Private Key Management: One vs Many

TL;DR

Using a single private key for multiple domains is risky. It’s better to use separate keys for each domain or service, even if it’s more work. This limits the damage if one key gets compromised.

Understanding the Risks

Your private key is like your master password. If someone steals it, they can pretend to be you everywhere you use that key. This applies to SSH keys, TLS/SSL certificates, code signing keys, and more.

Why One Key Is a Bad Idea

• Compromise = Total Loss: If your single private key is compromised, an attacker gains access to *all* the services and domains associated with it.
• Revocation Headache: Revoking a single key affects everything. You’ll need to update certificates, reconfigure servers, and potentially rebuild trust across many systems.
• Auditing Difficulties: It’s harder to track who accessed what when all activity is tied to one key.

Why Multiple Keys Are Better

Using separate private keys for each domain or service significantly improves your cyber security posture.

• Limited Blast Radius: If a key is compromised, only the associated service/domain is affected.
• Easier Revocation: You can revoke a specific key without impacting other services.
• Improved Auditing: Each key’s usage can be tracked independently.

Step-by-Step Guide to Multiple Key Management

1. Generate Keys Per Domain/Service: Use a secure method like OpenSSH or a Hardware Security Module (HSM).

   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_example.com

   This creates a new key specifically for example.com. Repeat for each domain/service.

2. Store Keys Securely: Never store private keys in plain text. Use SSH agents, password managers with secure storage, or HSMs.
   For example, using ssh-agent:

   ssh-add ~/.ssh/id_rsa_example.com

3. Configure Services: Update your server configurations to use the correct private key for each domain/service. This usually involves modifying configuration files (e.g., Apache, Nginx, SSH daemon).
4. Automate Key Rotation: Regularly rotate keys (e.g., every 90-180 days) to minimize the impact of a potential compromise. Tools like Let’s Encrypt can automate certificate renewal and key rotation for TLS/SSL certificates.
5. Monitor Key Usage: Implement logging and monitoring to detect any unauthorized use of your private keys.

Specific Scenarios

• SSH Access: Use a unique SSH key pair for each server you access.
• TLS/SSL Certificates: Obtain separate certificates (and associated private keys) for each domain or subdomain.
• Code Signing: Use different code signing keys for different projects or repositories.

Tools to Help

• OpenSSH: For generating and managing SSH keys.
• Let’s Encrypt: For free TLS/SSL certificates with automated renewal.
• Hardware Security Modules (HSMs): For highly secure key storage.