Encrypt your SSH keys
Recently, a popular Python package was compromised and malicious code was injected[1]. One of the things the injected code did was upload $HOME/.ssh/*
to a remote server. This isn't great, but if your private keys are encrypted with a passphrase the situation is much better: the attacker holds ciphertext, not a usable key.
To encrypt your SSH key, use:
ssh-keygen -p -f ~/.ssh/id_rsa
If the encrypted private key is stolen, an attacker needs to brute-force (guess) your password to use it.
To be more resistant to brute-force attacks, specify -a <number> to set the number of KDF rounds used. The default is 16.
ssh-keygen -p -a 500 -f ~/.ssh/id_rsa
A higher number results in increased resistance to brute-force attacks, but also slower password verification. Use an SSH agent and you only need to enter the password once per boot, so the increased password verification time won't bother you.