this post was submitted on 21 Dec 2025
40 points (100.0% liked)

Selfhosted

53808 readers
256 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
40
What is the best trategie to refresh ssh keys? (feddit.org)
submitted 20 hours ago by ratatouille@feddit.org to c/selfhosted@lemmy.world
10 comments fedilink hide all child comments
 

My ssh keys are oldMany times I had the Idea to replace them and cleanup. Put the approach feels old not intuitive and i'm affraid of problems.

How do you manage keys and get sure they do ot get to old.

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 1 points 18 hours ago

This generally referred to as Key Rotation. It applies to everything from SSH keys, to API keys in running apps.

There are automated ways to do this with ease, but it's very simple to do with a single script, and some sort of secure key/value store (bitwarden, Vault, etcd...whatever).

The process is basically something like:

  1. Create a script that runs on cron to check for a key at your k/v store at an expected location, like /ssh_keys/host1-private-12.1.25 and /ssh_keys/host1-public-12.1.25
  2. Deploy this script to all machines you wish to regularly rotate keys on and ensure running properly
  3. Generate new keys and put them in your k/v store at some versioned location/path like /ssh_keys/host1-private-12.21.25 and /ssh_keys/host1-pub-12.21.25
  4. Update your local script that regularly grabs these updated keys to point to the new version uploaded, bonus if your store can symlinkto some other locations like /ssh_keys/host1-private-current
  5. Wait X period of time to ensure all hosts get whatever key they need

Your script can clear the old keys if needed but simply validating them in the access change serves the same effect. Up to you.