2. Add new public key to servers
3. Test connection
4. Remove old public key
5. Securely delete old private key
When working across Windows, Linux, and macOS systems, SSH key management becomes crucial for both security and convenience. The fundamental question is whether to:
- Generate unique key pairs for each machine
- Use a single key pair across all devices
From a security perspective, unique keys per machine provide better compartmentalization. If one machine gets compromised, you only need to revoke that specific key rather than all access. However, this creates management overhead.
# Generating unique keys per machine ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_workstation1 -C "user@workstation1" ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_laptop -C "user@laptop" ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mac -C "user@macbook"
For many developers, using a single strong key pair across machines offers practical advantages:
- Simpler deployment to new machines
- Easier key rotation when needed
- Consistent access control
Here's how to securely transfer keys between machines:
# On source machine: cat ~/.ssh/id_ed25519.pub | ssh user@newmachine "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" # Set proper permissions: ssh user@newmachine "chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"
For teams or complex setups, consider these professional approaches:
SSH Agent Forwarding
# In ~/.ssh/config Host jumpserver HostName jumpserver.example.com ForwardAgent yes IdentityFile ~/.ssh/id_ed25519
Using a Password Manager for Key Storage
Store encrypted private keys in password managers like Bitwarden or 1Password, then decrypt when needed:
# Example decryption workflow gpg --decrypt ~/.ssh/id_ed25519.asc > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519
For quick setup on new machines, create a bootstrap script:
#!/bin/bash # deploy_ssh_keys.sh KEY_URL="https://secure.example.com/keys/user_ed25519" mkdir -p ~/.ssh curl -s $KEY_URL | gpg --decrypt > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
Regardless of your approach, implement regular key rotation:
# Rotating keys example ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "user@$(hostname)" ssh-copy-id -i ~/.ssh/id_ed25519_new.pub user@server # Test new key, then update all machines
Remember to update all authorized_keys files on servers when rotating shared keys.