Key Management
Master advanced SSH key management—from deploying keys to servers to rotating keys across your infrastructure.
Deploy Keys to Servers
Automatic Deployment
One-click deploy:
Keychain → Right-click key → Deploy to Server
Select Target:
[production.example.com ▼]
User:
[deploy ]
Auth (one-time):
● Password
○ Existing SSH key
Password:
[••••••••••]
[✓] Test after deployment
[✓] Update host to use this key
[Deploy]
What happens:
- Connects with password/existing key
- Creates ~/.ssh (if needed)
- Appends public key to authorized_keys
- Sets permissions (700 on ~/.ssh, 600 on authorized_keys)
- Tests new key
- Updates host config
Manual Deployment
Copy-paste method:
1. Copy public key:
Keychain → Click key → Copy Public Key
2. SSH to server:
ssh user@server
3. Add key:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
[Paste public key]
4. Set permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
5. Test:
Exit and reconnect
Should authenticate with the key and show no server password prompt (the key's own passphrase is still asked for unless an agent holds it)
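The same steps as one re-runnable script, added here as an example. It is not Xermius code and not what the Automatic Deployment feature runs; it is run on the server as the login user. The key line is a constructed placeholder, and the optional second argument (a directory other than ~/.ssh) exists only so the script can be exercised against a temporary directory:

```shell
#!/bin/sh
# Added example (not Xermius code): steps 3 and 4 of the manual deployment as
# one idempotent script, run ON THE SERVER as the login user:
#   sh install_key.sh 'ssh-ed25519 AAAA... john@macbook-pro-2024'
# Re-running is safe: the key is appended only if its blob is not already in
# authorized_keys, and the modes sshd expects are (re)applied every time.
set -eu

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline, for the multi-line check

# Base64 blob of a "type blob [comment]" line as produced by Copy Public Key.
# Refuses anything else (a pasted private key, a multi-line paste), so junk
# never reaches authorized_keys.
key_blob() {
    case $1 in
        *"$NL"*) echo "refusing multi-line input" >&2; return 2 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*" "*|"sk-"*" "*) ;;
        *) echo "not a public-key line: ${1%% *}" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# install_authorized_key PUBKEY_LINE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh;
# passing one is only for testing against a temporary directory)
install_authorized_key() {
    pubkey=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    blob=$(key_blob "$pubkey") && [ -n "$blob" ] || return 2

    umask 077                        # new files/dirs start out private
    mkdir -p "$ssh_dir"              # step 3: mkdir -p ~/.ssh
    chmod 700 "$ssh_dir"             # step 4: StrictModes rejects group/world-writable dirs
    [ -e "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # "Key Already Exists": match on the blob, so the same key under another
    # comment (or with options such as from=) counts as present and is skipped.
    if grep -qF -- "$blob" "$auth_file"; then
        echo "already present in $auth_file, nothing added" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    echo "added to $auth_file" >&2
}

# How many authorized_keys lines carry a given blob (0 if none).
key_count() { grep -cF -- "$2" "$1/authorized_keys" || true; }

# Demonstration against a temporary directory with a constructed placeholder key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYD john@macbook-pro-2024'
demo=$(mktemp -d)
install_authorized_key "$DEMO_KEY" "$demo/.ssh"
install_authorized_key "${DEMO_KEY% *} john@renamed-comment" "$demo/.ssh"   # same blob: skipped
echo "entries with this blob: $(key_count "$demo/.ssh" "$(key_blob "$DEMO_KEY")")"
ls -ld "$demo/.ssh" "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

OpenSSH ships ssh-copy-id, which does the same thing from the client side over a password login; the script above is for the case where you are already on the server or want the checks to be explicit.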
Multi-Server Deployment
Deploy to Multiple Hosts
Batch deployment:
Select multiple hosts:
[✓] production-01
[✓] production-02
[✓] staging-01
Right-click → Deploy SSH Key
Select Key:
[Work - Production Key ▼]
Auth:
● Use saved passwords
○ Enter password for each
○ Use jump host
[Deploy to 3 hosts]
Progress:
Deploying to 3 hosts...
✓ production-01: Success
✓ production-02: Success
✗ staging-01: Failed (auth error)
2/3 successful
[View Report] [Retry Failed]
Key Rotation
Why Rotate Keys?
Security reasons:
Rotate keys when:
- Employee leaves
- Key potentially exposed
- Regular schedule (6-12 months)
- Device lost/stolen
- Security audit requirement
- Best practice maintenance
Rotation Workflow
Step 1: Generate New Key
Keychain → Generate New Key
Name: Work - Production 2024
Type: ED25519
Passphrase: Yes
[Generate]
Step 2: Deploy New Key
Deploy to all servers:
[✓] production-01
[✓] production-02
[✓] staging-01
...
Keep old key active
Both keys work now
Step 3: Update Hosts
For each host:
Edit Host → Authentication
Old key → New key
Save
Test connections
Step 4: Remove Old Key
After testing (1 week):
On servers:
nano ~/.ssh/authorized_keys
Remove old key line
Save
In Xermius:
Delete old key from keychain
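Step 4 on the server, as an added shell example (not Xermius code): it refuses to remove the old key unless the new one is already present in authorized_keys, matches entries by key blob rather than by whole line (so a different comment or a from= option does not hide the entry), and rewrites the file atomically with mode 600. The keys and the authorized_keys content are constructed placeholders:

```shell
#!/bin/sh
# Added example (not Xermius code): the server-side half of Step 4 done
# safely. Run ON THE SERVER as the login user:
#   sh rotate_key.sh ~/.ssh/authorized_keys "$NEW_PUBKEY" "$OLD_PUBKEY"
# The old key is removed only if the new key is already installed (Step 2),
# so a mistake here cannot lock you out; the file is rewritten atomically
# and keeps mode 600.
set -eu

# Base64 blob of a "type blob [comment]" public-key line as copied from the
# keychain. Lines in the file are matched on this blob, so an entry is found
# whatever comment or options (from=, command=, ...) it carries.
key_blob() {
    case $1 in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*" "*|"sk-"*" "*) ;;
        *) echo "not a public-key line: ${1%% *}" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# rotate_authorized_key AUTH_FILE NEW_KEY_LINE OLD_KEY_LINE
rotate_authorized_key() {
    auth_file=$1; new_key=$2; old_key=$3
    new_blob=$(key_blob "$new_key")
    old_blob=$(key_blob "$old_key")
    [ -n "$new_blob" ] && [ -n "$old_blob" ] || { echo "malformed key line" >&2; return 2; }
    [ "$new_blob" != "$old_blob" ] || { echo "old and new key are the same key" >&2; return 2; }

    if ! grep -qF -- "$new_blob" "$auth_file"; then
        echo "refusing: new key is not in $auth_file; deploy it first (Step 2)" >&2
        return 1
    fi
    if ! grep -qF -- "$old_blob" "$auth_file"; then
        echo "old key already absent from $auth_file" >&2
        return 0
    fi

    # Write the filtered copy next to the original, fix its mode, then rename
    # over the original so sshd never sees a partially written file.
    tmp=$(mktemp "$auth_file.XXXXXX")
    grep -vF -- "$old_blob" "$auth_file" > "$tmp" || [ $? -eq 1 ]   # grep status 1 = nothing left, not an error
    chmod 600 "$tmp"
    mv -f "$tmp" "$auth_file"
    echo "removed old key; $(grep -c '' "$auth_file") entries remain" >&2
}

# has_key AUTH_FILE KEY_LINE: is this key (by blob) in the file?
has_key() { grep -qF -- "$(key_blob "$2")" "$1"; }

# Demonstration with constructed placeholder keys in a temporary directory.
OLD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLD john@macbook-2022'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEW john@macbook-2024'
demo=$(mktemp -d)
f=$demo/authorized_keys
# old key carrying a from= restriction, a colleague's key, and the newly deployed key
printf '%s\n' \
    "from=\"10.0.0.0/8\" $OLD_KEY" \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYOTHERKEYOTHERKEYOTHERKEYOTHERKEYOTHERKEYO alice@laptop' \
    "$NEW_KEY" > "$f"
chmod 600 "$f"
rotate_authorized_key "$f" "$NEW_KEY" "$OLD_KEY"
cat "$f"
rm -rf "$demo"
```

Run it host by host after Step 3 has been verified, then delete the old key from the keychain; if it refuses because the new key is missing, that host was skipped in Step 2 and must be deployed to first.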
Rotation schedule:
Low security:
Every 12 months
Normal security:
Every 6 months
High security:
Every 3 months
Critical:
Every month or per-project
Key Organization
Naming Convention
Best practices:
Pattern: [Purpose] - [Device/User] - [Year]
Examples:
✓ "Work - MacBook - 2024"
✓ "Personal - john@example.com"
✓ "GitHub - Deploy Key"
✓ "Client XYZ - Production"
✓ "Automation - CI/CD"
Bad:
✗ "Key 1"
✗ "New key"
✗ "Untitled"
Categorization
By purpose:
Work Keys:
- Work - Production
- Work - Staging
- Work - Development
Personal Keys:
- Personal - Projects
- Personal - VPS
Service Keys:
- GitHub - Main
- GitLab - Repos
- AWS - EC2
Comments
Add context:
Key Comment Field:
[john@macbook-pro-2024]
Include:
- Email
- Device
- Year
- Department
Example:
john.doe@company.com MacBook 2024 DevOps
Advanced Deployment
Jump Host Deployment
Through bastion:
Deploy Key via Jump Host:
Jump Host:
[bastion.example.com ]
Jump User:
[admin ]
Jump Auth:
[Bastion Key ▼]
Target Hosts:
[✓] internal-01
[✓] internal-02
[Deploy]
Flow:
Your Computer
↓
Bastion/Jump Host
↓
Internal Server 1
Internal Server 2
Ansible Integration
Export for Ansible:
Keychain → Export for Ansible
Format: Ansible Vault
Vault Password:
[••••••••••]
Output:
ansible_ssh_private_key_file:
!vault |
$ANSIBLE_VAULT;1.1;AES256
66386439653965...
[Copy] [Save to File]
Note: Ansible's ansible_ssh_private_key_file takes a path on the control node, not key material. To use the vaulted value, write it to a mode 0600 file at run time (for example with the copy module's content: and mode: parameters) and point ansible_ssh_private_key_file at that path. Never commit the unvaulted key.
Terraform/IaC
Export for Terraform:
Export → Terraform Format
Generates:
resource "aws_key_pair" "deployer" {
  key_name   = "work-production-2024"
  public_key = "ssh-ed25519 AAAAC3..."
}
[Copy to Clipboard]
Only the public key is exported. The private key never belongs in Terraform code, variables, or state.
Key Lifecycle
Track Usage
Usage statistics:
Key: Work - Production
Created: Jan 1, 2024
Last Used: 2 hours ago
Total Uses: 1,247
Used By Hosts:
- production-01 (654 times)
- production-02 (412 times)
- staging-01 (181 times)
[View Details]
Audit Trail
Track key events:
Key History: Work - Production
Jan 17, 10:45 Used for connection
Jan 17, 09:30 Deployed to prod-03
Jan 15, 14:20 Exported (public only)
Jan 12, 11:00 Passphrase changed
Jan 1, 09:00 Key created
[Export Audit Log]
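Usage statistics in the keychain only count connections made from this client. The authoritative record of which key was accepted, for which account and from which address, is the server's sshd log. The added example below (not Xermius code) summarises standard OpenSSH "Accepted publickey" syslog lines per key, and flags accepted logins from outside an expected address prefix, which is the "key potentially exposed" signal that should trigger a rotation. The log lines and fingerprints are constructed:

```shell
#!/bin/sh
# Added example (not Xermius code): summarise key usage from the server's
# sshd log. Input is syslog-format OpenSSH output, e.g. /var/log/auth.log or
#   journalctl -u ssh --no-pager > sshd.log
# Only "Accepted publickey" lines count as key use; password logins and
# failed attempts are ignored by the match.
set -eu

# Constructed fingerprints (real ones are SHA256: plus 43 base64 characters).
FP_DEPLOY='SHA256:k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k1k'
FP_ALICE='SHA256:a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a'

# Per-key summary, one line per (user, fingerprint, source IP), most used first.
accepted_by_key() {
    awk '
        / sshd\[[0-9]+\]: Accepted publickey for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for"  && user == "") user = $(i + 1)
                if ($i == "from" && ip   == "") ip   = $(i + 1)
            }
            n[user " " $NF " " ip]++      # $NF is the fingerprint (SHA256:...)
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Total accepted logins with one fingerprint, any user, any source.
count_key_uses() {
    awk -v fp="$2" \
        '/ sshd\[[0-9]+\]: Accepted publickey for / && $NF == fp { c++ } END { print c + 0 }' "$1"
}

# Accepted logins with a fingerprint from a source address that does not
# start with PREFIX (a plain string prefix such as "10.0.0.", a deliberate
# simplification of real CIDR matching). A deploy key that should only be
# used from the office range turning up elsewhere is a "key potentially
# exposed" event and a reason to rotate.
uses_from_unexpected_source() {
    awk -v fp="$2" -v prefix="$3" '
        / sshd\[[0-9]+\]: Accepted publickey for / && $NF == fp {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (index(ip, prefix) != 1) print
        }' "$1"
}

# Constructed sample log in the format OpenSSH writes: a password login, a
# failed attempt, and four accepted key logins, one from an unexpected address.
write_sample_log() {
    cat > "$1" <<EOF
Jan 17 10:45:01 production-01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50214 ssh2: ED25519 $FP_DEPLOY
Jan 17 10:46:12 production-01 sshd[2230]: Failed publickey for deploy from 203.0.113.9 port 40112 ssh2: ED25519 SHA256:unknownunknownunknownunknownunknownunknow
Jan 17 10:47:00 production-01 sshd[2250]: Accepted password for backup from 10.0.0.7 port 50330 ssh2
Jan 17 11:02:33 production-01 sshd[2310]: Accepted publickey for deploy from 10.0.0.5 port 50388 ssh2: ED25519 $FP_DEPLOY
Jan 17 11:15:09 production-01 sshd[2402]: Accepted publickey for alice from 10.0.0.22 port 51001 ssh2: RSA $FP_ALICE
Jan 17 23:41:50 production-01 sshd[3105]: Accepted publickey for deploy from 198.51.100.77 port 44120 ssh2: ED25519 $FP_DEPLOY
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "accepted logins per key:"; accepted_by_key "$log"
echo "uses of deploy key: $(count_key_uses "$log" "$FP_DEPLOY")"
echo "deploy key used from outside 10.0.0.*:"; uses_from_unexpected_source "$log" "$FP_DEPLOY" 10.0.0.
rm -f "$log"
```

Compare the fingerprints that appear here with the Key Inventory report: a key that is deployed but has no accepted logins over the retention window is a candidate for the quarterly clean-up, and a key that appears for an account it was never deployed to is an incident.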
Expiration
Set expiration:
Key Expiration:
[ ] Enable expiration
Expires on:
[Jun 30, 2024 📅]
Action on expiry:
● Disable key
○ Delete key
○ Notify only
[✓] Notify 30 days before
[✓] Notify 7 days before
[Save]
Backup & Recovery
Export Keys
Backup all keys:
Keychain → Export All Keys
What to export:
[✓] All private keys
[✓] All public keys
[✓] Key metadata
Format:
● Encrypted archive
○ Individual files
Encryption:
Strong encryption enabled
Password required
Archive Password:
[••••••••••]
Confirm:
[••••••••••]
Location:
[Choose...] ~/Backups/ssh-keys-2024-01-17.enc
[Export]
Secure Storage
Backup locations:
Recommended:
✓ Encrypted external drive
✓ Password manager vault
✓ Offline storage
✓ Safe deposit box (important keys)
NOT recommended:
✗ Cloud storage (unencrypted)
✗ Email
✗ USB drive (unencrypted)
✗ Dropbox/Google Drive (unencrypted)
Import Backup
Restore keys:
Keychain → Import → From Backup
Backup File:
[Choose...] ssh-keys-backup.enc
Archive Password:
[••••••••••]
Select Keys to Import:
[✓] Work - Production
[✓] Personal - Projects
[ ] Old - Deprecated
[✓] Skip existing keys
[Import Selected]
Security Features
Key Encryption
At-rest encryption:
All keys encrypted:
Algorithm: AES-256-GCM
Key: Derived from master password
Salt: Unique per key
Even if the key database is stolen:
It cannot be decrypted without the master password. That protection is only as strong as the password is against offline guessing, so use a long, unique passphrase for it.
Access Control
Require authentication:
Key Access:
[✓] Require password to use keys
[✓] Require password to export
[✓] Require password to delete
Timeout:
Auto-lock after: [15] minutes
[Save]
Key Hardening
Additional security:
Advanced Security:
[✓] Encrypt private keys
[✓] Require passphrase for important keys
[✓] Enable key expiration
[✓] Log all key operations
[ ] Require 2FA for key export
[Save]
Compliance
Audit Logging
Enable logging:
Compliance → Audit Logging
Log Events:
[✓] Key generation
[✓] Key import/export
[✓] Key usage
[✓] Key deployment
[✓] Key deletion
Retention:
Keep logs for: [365] days
Export:
[Export Compliance Report]
Reports
Generate reports:
Reports → Key Inventory
Filter:
Created: Last 30 days
Type: All
Used: Any
Generate:
● CSV
○ PDF
○ JSON
Includes:
- Key names
- Types
- Creation dates
- Last used
- Deployed to (hosts)
- Expiration
[Generate Report]
Best Practices
1. One Key Per Purpose
Don't:
✗ Use same key for everything
Do:
✓ Work servers → Work key
✓ Personal projects → Personal key
✓ GitHub → GitHub key
✓ Client A → Client A key
2. Regular Rotation
Schedule:
□ Personal: Every 12 months
□ Work: Every 6 months
□ Critical: Every 3 months
Set reminders!
Automate if possible
3. Backup Regularly
Weekly: Export keychain
Monthly: Verify backups
Yearly: Test restore
Store securely:
- Encrypted backup
- Offline location
- Multiple copies
4. Document Keys
For each key, document:
- Purpose
- Servers using it
- Owner/contact
- Expiration
- Rotation schedule
Use Comments field!
5. Clean Up
Quarterly review:
□ Delete unused keys
□ Remove from unused servers
□ Update documentation
□ Archive old keys
Keep keychain lean!
Troubleshooting
Key Won't Deploy
Check:
1. Server reachable on the SSH port?
ping is often blocked by firewalls; test the port instead: nc -zv server 22, or ssh -v user@server
2. Password correct?
Test manual SSH
3. Server allows key auth?
sshd_config needs PubkeyAuthentication yes and an AuthorizedKeysFile that includes .ssh/authorized_keys; check with sudo sshd -T | grep -i -e pubkeyauthentication -e authorizedkeysfile
4. ~/.ssh writable?
Check disk space, permissions, and read-only or network-mounted home directories
5. SELinux/AppArmor?
May block the write, or leave a manually created ~/.ssh with the wrong SELinux context; run restorecon -R -v ~/.ssh on SELinux hosts
Permission Denied After Deploy
Fix:
On server:
chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R user:user ~/.ssh
Verify owner matches SSH user
With StrictModes (the default) sshd refuses the key when ~, ~/.ssh or authorized_keys is group/world writable or owned by another user; the server log (journalctl -u ssh, or sshd on RHEL-type systems, or /var/log/auth.log) then shows "Authentication refused: bad ownership or modes".
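A check for exactly these conditions, added as an example (not Xermius code), to run on the server before or after a deployment. It reads only ls -ld output, so it needs nothing beyond POSIX tools; the directory it inspects in the demonstration is a throwaway created with mktemp:

```shell
#!/bin/sh
# Added example (not Xermius code): check what sshd's StrictModes (on by
# default) verifies before it will read authorized_keys, plus the 600 mode
# this page's fix sets. Run ON THE SERVER:
#   sh check_perms.sh /home/deploy deploy
# One line per problem, exit status = number of problems, so it can gate a
# deployment script. Only `ls -ld` output is used (POSIX, no GNU stat).
set -eu

mode_of()  { ls -ld "$1" | cut -c1-10; }         # e.g. drwx------
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# check_ssh_perms HOME_DIR EXPECTED_OWNER
check_ssh_perms() {
    home=$1; want=$2; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; problems=$((problems + 1)); continue
        fi
        m=$(mode_of "$p"); o=$(owner_of "$p")
        # sshd accepts ownership by the login user or root; anything else is refused
        [ "$o" = "$want" ] || [ "$o" = root ] ||
            { echo "OWNER    $p owned by $o, expected $want"; problems=$((problems + 1)); }
        # char 6 = group write, char 9 = other write: either makes sshd refuse the key
        case $m in
            ?????w*|????????w*) echo "WRITABLE $p is $m"; problems=$((problems + 1)) ;;
        esac
    done
    # sshd does not reject a readable authorized_keys, but 600 is what the fix
    # above sets and it keeps from=/command= restrictions private.
    if [ -e "$home/.ssh/authorized_keys" ]; then
        case $(mode_of "$home/.ssh/authorized_keys") in
            ????------) ;;
            *) echo "MODE     authorized_keys is $(mode_of "$home/.ssh/authorized_keys"), want -rw-------"
               problems=$((problems + 1)) ;;
        esac
    fi
    return $problems
}

# Demonstration on a throwaway directory that mimics a broken home.
demo=$(mktemp -d)
mkdir "$demo/.ssh"; : > "$demo/.ssh/authorized_keys"
chmod 775 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"     # two common mistakes
check_ssh_perms "$demo" "$(id -un)" || echo "$? problem(s) found"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"     # the fix from this page
check_ssh_perms "$demo" "$(id -un)" && echo "permissions OK"
rm -rf "$demo"
```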
Key Already Exists
Resolution:
Key Already on Server?
Options:
○ Skip (keep existing)
● Append (add both)
○ Replace (overwrite)
[Proceed]
Append is only useful when the existing entry differs, for example a different comment or options such as from= or command=; if the same key line is already there, choose Skip so authorized_keys does not accumulate duplicates.
Next Steps
- 🔑 SSH Keys - Generate keys
- 🔐 Authentication Methods - All auth options
- 🛡️ Security - Security settings
- 📘 Hosts - Configure hosts