I have been using AGE [0]
And I really don't like the idea of having the keys stored in the home directory in plain text.
There is also a risk of losing the keys if my laptop is damaged or gets stolen.
Is there a proper tool for storing encryption keys?
You can essentially encrypt all environment variables, not just SSH keys, by aliasing your terminal commands to the 1password CLI. I have a “secrets” repo where all dotenv files are checked in with values like “op://vault-name/secret-name/key-name” that get injected by the op cli.
[1] https://developer.1password.com/docs/ssh/agent/
[2] https://developer.1password.com/docs/cli/get-started/
The gold standard for this would be a Hardware Security Module (HSM), which is essentially a device that stores private keys with certain guarantees of physical security (e.g, that private key material cannot be extracted from the device once it has been generated or placed there, and the device performs operations using the key material on behalf of some client).
HSMs in various forms underpin all sorts of cryptosystems that society depends on, because securing private key material at rest is essential. You'll find them everywhere from your debit/credit card, to certificate authorities, financial institutions, defense, and your smartphone.
For your use case, I'd recommend taking a look at Yubikeys. I did a writeup a while back on how to use them to store different types of private keys for various purposes:
https://blog.ctis.me/2022/12/yubikey-piv-gpg/
so encrypt them.
or store them in a hardware token.
or on a USB stick (poor man's hardware token).
> There is also a risk of losing the keys if my laptop is damaged or gets stolen.
backups, full disk encryption.
Thanks for this reply. Could you recommend any good "hardware tokens"?
Modern smartphones have excellent OCR (optical character recognition) capabilities, so converting images of printed text back into digital form is now quite easy and reliable.
Personally, I use 1Password, and even they recommend printing out a PDF copy of your passwords and storing it in a secure location - like a physical vault. It’s a practical backup in case something happens and someone needs access to your credentials.
Your soon-to-be ex-wife will try to get her hands to all these passwords because: 1) she 'will prove' by reading all your emails that you <verb of doing something wrong>, 2) she 'will prove' that you hide money/assets/etc. (because why do you have an account on Bank/Broker XYZ and never told her?), 3) why did you buy flowers from "BuyYourWomanFlowers.com" 4) use your imagination for worse.. anything that can be used against you, will be used against you.
https://blog.imcotton.xyz/my-ssh-folder-has-no-private-keys