Ask HN: How do you store private keys?

It seems there is no standard proper way to store private keys.

I have been using AGE [0]

And I really don't like the idea of having the keys stored in the home directory in plain text.

There is also a risk of losing the keys if my laptop is damaged or gets stolen.

Is there a proper tool for storing encryption keys?

5 points | by max_ 14 hours ago

9 comments

  • mos_6502 14 hours ago
    > It seems there is no standard proper way to store private keys.

    The gold standard for this would be a Hardware Security Module (HSM), which is essentially a device that stores private keys with certain guarantees of physical security (e.g, that private key material cannot be extracted from the device once it has been generated or placed there, and the device performs operations using the key material on behalf of some client).

    HSMs in various forms underpin all sorts of cryptosystems that society depends on, because securing private key material at rest is essential. You'll find them everywhere from your debit/credit card, to certificate authorities, financial institutions, defense, and your smartphone.

    For your use case, I'd recommend taking a look at Yubikeys. I did a writeup a while back on how to use them to store different types of private keys for various purposes:

    https://blog.ctis.me/2022/12/yubikey-piv-gpg/

  • throwup238 13 hours ago
    1Password with their SSH agent [1] for SSH keys, their CLI [2] for local secrets, and their terraform provider with service tokens for infrastructure keys/secrets. Yubikey for the secrets I’m most paranoid about.

    You can essentially encrypt all environment variables, not just SSH keys, by aliasing your terminal commands to the 1password CLI. I have a “secrets” repo where all dotenv files are checked in with values like “op://vault-name/secret-name/key-name” that get injected by the op cli.

    [1] https://developer.1password.com/docs/ssh/agent/

    [2] https://developer.1password.com/docs/cli/get-started/

  • atmosx 10 hours ago
    Paper. There’s a project called paperkey that allows you to store GPG keys on A4 paper. You could apply a similar approach to your age encrypted private keys or store them in plain text.

    Modern smartphones have excellent OCR (optical character recognition) capabilities, so converting images of printed text back into digital form is now quite easy and reliable.

    Personally, I use 1Password, and even they recommend printing out a PDF copy of your passwords and storing it in a secure location - like a physical vault. It’s a practical backup in case something happens and someone needs access to your credentials.

  • dale_huevo 14 hours ago
    > And I really don't liek the idea of having the keys stored in the home directory in plain text.

    so encrypt them.

    or store them in a hardware token.

    or on a USB stick (poor man's hardware token).

    > There is also a risk of losing the keys if my laptop is damaged or gets stolen.

    backups, full disk encryption.

    [-]
    • max_ 14 hours ago
      Hi,

      Thanks for this reply. Could you recommend any good "hardware tokens"?

      [-]
  • toomuchtodo 12 hours ago
    https://openbao.org/
  • bonki 6 hours ago
    keepass
  • znpy 13 hours ago
    AFAIK you should also be able to store them on the TPM (trusted platform module) on your pc.
  • oulipo 14 hours ago
    if you're referring to SSH keys, you can use something like 1Password which stores them encrypted and syncs them in the cloud, so you keep them even if you lose your laptop
  • stop50 14 hours ago
    Smartcards + an printed backup in another location.