Ask HN: How do you store private keys?

5 points by max_ 11 hours ago

It seems there is no standard proper way to store private keys.

I have been using AGE [0]

And I really don't like the idea of having the keys stored in the home directory in plain text.

There is also a risk of losing the keys if my laptop is damaged or gets stolen.

Is there a proper tool for storing encryption keys?

atmosx 7 hours ago

Paper. There’s a project called paperkey that allows you to store GPG keys on A4 paper. You could apply a similar approach to your age encrypted private keys or store them in plain text.

Modern smartphones have excellent OCR (optical character recognition) capabilities, so converting images of printed text back into digital form is now quite easy and reliable.

Personally, I use 1Password, and even they recommend printing out a PDF copy of your passwords and storing it in a secure location - like a physical vault. It’s a practical backup in case something happens and someone needs access to your credentials.

mos_6502 11 hours ago

> It seems there is no standard proper way to store private keys.

The gold standard for this would be a Hardware Security Module (HSM), which is essentially a device that stores private keys with certain guarantees of physical security (e.g, that private key material cannot be extracted from the device once it has been generated or placed there, and the device performs operations using the key material on behalf of some client).

HSMs in various forms underpin all sorts of cryptosystems that society depends on, because securing private key material at rest is essential. You'll find them everywhere from your debit/credit card, to certificate authorities, financial institutions, defense, and your smartphone.

For your use case, I'd recommend taking a look at Yubikeys. I did a writeup a while back on how to use them to store different types of private keys for various purposes:

https://blog.ctis.me/2022/12/yubikey-piv-gpg/

throwup238 10 hours ago

1Password with their SSH agent [1] for SSH keys, their CLI [2] for local secrets, and their terraform provider with service tokens for infrastructure keys/secrets. Yubikey for the secrets I’m most paranoid about.

You can essentially encrypt all environment variables, not just SSH keys, by aliasing your terminal commands to the 1password CLI. I have a “secrets” repo where all dotenv files are checked in with values like “op://vault-name/secret-name/key-name” that get injected by the op cli.

[1] https://developer.1password.com/docs/ssh/agent/

[2] https://developer.1password.com/docs/cli/get-started/

dale_huevo 11 hours ago

> And I really don't liek the idea of having the keys stored in the home directory in plain text.

so encrypt them.

or store them in a hardware token.

or on a USB stick (poor man's hardware token).

> There is also a risk of losing the keys if my laptop is damaged or gets stolen.

backups, full disk encryption.

  • max_ 11 hours ago

    Hi,

    Thanks for this reply. Could you recommend any good "hardware tokens"?

bonki 3 hours ago

keepass

znpy 11 hours ago

AFAIK you should also be able to store them on the TPM (trusted platform module) on your pc.

oulipo 11 hours ago

if you're referring to SSH keys, you can use something like 1Password which stores them encrypted and syncs them in the cloud, so you keep them even if you lose your laptop

stop50 11 hours ago

Smartcards + an printed backup in another location.