> It seems there is no standard proper way to store private keys.
The gold standard for this would be a Hardware Security Module (HSM), which is essentially a device that stores private keys with certain guarantees of physical security (e.g, that private key material cannot be extracted from the device once it has been generated or placed there, and the device performs operations using the key material on behalf of some client).
HSMs in various forms underpin all sorts of cryptosystems that society depends on, because securing private key material at rest is essential. You'll find them everywhere from your debit/credit card, to certificate authorities, financial institutions, defense, and your smartphone.
For your use case, I'd recommend taking a look at Yubikeys. I did a writeup a while back on how to use them to store different types of private keys for various purposes:
https://blog.ctis.me/2022/12/yubikey-piv-gpg/
1Password with their SSH agent [1] for SSH keys, their CLI [2] for local secrets, and their terraform provider with service tokens for infrastructure keys/secrets. Yubikey for the secrets I’m most paranoid about.
You can essentially encrypt all environment variables, not just SSH keys, by aliasing your terminal commands to the 1password CLI. I have a “secrets” repo where all dotenv files are checked in with values like “op://vault-name/secret-name/key-name” that get injected by the op cli.
[1] https://developer.1password.com/docs/ssh/agent/
[2] https://developer.1password.com/docs/cli/get-started/
Paper. There’s a project called paperkey that allows you to store GPG keys on A4 paper. You could apply a similar approach to your age encrypted private keys or store them in plain text.
Modern smartphones have excellent OCR (optical character recognition) capabilities, so converting images of printed text back into digital form is now quite easy and reliable.
Personally, I use 1Password, and even they recommend printing out a PDF copy of your passwords and storing it in a secure location - like a physical vault. It’s a practical backup in case something happens and someone needs access to your credentials.
> And I really don't liek the idea of having the keys stored in the home directory in plain text.
so encrypt them.
or store them in a hardware token.
or on a USB stick (poor man's hardware token).
> There is also a risk of losing the keys if my laptop is damaged or gets stolen.
backups, full disk encryption.
Hi,
Thanks for this reply. Could you recommend any good "hardware tokens"?
AFAIK you should also be able to store them on the TPM (trusted platform module) on your pc.
if you're referring to SSH keys, you can use something like 1Password which stores them encrypted and syncs them in the cloud, so you keep them even if you lose your laptop
Smartcards + an printed backup in another location.