# SSH Key Management for Home Labs

## Overview

This document outlines best practices for managing SSH keys in home lab environments, focusing on security, reliability, and maintainability.

## Core Principles

### Dual-Key Strategy
- **Primary keys**: Daily use authentication
- **Emergency keys**: Backup access when primary keys fail
- **Separate key pairs**: Home network vs cloud servers
- **Multiple authorized keys**: Each server accepts both primary and emergency

### Key Lifecycle Management
- **Generation**: 4096-bit RSA keys with descriptive comments
- **Distribution**: Automated deployment with `ssh-copy-id`
- **Backup**: Centralized storage on NAS with recovery documentation
- **Rotation**: Annual for primary keys, bi-annual for emergency keys
- **Monitoring**: Monthly health checks and access verification

## Architecture Patterns

### Network Segmentation
```
Home Network (10.10.0.0/24)
├── Primary: ~/.ssh/homelab_rsa
├── Emergency: ~/.ssh/emergency_homelab_rsa
└── Wildcard config for easy access

Cloud Servers (Public IPs)
├── Primary: ~/.ssh/cloud_servers_rsa
├── Emergency: ~/.ssh/emergency_cloud_rsa
└── Individual host configurations
```

### Backup Strategy
```
NAS Storage: /mnt/NV2/ssh-keys/
├── backup-YYYYMMDD-HHMMSS/
│   ├── All key pairs (*.rsa, *.rsa.pub)
│   ├── SSH config
│   └── RECOVERY_INSTRUCTIONS.md
└── maintenance-YYYYMMDD-HHMMSS/
    ├── Current state backup
    ├── Key health report
    └── MAINTENANCE_REPORT.md
```

## Security Considerations

### Authentication Methods
- **Eliminate password authentication** after key deployment
- **Use key-based authentication** exclusively
- **Deploy multiple keys** per server for redundancy
- **Maintain console access** as ultimate fallback

### Access Control
- **User-specific keys** (avoid root when possible)
- **Service-specific aliases** for organized access
- **Strict host key checking** for unknown servers
- **Accept-new policy** for trusted home network

### Key Protection
- **Proper file permissions** (600 for private keys)
- **No passphrase** for automation (home lab context)
- **Regular backup verification**
- **Secure storage location** on NAS

## Maintenance Practices

### Automated Monitoring
- **Monthly maintenance script** via cron
- **Key health verification**
- **Connection testing**
- **Backup rotation** (keep 10 most recent)
- **Age-based rotation alerts**

### Recovery Procedures
- **Emergency key deployment** for immediate access
- **NAS backup restoration** for complete recovery
- **Console access documentation** for worst-case scenarios
- **Provider web console** access for cloud servers

## Implementation Guidelines

1. **Start with key generation** using standardized naming
2. **Deploy primary keys first** and test thoroughly
3. **Add emergency keys** to all servers
4. **Configure SSH client** with aliases and settings
5. **Implement backup strategy** with NAS storage
6. **Schedule maintenance automation**
7. **Document recovery procedures**
8. **Test emergency access regularly**

## Related Documentation

- Implementation: `examples/networking/ssh-homelab-setup.md`
- Troubleshooting: `reference/networking/ssh-troubleshooting.md`
- Security patterns: `patterns/networking/security.md`