Is it okay to use an SSH key with an empty passphrase?
Solution 1:
A key with no passphrase is reliant upon nobody else being able to get at that key (who wouldn’t be able to get at the resources it gives access to anyway). So, if the key grants access to a machine next to it, and both machines have the same level of electronic and physical security, then it’s not really any big deal.
On the other hand, if your key is on a machine with poor security (perhaps it has many untrusted users, is easily physically accessible, or isn’t kept well up-to-date with its patching regime), then you probably don’t want to keep passphrase-less keys on there.
Ultimately, it’s down to confidence in your setup and weighing up the risks/costs of doing it — if you can be pretty confident that it’s not realistically easier for an attacker to gain access to the key than to the resource the key gives you access to, then you’re fine. If you don’t have that confidence, you should probably fix the reasons why :)
Solution 2:
Another solution, enhancing security while making it easier on you, so you don't have to type your password all the time:
If you want to encrypt your private key, you can use ssh-agent on your workstation to 'cache' the unencrypted key. When you want to store your decrypted key, you run ssh-add ~/.ssh/id_rsa or whatever your private key is named. You will be prompted for the password, and the decrypted key will be available for your ssh connections until you log out, kill ssh-agent or shut down.
You can kill the stored keys with ssh-agent -k, and you can assign a lifetime for the key to be in memory with ssh-agent -t [seconds].
So for example, if you don't want to keep your key decrypted forever, but you want to do a lot of ssh-ing around your hosts, you can set the timeout to 5-10 minutes, so you don't have to continuously enter your key's password.
Again, this all has to do with how confident you are of the security of your /workstation/: if you're the only one who has access to it, you have a pretty secure local password, and you don't invite exploits and rootkits upon yourself, your passphrase-less private key is reasonably secure.
If you're like me, and you keep your private key on a thumb-drive, you are definitely going to want to encrypt that, even though it's just a private key (a separate one from the one I use on my workstation, so if I lose my key, I can easily just remove the thumb-drive's public key from my server's ~/.ssh/authorized_keys list, which also brings up an /excellent/ reason to add USEFUL comments to your public keys).
In your response to a previous answer, you said only people you trust have access to the machine with the keys. I just want to clarify that your private key does NOT need to be on the server you are connecting to, in case that is what you are doing. Only your public key needs to be on the server, and that's a non-issue, which is why it's a 'public' key.
Oh, I forgot to mention; I launch ssh-agent when I start X, otherwise the decrypted keys I store with ssh-add aren't retained through different xterm sessions, and I have to re-enter the password every time I close the xterm I launched ssh-add in. In my ~/.xinitrc file, I have:

    if [ -x /usr/bin/ssh-agent ]; then
        eval $(/usr/bin/ssh-agent)
    fi

I have the call to ssh-agent wrapped in eval because ssh-agent returns some environment variables that need to be set when it runs, and run from ~/.xinitrc, the environment variables are constant throughout the X session.
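The agent workflow this answer describes (start ssh-agent once per session, cache a passphrase-protected key for a limited lifetime, clear it again) as an added shell example; this is not code from the original answer or from OpenSSH itself. It reuses an agent if one is already reachable, otherwise starts one with a default key lifetime, adds a key with that same lifetime, and drops cached keys without terminating the agent. The 600-second lifetime, the default key path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer. Reuses or starts an
# ssh-agent with a default key lifetime, then caches a passphrase-protected
# key for that lifetime. AGENT_LIFETIME, the default key path and the
# function names are assumptions; adjust them to your setup.

AGENT_LIFETIME="${AGENT_LIFETIME:-600}"   # seconds; 10 minutes, as the answer suggests

# agent_status: the exit code of `ssh-add -l`, which is 0 when the agent holds
# keys, 1 when it is reachable but empty, and 2 when no agent can be reached
# (SSH_AUTH_SOCK unset, stale socket, agent exited). Anything else is reported
# as 2 so callers only ever handle three cases.
agent_status() {
    st=0
    ssh-add -l >/dev/null 2>&1 || st=$?
    if [ "$st" -gt 2 ]; then st=2; fi
    return "$st"
}

# ensure_agent: keep an existing agent (so every shell in the session shares
# one cache); otherwise start one. -s forces Bourne-style output regardless
# of $SHELL, -t makes AGENT_LIFETIME the default lifetime for added keys, and
# eval applies the SSH_AUTH_SOCK/SSH_AGENT_PID exports the agent prints.
ensure_agent() {
    rc=0
    agent_status || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s -t "$AGENT_LIFETIME")" >/dev/null || return 1
    fi
    return 0
}

# add_key: cache one private key, prompting for its passphrase once. The
# per-key -t is what makes the agent forget the key after the lifetime.
add_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"   # assumed default key path
    ensure_agent || return 1
    ssh-add -t "$AGENT_LIFETIME" "$key"
}

# forget_keys: drop every cached key but leave the agent running, e.g. before
# locking the screen. (ssh-agent -k instead terminates the agent process.)
forget_keys() {
    ssh-add -D >/dev/null 2>&1
}

# Usage, e.g. from ~/.xinitrc or ~/.profile:
#   . "$HOME/bin/agent.sh" && ensure_agent
# and later, in any terminal of that session:
#   add_key ~/.ssh/id_ed25519
```

Sourcing the file once from ~/.xinitrc or a login profile is what makes SSH_AUTH_SOCK visible to every terminal of the session, which is the problem the answer hit with per-xterm agents. Note the distinction the helpers make explicit: `ssh-add -D` clears the cached keys while keeping the agent alive, whereas `ssh-agent -k` stops the agent process named by SSH_AGENT_PID.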