
Now that OpenSSH supports elliptic curve security keys (since version 8.2), it's possible to generate an ed25519-sk key on a hardware security key:

$ ssh-keygen -t ed25519-sk -C comment

This generates a public and a private key part. How sensitive is the private part that goes into the file ~/.ssh/id_ed25519_sk?

As it seems to be required to use the security key on another machine, I assume it's necessary to distribute it to all client machines that will use the key, or to store it on some removable medium. Does it pose a security risk, or is the private file simply useless without the hardware key?

And a somewhat related question: does this process overwrite the key stored on the hardware, that is, is it possible to have only one such SSH key for each hardware key?

1 Answer

From the "FIDO/U2F Support" section in the OpenSSH 8.2 Release Notes:

The private key file should be useless to an attacker who does not have access to the physical token.
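To see concretely why the file is useless without the token, it helps to look at what an unencrypted id_ed25519_sk actually stores. The following is an added example, not part of the question or the answer above and not OpenSSH's own code: it builds a constructed file in OpenSSH's "openssh-key-v1" container format from made-up bytes (the layout follows OpenSSH's PROTOCOL.key and PROTOCOL.u2f documents), then parses it back and lists every field. Everything stored for the key is the public key, the application string ("ssh:" by default), a flags byte and the token's key handle; there is no Ed25519 private scalar in the file at all. The key handle is an opaque credential ID that only the token that issued it can turn back into a signing key, which is what the release notes mean by "useless to an attacker who does not have access to the physical token". All byte values below are constructed; a real file has random checkint values and a comment taken from the -C option.

```python
"""Inspect the fields stored in an unencrypted ~/.ssh/id_ed25519_sk file.

Constructed example: serialises a sk-ssh-ed25519@openssh.com key into the
"openssh-key-v1" container (layout per OpenSSH PROTOCOL.key / PROTOCOL.u2f)
from made-up bytes, then parses it back. Nothing here talks to a token.
"""
import base64
import os
import struct

KEY_TYPE = b"sk-ssh-ed25519@openssh.com"
AUTH_MAGIC = b"openssh-key-v1\x00"
SK_USER_PRESENCE_REQD = 0x01  # flags bit: token must be touched to sign


def _s(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix followed by payload."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Minimal cursor over SSH wire-format data."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4
        return v

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def build_sk_private_key_file(pubkey: bytes, application: bytes, flags: int,
                              key_handle: bytes, comment: bytes) -> str:
    """Serialise an unencrypted id_ed25519_sk (constructed, not token-generated)."""
    public_blob = _s(KEY_TYPE) + _s(pubkey) + _s(application)
    checkint = struct.pack(">I", 0x12345678)  # constructed; random in real files
    private = (checkint + checkint
               + _s(KEY_TYPE) + _s(pubkey) + _s(application)
               + bytes([flags]) + _s(key_handle) + _s(b"")  # reserved (empty)
               + _s(comment))
    pad = 1
    while len(private) % 8:  # cipher "none" pads to an 8-byte block with 1,2,3,...
        private += bytes([pad])
        pad += 1
    body = (AUTH_MAGIC + _s(b"none") + _s(b"none") + _s(b"")  # cipher, kdf, kdfoptions
            + struct.pack(">I", 1) + _s(public_blob) + _s(private))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def parse_sk_private_key_file(text: str) -> dict:
    """Decode the container and return every field stored for the sk key."""
    b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    r = _Reader(base64.b64decode(b64))
    if not r.data.startswith(AUTH_MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    r.pos = len(AUTH_MAGIC)
    cipher, _kdf, _kdfopts = r.string(), r.string(), r.string()
    if cipher != b"none":
        raise ValueError("passphrase-protected file; decrypt before parsing")
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    r.string()  # public key blob; the same data is repeated in the private section
    priv = _Reader(r.string())
    if priv.u32() != priv.u32():
        raise ValueError("checkint mismatch (corrupt or wrong passphrase)")
    ktype = priv.string()
    if ktype != KEY_TYPE:
        raise ValueError("not a sk-ssh-ed25519 key: %r" % ktype)
    return {  # field order is fixed by PROTOCOL.u2f
        "type": ktype.decode(),
        "pubkey": priv.string(),
        "application": priv.string().decode(),
        "flags": priv.u8(),
        "key_handle": priv.string(),
        "reserved": priv.string(),
        "comment": priv.string().decode(),
    }


if __name__ == "__main__":
    # Constructed inputs: a random 32-byte public key and a 64-byte key handle.
    text = build_sk_private_key_file(os.urandom(32), b"ssh:", SK_USER_PRESENCE_REQD,
                                     os.urandom(64), b"comment")
    for name, value in parse_sk_private_key_file(text).items():
        print("%-12s %s" % (name, value.hex() if isinstance(value, bytes) else value))
```

Running the script prints the parsed fields; the only secret-looking blob is key_handle, and that is the token's credential ID, not a private key. What the file does reveal is metadata (the public key, the application string and the comment), so it still identifies which token and which account it belongs to, and the same parser raises on a passphrase-protected file because the private section is then encrypted rather than plaintext.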
