I think we all agree it’s a good practice to regenerate your SSH key from time to time. Not sure about you, but the first thing that comes to my mind when I think about that is: it’d take forever to replace my key in all servers I need to access, all online services that use my key, etc.
Overcoming my laziness, I decided at least to list every place I’d have to update it. Interesting fact: it turned out that it was pretty much a small list:
Although now it looks more reasonable, I was still lazy to do it. Then, a few days ago, I noticed that Github recommends the use of HTTPS instead of SSH for Git repositories syncs:
What does one thing have to do with another? Well, by using
HTTPS, you don’t need to upload your SSH key to Github (check this out: mine isn’t longer at Github). BitBucket also supports it, which means I’d be able to regenerate my SSH key without having to upload it again to these services.
What’s left? Servers! From now on, every time I realise it’s time to regenerate my SSH key, all I need to update are the servers. I ended up making a list of servers that I’d need to update and found out in the end it wasn’t a big list and it’d be way easier than I thought it would.
Let’s face the truth: I had been using the same SSH key in the last 5 years or so and it’d be totally worth it to ensure my security as well as the security of the projects from the company I work for.
There’s more! This is the interesting part of this post: I’ve changed other things that made everything even safer:
- My new SSH key uses 4096 bits – recommended by Github – instead of the default (2048 bits).
- As I mentioned before, I’ve changed all my local repositories to use
SSH(see how in the end of this post).
- I’m now using a personal access token rather than my Github password (you can create it here), along with two-factor authentication, which I was already using.
- Cool, but would I need to type this token every time? Nope. There’s a nifty tool called
ssh-agentthat can save your token. If you’re using OS X, it’s even easier: Keychain can save and encrypt your token for you.
- My SSH key now has a passphrase, also saved encrypted in OS X’s Keychain, which means I don’t need to type it every time either.
HTTPS is faster!
According to some tests I made here,
HTTPS is faster than
# SSH $ time git clone email@example.com:rails/rails.git # 24.28s user 9.56s system 49% cpu 1:08.20 total
# HTTPS $ time git clone https://github.com/rails/rails.git # 13.52s user 6.41s system 39% cpu 50.730 total
In order to use HTTPS in my Git repos, do I need to re-clone every project?
Nope. Just edit the file
.git/config (within your project folder) and replace:
url = firstname.lastname@example.org:username/repo.git
url = https://github.com/username/repo.git
Regenerating your SSH key every now and then isn’t painful as you think it is. I’d recommend doing it every 3 years or even less if you’re paranoic or you work on something critic.