SSH Key Reuse Advice

So this is not a very specific question, but how do people reuse their SSH keys? I mean, I wanted to set up a GitHub account. I also have a key pair for logging into a machine at home remotely. Now, maybe I did not massage my Google search terms correctly, but is it considered poor form to use the same key pair for the convenience factor? I know security people will probably yell "HELL NO" at me, but how do you sysadmins handle this in practice?


Two key questions to ask yourself:

  1. How secure is your private key?

  2. How critical are the systems you're logging in to?

The first question is the most important: If your private key is safe -- e.g. stored only on one secure machine where nobody has physical access but you, with a paranoid firewall between it and the internet whenever it's connected -- you can reuse your key.
(If your private key is not safe you have bigger problems to deal with.)

The second question relates to "do you want to reuse a key?" -- I personally have 3 SSH keys:

  • My Personal key, which gets me into my personal servers.
  • My Work key, which gets me into Work machines.
  • My "SSH Services" key, which gets me into GitHub and the like.

If any one of these keys gets compromised the amount of damage is limited (as is the amount of re-keying required: I only have to change authorized_keys lists on systems affected by the compromised key). For example, if my personal key somehow gets compromised I don't have to worry about work machines being broken into.

In practice the keys are only as secure as the machine/media holding the private half (my work private key is on an encrypted USB stick -- if I need it I have to mount that device first, while my personal and "Services" keys are both in ~/.ssh on my laptop -- a compromise of my Work systems would be more devastating than someone deleting all my personal email...)


As configuring and managing several keys using ~/.ssh/config is easy and straightforward, I always create new keys, and always with a password, for different connections or hosts, as long as these are external hosts.
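Both answers above come down to the same setup: one key per trust domain (personal, work, hosted services) and a ~/.ssh/config that pins each host to exactly one key. The script below is an added example, not code from either answer; the host aliases, hostnames, user names, key file names and the USB mount path are assumptions for illustration. The important line in each stanza is IdentitiesOnly yes: without it, ssh will offer every key it can find (including all keys loaded in ssh-agent) to every host, which both defeats the compartmentalisation and lets each server learn which other public keys you hold.

```shell
#!/bin/sh
# Added example: one SSH key per trust domain, selected per host via
# ~/.ssh/config. Hostnames, aliases and paths are made-up placeholders.

# Generate three passphrase-protected ed25519 keys, one per domain.
# ssh-keygen prompts for the passphrase interactively; existing keys are kept.
generate_keys() {
    dir="${1:-$HOME/.ssh}"
    mkdir -p "$dir" && chmod 700 "$dir"
    for name in id_ed25519_personal id_ed25519_work id_ed25519_services; do
        [ -f "$dir/$name" ] || ssh-keygen -t ed25519 -f "$dir/$name" -C "$name"
    done
}

# Write a config that maps each host (pattern) to a single key.
# IdentitiesOnly yes stops ssh from trying every key in the agent or the
# default key files, so a server only ever sees the key meant for it.
write_config() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
Host home
    HostName home.example.org
    User me
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes

Host *.corp.example.com
    User me
    IdentityFile /media/usbkey/id_ed25519_work
    IdentitiesOnly yes

Host github.com gitlab.com
    User git
    IdentityFile ~/.ssh/id_ed25519_services
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Print the IdentityFile the config assigns to a given Host alias/pattern.
# Usage: key_for_host <config-file> <alias>
key_for_host() {
    awk -v want="$2" '
        $1 == "Host" { inblock = 0; for (i = 2; i <= NF; i++) if ($i == want) inblock = 1 }
        inblock && $1 == "IdentityFile" { print $2; exit }
    ' "$1"
}

# Succeed only if no IdentityFile is shared between two Host blocks,
# i.e. a compromise of one key cannot reach another domain.
keys_are_distinct() {
    dups=$(awk '$1 == "IdentityFile" { print $2 }' "$1" | sort | uniq -d)
    [ -z "$dups" ]
}
```

After writing the real ~/.ssh/config, `ssh -G github.com` prints the effective options ssh would use for that host, so you can confirm that only the intended identityfile is listed before trusting the setup; `ssh -v` during the first connection shows which key was actually offered.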