SSH Keys
SSH key management and certificate workflows for the domus infrastructure.
Key Generation
Generate ed25519 key — modern default
ssh-keygen -t ed25519 -C "evan@domusdigitalis.dev" -f ~/.ssh/id_ed25519
Generate RSA key — when legacy systems require it
ssh-keygen -t rsa -b 4096 -C "evan@domusdigitalis.dev" -f ~/.ssh/id_rsa_legacy
Automation key — no passphrase, restrict in authorized_keys
ssh-keygen -t ed25519 -C "automation@domusdigitalis.dev" -f ~/.ssh/id_automation -N ""
Agent Management
Start the agent and add your key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
List loaded keys
ssh-add -l
Add key with lifetime — auto-expires after 4 hours
ssh-add -t 4h ~/.ssh/id_ed25519
Remove all keys from agent
ssh-add -D
Key Fingerprints
Show fingerprint of a public key
ssh-keygen -lf ~/.ssh/id_ed25519.pub
Verify a remote host fingerprint before first connect (compare it with a fingerprint obtained out of band, since ssh-keyscan alone only tells you what the network answered)
ssh-keygen -lf <(ssh-keyscan -t ed25519 remote-host 2>/dev/null)
Authorized Keys
Copy public key to remote host
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-host
Restrict a key — forced command, IP restriction, no shell
command="/usr/local/bin/backup-only.sh",from="10.50.1.0/24",no-pty,no-port-forwarding ssh-ed25519 AAAA... automation@domusdigitalis.dev
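An added example, not part of the domus repository: a small POSIX sh audit that reads an authorized_keys file and reports automation keys (identified here by the constructed `automation@` comment convention, an assumption) that are missing the four restrictions shown above. The sample authorized_keys content is constructed and the key material is placeholder text.

```shell
#!/bin/sh
# Added example (not from the domus repo): audit authorized_keys for automation
# keys that lack forced-command, source-address and no-pty/no-port-forwarding
# restrictions. Assumption: automation identities are recognisable by an
# "automation@" key comment.

# Return 0 if one authorized_keys line carries every required restriction,
# 1 otherwise. The options field is everything before the key-type token.
line_is_restricted() {
    line=$1
    opts=$(printf '%s\n' "$line" \
        | sed -E 's/(^| )(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+) .*$//')
    for required in 'command=' 'from=' 'no-pty' 'no-port-forwarding'; do
        case "$opts" in
            *"$required"*) ;;        # present, keep checking
            *) return 1 ;;           # missing: key is under-restricted
        esac
    done
    return 0
}

# Read authorized_keys lines on stdin, print each under-restricted automation
# key, and return 1 if any was found (0 means the file is clean).
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;       # blank lines and comments
            *automation@*) ;;          # only automation identities are checked
            *) continue ;;
        esac
        if ! line_is_restricted "$line"; then
            printf 'UNRESTRICTED: %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: one interactive key, one correctly restricted automation
# key, one automation key with no restrictions at all.
SAMPLE_AUTHORIZED_KEYS='# constructed sample; key material is placeholder text
ssh-ed25519 AAAAC3PLACEHOLDER1 evan@domusdigitalis.dev
command="/usr/local/bin/backup-only.sh",from="10.50.1.0/24",no-pty,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER2 automation@domusdigitalis.dev
ssh-ed25519 AAAAC3PLACEHOLDER3 automation@domusdigitalis.dev'

# Usage on a real host: audit_authorized_keys < ~/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys \
    || echo "audit: under-restricted automation keys found"
```

The check is deliberately strict: a forced command without `from=` still lets anyone holding the private key run it from anywhere, so all four options are required before an automation key passes.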
SSH Certificates via Vault
Short-lived certificates replace static key trust. Users authenticate to Vault and receive a signed certificate.
Sign key via Vault SSH engine
vault write -field=signed_key ssh/sign/admin \
public_key=@$HOME/.ssh/id_ed25519.pub > ~/.ssh/id_ed25519-cert.pub
Inspect the certificate — verify principals, validity
ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
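An added example, not from the domus repository or from Vault: POSIX sh helpers that parse the `ssh-keygen -L` listing above and check what a practitioner actually cares about before trusting a certificate, namely that it carries the expected principal, was signed by the expected CA, and is inside its validity window. The listing below is a constructed sample in the format `ssh-keygen -L` prints; the Key ID, serial, fingerprints and timestamps are placeholders.

```shell
#!/bin/sh
# Added example (not the project's code): inspect an ssh-keygen -L listing.
# Run against a real cert with:  listing=$(ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub)

# Value of a single "Name: value" line in the listing.
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1
}

# Indented entries under a list header such as Principals or Extensions,
# one per line, stopping at the next known header.
cert_section() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 ~ "^[[:space:]]*" name ":" { p = 1; next }
        p && /^[[:space:]]*(Type|Public key|Signing CA|Key ID|Serial|Valid|Principals|Critical Options|Extensions):/ { p = 0 }
        p { sub(/^[[:space:]]+/, ""); print }'
}

# 0 if PRINCIPAL is granted by the certificate, 1 otherwise.
cert_has_principal() {
    cert_section "$1" Principals | grep -qx "$2"
}

# Fingerprint of the signing CA, e.g. "SHA256:...", for comparison with a pin.
cert_ca_fingerprint() {
    cert_field "$1" "Signing CA" | awk '{ print $2 }'
}

# 0 if NOW (ISO timestamp, same local-time format ssh-keygen prints) lies
# within the Valid window; ISO strings compare correctly as plain strings.
cert_is_valid_at() {
    valid=$(cert_field "$1" Valid)
    [ "$valid" = forever ] && return 0
    from=${valid#from }; from=${from%% *}
    to=${valid##* }
    expr "$from" \<= "$2" >/dev/null && expr "$2" \<= "$to" >/dev/null
}

# Combined check: principal present, CA pinned, and currently valid.
cert_ok() {
    cert_has_principal "$1" "$2" \
        && [ "$(cert_ca_fingerprint "$1")" = "$3" ] \
        && cert_is_valid_at "$1" "$4"
}

# Constructed sample listing in ssh-keygen -L layout (placeholder values).
SAMPLE_CERT_LISTING='/home/evan/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:USERKEYFINGERPRINTPLACEHOLDER
        Signing CA: ED25519 SHA256:CAFINGERPRINTPLACEHOLDER (using ssh-ed25519)
        Key ID: "vault-admin-evan-placeholder"
        Serial: 5
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T10:30:00
        Principals: 
                admin
                evan
        Critical Options: (none)
        Extensions: 
                permit-pty
                permit-port-forwarding'

# Usage: now=$(date +%Y-%m-%dT%H:%M:%S); cert_ok "$listing" admin "SHA256:<pinned CA>" "$now"
cert_ok "$SAMPLE_CERT_LISTING" admin SHA256:CAFINGERPRINTPLACEHOLDER 2024-05-01T10:15:00 \
    && echo "certificate acceptable" || echo "certificate rejected"
```

Pinning the CA fingerprint matters as much as the principal check: a certificate for the right principal signed by the wrong CA must be rejected, and comparing the `Signing CA` line against a value you recorded when the Vault role was set up catches that.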
Encrypted Config Workflow
The SSH config is gitignored in plaintext. Only the age-encrypted version is committed.
Encrypt after editing
age -e -R ~/.age/recipients/self.txt -o ssh/.ssh/config.age ssh/.ssh/config
Decrypt on new machine
age -d -i ~/.age/identities/personal.key ssh/.ssh/config.age > ssh/.ssh/config
chmod 600 ssh/.ssh/config
Format Conversion
Convert OpenSSH to PEM format — needed for some tools
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa_legacy
Extract public key from private key
ssh-keygen -yf ~/.ssh/id_ed25519 > recovered.pub
Permissions
Fix permissions in one pass — SSH refuses keys with wrong permissions
chmod 700 ~/.ssh && chmod 600 ~/.ssh/id_* ~/.ssh/authorized_keys 2>/dev/null && chmod 644 ~/.ssh/*.pub 2>/dev/null
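An added example, not part of the domus repository: a read-only audit of a `.ssh` directory against the modes the one-liner above enforces (700 for the directory, 600 for private keys and authorized_keys, 644 for public keys), plus the same fix applied to a directory of your choice. It builds a throwaway directory with deliberately wrong modes so it can be run offline; the placeholder file contents are constructed.

```shell
#!/bin/sh
# Added example (not the project's code): report permission drift in a .ssh
# directory before sshd or the ssh client silently rejects the keys.
# Checks are exact matches, so a 0400 private key is also reported even
# though ssh accepts it; relax the mode argument if that is intended.

# Print entries under DIR (selected by the remaining find arguments) whose
# mode is not WANT to stderr, and print how many there were to stdout.
count_bad_modes() {
    dir=$1; want=$2; shift 2
    bad=$(find "$dir" "$@" ! -perm "$want")
    [ -n "$bad" ] && printf '%s\n' "$bad" | sed "s/^/mode should be $want: /" >&2
    printf '%s\n' "$bad" | awk 'NF { n++ } END { print n + 0 }'
}

# Print the total number of permission problems in DIR (0 means clean).
audit_ssh_dir() {
    dir=$1
    a=$(count_bad_modes "$dir" 700 -maxdepth 0 -type d)
    b=$(count_bad_modes "$dir" 600 -maxdepth 1 -type f \
            \( -name 'id_*' ! -name '*.pub' -o -name authorized_keys \))
    c=$(count_bad_modes "$dir" 644 -maxdepth 1 -type f -name '*.pub')
    echo $((a + b + c))
}

# The page's fix, applied to an explicit directory instead of ~/.ssh.
fix_ssh_dir() {
    dir=$1
    chmod 700 "$dir"
    chmod 600 "$dir"/id_* "$dir"/authorized_keys 2>/dev/null
    chmod 644 "$dir"/*.pub 2>/dev/null
    return 0
}

# Constructed sample: a temp directory with three wrong modes and two right ones.
make_sample_ssh_dir() {
    d=$(mktemp -d)
    chmod 755 "$d"                                            # wrong, want 700
    printf 'placeholder private key\n' > "$d/id_ed25519"
    chmod 644 "$d/id_ed25519"                                 # wrong, want 600
    printf 'placeholder public key\n' > "$d/id_ed25519.pub"
    chmod 644 "$d/id_ed25519.pub"                             # correct
    printf 'ssh-ed25519 PLACEHOLDER evan@domusdigitalis.dev\n' > "$d/authorized_keys"
    chmod 664 "$d/authorized_keys"                            # wrong, want 600
    printf 'Host *\n' > "$d/config"
    chmod 600 "$d/config"                                     # not checked here
    printf '%s\n' "$d"
}

# Usage on a real host: audit_ssh_dir ~/.ssh
sample=$(make_sample_ssh_dir)
echo "problems before fix: $(audit_ssh_dir "$sample")"
fix_ssh_dir "$sample"
echo "problems after fix:  $(audit_ssh_dir "$sample")"
rm -rf "$sample"
```

Running the audit from a login hook or a config-management check lets you see drift (for instance after restoring a backup with a permissive umask) without changing anything until you decide to.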
Troubleshooting
Debug SSH connection — shows key negotiation
ssh -vvv user@remote-host 2>&1 | grep -E "Offering|Accepted|debug1: identity"