
> Personally, I use quite a few public/private keypairs for the various servers and services that I use, to ensure that in the event of having one of my keys compromised the damage is as restricted as possible.

If you keep all those private keys on the same machine and tend to load them all into ssh-agent frequently, then there's little point in that. People forget that keypairs are not like passwords -- if Github gets compromised, nobody can do anything with the public key you gave them.

Unless you treat the keys very differently (like having a special key that you rarely ever decrypt), there's no reason to have more than one per device.



My first thing with SSH is to generate unique keys per machine which never leave that machine (except in backups encrypted with a backup key unique to that machine). If my mba13 gets jacked, I'll be able to revoke all mba13 ssh keys without locking out mbp17 or imac27 or iphone5 or ipad3 keys. This is related to the "private keys on same machine" thing you mention.

However, the other reason for segmenting keys is to do agent forwarding.

I might have a CLIENTA key and then allow ssh auth forwarding from a bastion host at CLIENTA to other CLIENTA machines. I also have a CLIENTB key and allow ssh auth forwarding from a bastion host at CLIENTB to other CLIENTB machines. (or, prod/dev at the same company, or personal/work, or whatever).

I don't want anything CLIENTA does on a subverted bastion host or other host to be able to affect CLIENTB in any way.

I also keep some keys totally offline (to manage logging servers, which are normally read-only); ideally with some better way to do 2 party control as well.


> People forget that keypairs are not like passwords – if Github gets compromised, nobody can do anything with the public key you gave them.

Oh, I'm well aware of the difference between a public/private asymmetric encryption scheme and a symmetric one.

My concerns are more along the lines of my laptop/desktop being stolen, or my home being robbed and my backup disks/USB keys being taken, or even my computer being seized at the US border. There are ways to mitigate those concerns (e.g. full-disk encryption), but I'm very much a proponent of defence-in-depth whenever possible.

I should probably clarify that in the post itself, so that readers aren't misled as to the reasoning behind password-protecting your private keys.


I don't think I understand you here. Are you not keeping these different keys on the same machine?


At the time when I wrote this, I had three separate machines that I used regularly: personal laptop, work laptop, work desktop.


The arguments you've presented so far in favor of multiple keypairs on one computer (different keypairs for different remote services) make no sense.

Typical ssh usage is one keypair per account per machine (or one keypair per type, e.g. I have an rsa keypair and ecdsa keypair). It doesn't matter if you use the same keypair for github and ec2 instances [1]. The only way for the key to be compromised is if your local machine is compromised. If the local machine is compromised, you can't trust any keys stored on it unless you know when it was compromised and you know you haven't entered the passphrase for some of the private keys since the compromise. More than likely, you won't know that, so you will have to treat all keys on the compromised machine as compromised. You'll have to regenerate and redistribute N keys instead of 1.

In your parent post, you identified physical theft as your main concern. Assuming you have a good passphrase, physical theft is a non-issue. Border crossing seizures and court proceedings are different; in some cases they can demand that you enter your passphrase(s), but multiple keypairs will not help you there.

[1] caveat: of course if you use unprompted authentication forwarding, this becomes an issue... a compromise at github for instance could allow the github hacker to ssh into your EC2 instances using forwarded credentials, but that's a time-limited attack and only works while you're connected to github. Private keys never leave the machine(s) they're hosted on.
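
The per-client key segmentation with agent forwarding confined to each client's bastion (the CLIENTA/CLIENTB comment above) and the "unprompted authentication forwarding" caveat in [1] can both be expressed in a plain ssh_config. The script below is an added example, not code from any of the commenters: it writes such a config, loads a key so that every use of it (including uses over a forwarded agent) requires local confirmation, and includes a small resolver that mimics ssh's "first obtained value wins" rule so the config can be checked without contacting any host. The hostnames (`bastion.clienta.example`, `*.clientb.example`), key file names and paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one SSH key per client on this device,
# agent forwarding allowed only to that client's bastion, nothing offered by default.
# Hostnames, key names and paths below are assumptions for illustration.
set -eu

# Generate one ed25519 keypair per client on this device. The private half
# never leaves the device; the comment records which device/client it is for.
# Usage: gen_client_keys ~/.ssh "passphrase"
gen_client_keys() {
  dir="$1"; passphrase="$2"
  mkdir -p "$dir"; chmod 700 "$dir"
  for client in clienta clientb; do
    if [ ! -f "$dir/id_ed25519_$client" ]; then
      ssh-keygen -q -t ed25519 -a 100 -C "$(hostname)-$client" \
        -f "$dir/id_ed25519_$client" -N "$passphrase"
    fi
  done
}

# Load a key into ssh-agent so that every signature request, local or via a
# forwarded agent, pops a confirmation dialog (-c), and expires it after an hour (-t).
# This is the mitigation for the "unprompted forwarding" caveat in [1].
load_key_confirming() {
  ssh-add -c -t 1h "$1"
}

# Write the config. ssh uses the FIRST value obtained for each option, so the
# specific bastion blocks (ForwardAgent yes) must come before the catch-all
# "Host *" block that turns forwarding off; putting "Host *" first would silently
# disable forwarding everywhere.
write_ssh_config() {
  out="$1"
  cat > "$out" <<'EOF'
# CLIENTA: only the bastion may use the forwarded agent, and only the CLIENTA key is offered.
Host bastion.clienta.example
    IdentityFile ~/.ssh/id_ed25519_clienta
    ForwardAgent yes

Host *.clienta.example
    IdentityFile ~/.ssh/id_ed25519_clienta

# CLIENTB: a separate key and a separate bastion; nothing reachable from CLIENTA hosts.
Host bastion.clientb.example
    IdentityFile ~/.ssh/id_ed25519_clientb
    ForwardAgent yes

Host *.clientb.example
    IdentityFile ~/.ssh/id_ed25519_clientb

# Defaults, last so they never override the blocks above:
# offer only the configured identity (not every key in the agent) and forward nothing.
Host *
    IdentitiesOnly yes
    ForwardAgent no
    AddKeysToAgent no
EOF
  chmod 600 "$out"
}

# Resolve an option for a host the way ssh(1) does: walk the Host blocks in order and
# return the first value found. Runs in a subshell with globbing off so "Host *" and
# "Host *.clienta.example" are matched as patterns, not expanded against the filesystem.
# Usage: config_value CONFIG HOST OPTION
config_value() (
  set -f
  file="$1"; host="$2"; opt="$3"; in_block=0
  while read -r key val; do
    case "$key" in
      ""|"#"*) continue ;;
      Host)
        in_block=0
        for pat in $val; do
          case "$host" in $pat) in_block=1 ;; esac
        done ;;
      *)
        if [ "$in_block" -eq 1 ] && [ "$key" = "$opt" ]; then
          printf '%s\n' "$val"; return 0
        fi ;;
    esac
  done < "$file"
  return 1
)
```

Running `write_ssh_config ~/.ssh/config` and then checking `config_value ~/.ssh/config web1.clienta.example ForwardAgent` should print `no` while the same query for `bastion.clienta.example` prints `yes`; `ssh -G host` gives the authoritative answer from the real client. `IdentitiesOnly yes` matters even without forwarding: without it, ssh offers every key loaded in the agent to every server, so a hostile server learns which keys you hold and the "CLIENTA key never touches CLIENTB" property is lost.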


You make some good points that are making me rethink my key-per-service approach. Though, other than the need to replace N keys when my machine(s) is compromised, there's not that much key management overhead.


But three keypairs (one for each machine) is still not "quite a few"... And if you had more than one per machine, can you clarify why?


> even my computer being seized at the US border

If your computer is seized at the US border, the security of your SSH keys is the last thing you need to be worrying about: http://xkcd.com/538/



