4b7eca8a46
All checks were successful
Reindex Knowledge Base / reindex (push) Successful in 3s
Adds title, description, type, domain, and tags frontmatter to every doc for improved KB semantic search. The description field is prepended to every search chunk, and domain/type/tags enable filtered queries. Type values: context, guide, runbook, reference, troubleshooting Domain values match directory structure (networking, docker, etc.) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.6 KiB
3.6 KiB
| title | description | type | domain | tags | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| SSH Key Management Patterns | Best practices for SSH key management in homelab environments including dual-key strategy, lifecycle management, network segmentation, backup, and recovery procedures. | guide | networking |
|
SSH Key Management for Home Labs
Overview
This document outlines best practices for managing SSH keys in home lab environments, focusing on security, reliability, and maintainability.
Core Principles
Dual-Key Strategy
- Primary keys: Daily use authentication
- Emergency keys: Backup access when primary keys fail
- Separate key pairs: Home network vs cloud servers
- Multiple authorized keys: Each server accepts both primary and emergency
Key Lifecycle Management
- Generation: 4096-bit RSA keys with descriptive comments
- Distribution: Automated deployment with
ssh-copy-id - Backup: Centralized storage on NAS with recovery documentation
- Rotation: Annual for primary keys, bi-annual for emergency keys
- Monitoring: Monthly health checks and access verification
Architecture Patterns
Network Segmentation
Home Network (10.10.0.0/24)
├── Primary: ~/.ssh/homelab_rsa
├── Emergency: ~/.ssh/emergency_homelab_rsa
└── Wildcard config for easy access
Cloud Servers (Public IPs)
├── Primary: ~/.ssh/cloud_servers_rsa
├── Emergency: ~/.ssh/emergency_cloud_rsa
└── Individual host configurations
Backup Strategy
NAS Storage: /mnt/NV2/ssh-keys/
├── backup-YYYYMMDD-HHMMSS/
│ ├── All key pairs (*.rsa, *.rsa.pub)
│ ├── SSH config
│ └── RECOVERY_INSTRUCTIONS.md
└── maintenance-YYYYMMDD-HHMMSS/
├── Current state backup
├── Key health report
└── MAINTENANCE_REPORT.md
Security Considerations
Authentication Methods
- Eliminate password authentication after key deployment
- Use key-based authentication exclusively
- Deploy multiple keys per server for redundancy
- Maintain console access as ultimate fallback
Access Control
- User-specific keys (avoid root when possible)
- Service-specific aliases for organized access
- Strict host key checking for unknown servers
- Accept-new policy for trusted home network
Key Protection
- Proper file permissions (600 for private keys)
- No passphrase for automation (home lab context)
- Regular backup verification
- Secure storage location on NAS
Maintenance Practices
Automated Monitoring
- Monthly maintenance script via cron
- Key health verification
- Connection testing
- Backup rotation (keep 10 most recent)
- Age-based rotation alerts
Recovery Procedures
- Emergency key deployment for immediate access
- NAS backup restoration for complete recovery
- Console access documentation for worst-case scenarios
- Provider web console access for cloud servers
Implementation Guidelines
- Start with key generation using standardized naming
- Deploy primary keys first and test thoroughly
- Add emergency keys to all servers
- Configure SSH client with aliases and settings
- Implement backup strategy with NAS storage
- Schedule maintenance automation
- Document recovery procedures
- Test emergency access regularly
Related Documentation
- Implementation:
examples/networking/ssh-homelab-setup.md - Troubleshooting:
reference/networking/ssh-troubleshooting.md - Security patterns:
patterns/networking/security.md