← back home

Securing Your Secrets: Expert Strategies for Private Key Storage

May 24, 2025
Private Keys Security Encryption Ssh Hsm Yubikey 1password Backup Secrets Management Age Gpg Tpm Cybersecurity
View original discussion on Hacker News

The question of how to securely store private keys is a perennial concern for developers and security-conscious individuals, as highlighted in a recent Ask HN discussion. The original poster, using AGE for encryption, expressed discomfort with plaintext keys in the home directory and the risk of loss due to hardware damage or theft, seeking a "proper tool."

The community responded with a wealth of suggestions, underscoring that while there might not be a single "standard" way, several robust approaches and tools exist, often best used in combination.

Hardware-Based Security: The Fort Knox for Your Keys

A prominent theme was the use of hardware to protect private keys, ensuring they are never exposed in plaintext on a general-purpose computer.

  • Hardware Security Modules (HSMs): Described as the "gold standard," HSMs are specialized devices designed to safeguard and manage digital keys. They perform cryptographic operations internally, meaning the private key material never leaves the HSM.
  • Yubikeys and Smartcards: For individuals, Yubikeys and other smartcards were frequently recommended as accessible HSM-like solutions. They can store SSH keys, GPG keys, and other credentials, requiring physical presence and often a PIN for use. One commenter shared a detailed guide on using Yubikeys for PIV and GPG.
  • Trusted Platform Modules (TPMs): Many modern computers come with a TPM, a dedicated chip that can store cryptographic keys securely. This was suggested as another hardware-based option.
  • USB Sticks: A simpler, "poor man's hardware token" approach involves storing encrypted keys on a USB stick. While less secure than dedicated hardware, it's an improvement over plaintext on a primary device.

Software and Cloud Solutions: Management and Convenience

Software tools, particularly password managers and dedicated secrets managers, offer robust solutions for encrypting, managing, and syncing keys.

  • 1Password: This was a popular recommendation, praised for its SSH agent integration, a CLI tool (op) that can inject secrets into environment variables (e.g., using op://vault/secret/key URIs in .env files), and secure cloud synchronization for backup and cross-device access.
  • KeePass: An open-source password manager, also suggested as a viable option for storing sensitive key material.
  • OpenBao (Vault): For more complex scenarios, especially in team or infrastructure settings, OpenBao (an open-source fork of HashiCorp Vault) was mentioned as a powerful secrets management system.

Encryption and Local Safeguards

Beyond specific tools, fundamental security practices were emphasized:

  • Direct Encryption: If keys are stored on disk, they must be encrypted (e.g., with a strong passphrase). The OP's use of AGE is an example of this.
  • Full Disk Encryption: Essential for protecting all data at rest, including any stored keys, should a laptop be lost or stolen.

Backup Strategies: Avoiding Irreversible Loss

Losing private keys can be catastrophic. Several backup methods were discussed:

  • Physical/Paper Backups:
    • The paperkey project was mentioned for backing up GPG keys onto paper. A similar approach could be used for other keys.
    • Even 1Password recommends printing an Emergency Kit. These physical backups should be stored in a secure location, like a safe.
    • Modern smartphone OCR capabilities make recovering data from paper backups feasible.
  • Digital Backups: Encrypted key files backed up to multiple locations, or leveraging the sync features of tools like 1Password.

Alternative Philosophies

An interesting perspective shared was the idea of "deleting your keys", which involves designing workflows that don't rely on long-lived private keys stored on user machines, possibly using short-lived certificates or other ephemeral access methods.

Conclusion

There's no one-size-fits-all answer to private key storage. The discussion highlights that a robust strategy often involves layers: strong encryption as a baseline, hardware tokens for sensitive keys, comprehensive backup plans, and potentially specialized software for management. The ideal approach depends on individual needs, threat models, and technical comfort levels.

Get the most insightful discussions and trending stories delivered to your inbox, every Wednesday.