Keeping track of SSH private keys without comments

SSH public keys support comments (which simply consist of text appended to the end of the key), which makes it easy to identify an otherwise unidentifiable id_rsa.pub file. You can use the comment to store information such as who the key belongs to, when it was created, and what machine it's for.

Private keys appear to lack this feature. ssh-keygen -C comment will generate a keypair with the comment appended to the public key, but the private key will remain uncommented. ssh-keygen has a -c argument that "requests changing the comment in the private and public key files", but

root@kitsune:~# ssh-keygen -c -f id_rsa
Comments are only supported for RSA1 keys.

So it would appear that the SSH2 private key format has no comment field. This is mostly fine as long as one keeps the pair of keys together and in the right place, but the files can get copied and moved around (which might happen when accounts/machines share a key) or overwritten accidentally, and they all have the same name (id_rsa), so one can lose track of which key is which. In the absence of commenting, what are the best practices for keeping private keys organized?


Solution 1:

Storing the private key with the public one gives you the opportunity to see the comment stored in the public part using the command below, but I see that is not what you want. There is no way to store a comment in the key itself (as you already mentioned).

$ ssh-keygen -lf ~/.ssh/id_rsa
2048 SHA256:abcdef[...] [comment] (RSA)

files can get copied and moved around

This is a really bad idea. You don't want your private data moving around. In the ideal case, you should have one key pair per device from which you are connecting. If you need more keys on the client, I would go with different naming, such as id_rsa-private-github (with appropriate naming of the public part). With proper configuration in ~/.ssh/config and/or ssh-agent, there is no flaw in this setup.
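One way to do the bookkeeping this answer recommends, as an added example that is not part of the original answer: a standard-library Python script that walks a key directory, pairs each private key with its .pub neighbour, decodes the public key blob to recover the type, size, SHA256 fingerprint and comment (the same fields `ssh-keygen -lf` prints above), and lists private keys whose .pub has gone missing or .pub files whose private half is gone. The directory layout, file names and the RSA modulus it builds are constructed sample data, not real keys; key size handling covers ssh-rsa and ssh-ed25519 only.

```python
"""Inventory an SSH key directory: pair each private key with its .pub file
and report type, size, SHA256 fingerprint and comment (what `ssh-keygen -lf`
prints). Added example for this answer; standard library only."""
import base64
import hashlib
import os
import struct
import tempfile

PRIVATE_MARKER = b"PRIVATE KEY-----"  # matches PEM and OpenSSH private key headers
TYPE_LABELS = {"ssh-rsa": "RSA", "ssh-ed25519": "ED25519"}

def read_ssh_string(blob, offset):
    """Decode one length-prefixed RFC 4251 'string' starting at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def parse_public_key(line):
    """Parse an OpenSSH public key line '<type> <base64 blob> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    embedded_type, offset = read_ssh_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, offset = read_ssh_string(blob, offset)
        modulus, _ = read_ssh_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    # ssh-keygen's SHA256 fingerprint is the unpadded base64 of sha256(blob)
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint, "comment": comment}

def format_like_keygen(info):
    """Render a parsed key the way `ssh-keygen -lf` does."""
    label = TYPE_LABELS.get(info["type"], info["type"])
    return f'{info["bits"]} {info["fingerprint"]} {info["comment"]} ({label})'

def inventory(ssh_dir):
    """Return (paired, orphan_private, orphan_public): paired maps each private
    key file to the parsed details of its .pub sibling; orphans lost their half."""
    paired, orphan_private, orphan_public = {}, [], []
    names = sorted(os.listdir(ssh_dir))
    for name in names:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        if name.endswith(".pub"):
            if name[:-4] not in names:
                orphan_public.append(name)
            continue
        with open(path, "rb") as f:
            if PRIVATE_MARKER not in f.read(4096):
                continue  # config, known_hosts and other non-key files
        if name + ".pub" in names:
            with open(os.path.join(ssh_dir, name + ".pub")) as f:
                paired[name] = parse_public_key(f.readline())
        else:
            orphan_private.append(name)
    return paired, orphan_private, orphan_public

# --- constructed sample data below; these are not real keys ---------------
def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def make_rsa_pub_line(modulus, comment):
    """Assemble a public-key line from constructed RSA components (e = 65537)."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment + "\n"

def demo():
    """Populate a throwaway directory with constructed files and inventory it."""
    fake_private = "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
    modulus = b"\x00\xc3" + b"\x5a" * 255  # 2048-bit; leading 0x00 because mpints are signed
    files = {
        "id_rsa": fake_private,
        "id_rsa.pub": make_rsa_pub_line(modulus, "alice@laptop 2024-01 github"),
        "id_rsa-private-github": fake_private,  # copied here, its .pub left behind
        "old_server.pub": "ssh-ed25519 AAAA old_server\n",  # private half deleted
        "config": "Host github.com\n  IdentityFile ~/.ssh/id_rsa-private-github\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        return inventory(d)

if __name__ == "__main__":
    paired, orphan_private, orphan_public = demo()
    for name, info in paired.items():
        print(f"{name}: {format_like_keygen(info)}")
    print("private keys without .pub:", orphan_private)
    print(".pub files without private key:", orphan_public)
```

Run it against a real ~/.ssh by calling inventory(os.path.expanduser("~/.ssh")) instead of demo(); an encrypted private key is never decrypted, since only the .pub line is parsed, so the script needs no passphrases. The orphan lists are the actionable output: a private key with no .pub is exactly the "which key is this?" situation from the question, and regenerating the .pub with ssh-keygen -y -f is the fix.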