LinuxQuestions.org

Linux - Security: pgp/openSSH/etc, should I use a single public/private key pair or different ones? (http://www.linuxquestions.org/questions/linux-security-4/pgp-openssh-etc-should-i-use-a-single-public-private-key-pair-or-different-ones-891722/)

Cultist 07-14-2011 11:08 AM

pgp/openSSH/etc, should I use a single public/private key pair or different ones?
 
Something I've been wondering about. I have a few different things that use keys. Off the top of my head, I can think of my phone's SSH client, email client, and PGP client, and two computers' email clients, IM client, and IIRC VPN client.

Would it be better to use a single secret/public pair and export it to each thing that requires, or to generate a separate pair for each application? Is there any particular advantage to using separate ones instead of a single pair?

Noway2 07-14-2011 02:50 PM

One big disadvantage of reuse that I can think of is that if one becomes compromised or gets revoked, you have lost all of them. If you use a password, which gets recursed into the key, and someone gets the password, they would then also have access to all of these services.

Aside from that, I suspect that there are some differences in the key style and format for the different applications, but I am not as knowledgeable about this as I would like to be.

anomie 07-14-2011 03:07 PM

Quote:

Originally Posted by Cultist
Is there any particular advantage to using separate ones instead of a single pair?

Of course - using separate keypairs means you aren't betting the entire farm on your ability to protect all devices that share the private key. Phones are easily lost or stolen, for instance.

An exception to this may be your PGP mail encryption. If you intend to use the same email identity (read: same keypair) on multiple workstations, you'll need to have it available on each of those.

Reuti 07-15-2011 06:29 AM

Quote:

Originally Posted by anomie (Post 4415022)
Of course - using separate keypairs means you aren't betting the entire farm on your ability to protect all devices that share the private key. Phones are easily lost or stolen, for instance.

An exception to this may be your PGP mail encryption. If you intend to use the same email identity (read: same keypair) on multiple workstations, you'll need to have it available on each of those.

I agree with that: one keypair per device and the private key should never leave the device. You just have a couple of entries in your ~/.ssh/authorized_keys but can also easily remove one if a device got stolen. And use a passphrase for the ssh-key maybe with an ssh-agent to make usage more handy.

I would really like it if I could see in the public part of the keypair whether a user used a passphrase or not. As an admin you don't know whether the user removed the passphrase, although you created the keypair with a passphrase during setup with them.

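The "one keypair per device, remove one entry if a device is stolen" approach above only works if each entry in authorized_keys can be told apart, which is what the comment field is for. The following is an added example (not code from the thread or its posters) that parses authorized_keys lines, including ones with quoted options, lists the devices present, and revokes a single device by its comment. The device names (cultist@phone etc.) and the key material are constructed placeholders.

```python
from typing import List, Optional, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _fields(line: str) -> List[str]:
    # Split on whitespace, except inside double-quoted option values
    # such as from="10.0.0.*" or command="/usr/bin/rsync --server ...".
    out, cur, quoted, prev = [], [], False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        prev = ch
    return out + (["".join(cur)] if cur else [])

def parse_entry(line: str) -> Optional[Tuple[str, str, str, str]]:
    # -> (options, keytype, key, comment); None for blank and '#' lines.
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    f = _fields(s)
    idx = next((i for i, t in enumerate(f) if t in KEY_TYPES), None)
    if idx is None or idx > 1 or len(f) < idx + 2:
        raise ValueError(f"unrecognised authorized_keys line: {s!r}")
    return (f[0] if idx == 1 else ""), f[idx], f[idx + 1], " ".join(f[idx + 2:])

def list_devices(authorized_keys: str) -> List[str]:
    # Comment field of every entry: the devices currently allowed in.
    return [e[3] for e in map(parse_entry, authorized_keys.splitlines()) if e]

def revoke_device(authorized_keys: str, device: str) -> Tuple[str, int]:
    # Drop every entry whose comment equals `device`; keep all other lines as-is.
    kept = [ln for ln in authorized_keys.splitlines()
            if not ((e := parse_entry(ln)) and e[3] == device)]
    removed = len(authorized_keys.splitlines()) - len(kept)
    return "\n".join(kept) + "\n", removed

# Constructed sample file: the key material is placeholder text, not real keys.
SAMPLE = """\
# one entry per device; the private key never leaves that device
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERphone cultist@phone
from="192.168.1.*",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERlaptop cultist@laptop
command="/usr/bin/rsync --server -a . /backup" ssh-ed25519 AAAAC3PLACEHOLDERdesk cultist@desktop
"""
```

Give each device's key a distinct comment when generating it (ssh-keygen -C "name@device") so that the match in revoke_device is unambiguous.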
