When using Git or SSH copy / remote login, etc., should we re-use the same SSH keys or create new ones every time?

StackOverflow https://stackoverflow.com/questions/3902911

29-09-2019

Question

With the increasing use of Git or SSH copying or login, we can use just one pair of public and private keys, or we can probably create different pairs on different machines, such as one for the notebook, one for the desktop, and one for the Virtual Machine.

Should we use 1 pair or should we use multiple pairs?

If we use just 1 pair, then we need to copy the 2 files (public and private) over to other machines, and we need to make sure we don't do it by FTP, or else that info may leak out to the public?

Even if we use SFTP, we need to set up the server on the machines where we want to transfer from/to... or is there a better method?

In general, do most programs and systems allow the users to have multiple SSH keys? For example, when we use a GitHub account, or Heroku, do the systems have a convention that allows a user to use multiple SSH keys to identify the same person?

I think if we use multiple keys, there might be a slight issue that if we create such keys on Ubuntu 10.04, and then install Ubuntu 10.10 later and create new keys, then very soon, we may have keys that we don't know where they are from, such as a pair that was from Ubuntu 8.04 and we didn't know about it.


Solution

The rules for SSH keys are simple:

  • Generate a new public/private key pair for every machine you intend to authenticate.
  • Never copy a private key onto another machine, neither by network nor removable media nor any other method you can think of.
  • Never share a password or passphrase with anyone, and never write them down.
  • If you suspect a key has been compromised, generate a new one. The only cost is updating services that have the public key.
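
A shell script that puts these rules into practice, added here as an example and not part of the original answer. The naming convention (one `id_ed25519_<host>` key per machine with a `user@host (date)` comment), the per-host `IdentitiesOnly` stanza and the `authorized_keys` audit are assumptions of this example; the audit addresses the question's worry about keys nobody can trace back to a machine.

```shell
#!/bin/sh
# Added example (not from the original post): per-machine SSH key hygiene.
# Assumed conventions: key file ~/.ssh/id_ed25519_<host>, key comment
# "user@host (YYYY-MM-DD)", and a per-host ~/.ssh/config stanza.

# Generate a key tied to this machine and identifiable later. The private
# key never leaves this host; only the .pub file goes to GitHub, Heroku or
# a server's authorized_keys.
make_machine_key() {
    host=$(hostname -s)
    key="$HOME/.ssh/id_ed25519_$host"
    [ -f "$key" ] && { echo "key already exists: $key" >&2; return 1; }
    ssh-keygen -t ed25519 -a 64 -f "$key" -C "$USER@$host ($(date +%F))"
}

# Write a Host stanza so only this machine's key is offered to that host
# (without IdentitiesOnly, ssh offers every loaded key to every server).
# Usage: write_host_stanza <config file> <alias> <hostname> <keyfile>
write_host_stanza() {
    printf 'Host %s\n    HostName %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$2" "$3" "$4" >> "$1"
}

# Audit an authorized_keys file: one line per key with OK/UNTAGGED, key
# type and comment. A key without a "user@host" comment cannot be traced
# back to a machine, which is exactly how stale keys accumulate.
# (Option fields containing spaces, e.g. command="a b", are not handled.)
audit_authorized_keys() {
    awk '
      /^[[:space:]]*(#|$)/ { next }                  # skip blank/comment lines
      {
        i = 1                                        # skip option tokens
        while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++
        type = $i; comment = ""
        for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
        status = (comment ~ /@/) ? "OK" : "UNTAGGED"
        printf "%s\t%s\t%s\n", status, type, (comment == "" ? "-" : comment)
      }' "$1"
}

# Number of untraceable keys; anything above 0 means the file needs cleanup.
count_untagged() {
    audit_authorized_keys "$1" | grep -c '^UNTAGGED' || true
}
```

Run `audit_authorized_keys ~/.ssh/authorized_keys` on a server to find entries with no identifying comment, then revoke them by deleting the line rather than trying to work out which old machine they belonged to.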

Licensed under: CC-BY-SA with attribution