Passwordless SSH servers - what backup plan?

August 3, 2018 255 views
Backups Security Ubuntu 16.04 Ubuntu 18.04

So in general I have been creating droplets without passwords and adding my macbook ssh key as the only way yo access them. All has been going fine so far but I just have a few questions:

  1. If my macbook were to set on fire, my ssh key is gone. I then can't access the servers. I can't use the DO consoles either since I have no password in order to add a new SSH key. Is it normal to backup my ssh key pair files to an external drive/host and then would I simply buy a new macbook and stick those in the .ssh directory and continue on as normal?

  2. If the above is not the way to go, how could I regain access to my servers again to add my new mac ssh key?

  3. I still have my old mac, but bought a new one the other day (hence why this has came to mind). I have been sending my public key to my old mac and then using my old mac to access each server one by one and adding my new ssh key. Is this the best method? Or should I have just copied my old ssh key pair to the new mac and let both computers share?

1 Answer

Hello friend!

I think you will find that preference is really the key to this part for most people. I always tell people that security and convenience, as well as recovery effort in relation to that, should always be relative to the value of what is behind it. I'll give a mildly humorous example just to highlight extremes on either side of it:

Too little security is Facebook messaging your private key to your best friend for backup, for a server that houses personal information about 100,000 of your customers. Too much security is hiring a team of guards to protect a flash drive with your private key on it, for a server that houses a blog you haven't gotten around to writing on yet.

That's going to the extreme on either side to highlight that the best practice really is somewhat relative. If you reversed the two, it almost wouldn't seem crazy anymore. You have to decide for the value of your situation what is going to be the proper amount of security and convenience for your needs. Maybe that's storing a flash drive in a lock box somewhere, maybe just that external drive. Maybe it's having a key for every machine or sharing one between your machines (though bonus of multiple is that you can kill one key if a machine is stolen).

I know that wasn't terribly informative but I think you already have a great mind for this and you are already thinking on the right path. I believe that you will make the best decisions for your situation on this :)

Kind Regards,
Jarland

  • Ok, lets assume I have access to all my droplets using my single id_rsa key on my laptop and there is no other way of accessing them. If I were to copy the pub and private key pair to an external hdd and kept it in a safe off site, then my laptop explodes....can I buy a new laptop, stick those 2 key files on it and then continue accessing my droplets as normal?

    That's the main question really as it would seem that at present if my laptop drive failed my droplets would be inaccessible completely. i.e. I couldn't access them even to put a new ssh key on them, which is worrying.

    • Good morning! Or afternoon, evening, something along those lines :)

      What you describe would work just like that. Copy your private key to connect, copy your public key to keep it handy for adding to new servers, you can drag those around to any machine.

      Kind Regards,
      Jarland

Have another answer? Share your knowledge.