Where to Securely Store Private SSH Key in Ubuntu

On an Ubuntu Linux client, your private SSH key must be stored securely to prevent unauthorized access to your remote servers. This article explains the standard directory location for saving your private SSH key, how to set the correct file permissions to keep it secure, and how to use the SSH agent for managed access.

The Standard Directory Path

On an Ubuntu client, the standard and most secure location to store your private SSH key is in the user’s home directory within a hidden folder named .ssh.

The absolute path is: /home/username/.ssh/

In the terminal, this is commonly represented as: ~/.ssh/

When you generate a new SSH key pair using the ssh-keygen command, it offers this folder as the default location for the private key (such as id_ed25519 or id_rsa) and its corresponding public key (such as id_ed25519.pub or id_rsa.pub).

Crucial File Permissions

The SSH client on Ubuntu will refuse to use a private key if the file permissions are too open. This is a built-in security measure to protect your key from being read by other local users. You must restrict access so only your user account can read the file.

Run the following commands in your terminal to set the correct permissions:

  1. Restrict the .ssh directory: Only the owner should be able to read, write, and execute.

    chmod 700 ~/.ssh

  2. Restrict the private key: Only the owner should be able to read and write.

    chmod 600 ~/.ssh/id_ed25519

    (Replace id_ed25519 with the actual filename of your private key if it differs.)

  3. Set public key permissions: Public keys can be visible to others, but should only be writable by the owner.

    chmod 644 ~/.ssh/id_ed25519.pub
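
To check an existing directory against the three rules above, the following script (an added example, not part of the original article or of OpenSSH) reports every file whose mode is looser than recommended. The helper names audit_ssh_dir, mode_of and has_bits are hypothetical, and the script goes slightly beyond the text by identifying private keys from their header line and applying the "writable only by the owner" rule to every other file in the directory, not just .pub files.

```sh
#!/bin/sh
# Added example: audit a .ssh directory against the permissions described above.
# audit_ssh_dir, mode_of and has_bits are hypothetical helper names, not OpenSSH tools.

# Print the octal permission bits of a path (GNU stat; BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when any bit of octal mask $2 is set in the mode of path $1.
has_bits() {
    _m=$(mode_of "$1") || return 1
    [ $(( 0$_m & 0$2 )) -ne 0 ]
}

# Audit directory $1 (default ~/.ssh): one line per finding, status 1 if any.
audit_ssh_dir() {
    _dir=${1:-$HOME/.ssh}
    _bad=0
    [ -d "$_dir" ] || { echo "MISSING $_dir"; return 1; }
    # Directory: no access for group or others (chmod 700).
    if has_bits "$_dir" 077; then
        echo "DIR_TOO_OPEN $_dir mode=$(mode_of "$_dir") fix=700"
        _bad=1
    fi
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        # Classify by content, not filename: private keys begin with a PEM-style header.
        _first=
        IFS= read -r _first < "$_f" || true
        case $_first in
            "-----BEGIN "*"PRIVATE KEY-----")
                # Private key: owner only (chmod 600).
                if has_bits "$_f" 077; then
                    echo "KEY_TOO_OPEN $_f mode=$(mode_of "$_f") fix=600"
                    _bad=1
                fi ;;
            *)
                # Public keys and other files: writable by the owner only (chmod 644).
                if has_bits "$_f" 022; then
                    echo "WRITABLE_BY_OTHERS $_f mode=$(mode_of "$_f") fix=644"
                    _bad=1
                fi ;;
        esac
    done
    return "$_bad"
}
```

Source the file and run audit_ssh_dir with no argument to check ~/.ssh; no output and exit status 0 mean every file meets the modes listed above.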

Managing Keys with SSH Agent

For maximum security, you should protect your private SSH key with a strong passphrase during creation. To avoid typing this passphrase every time you initiate an SSH connection, you can load the key into the SSH agent, which securely holds the decrypted key in your system’s memory.

Start the SSH agent in the background:

    eval "$(ssh-agent -s)"

Add your private SSH key to the agent:

    ssh-add ~/.ssh/id_ed25519

By storing your private key in ~/.ssh/, setting the permissions to 600, and using a passphrase with ssh-agent, you ensure your private SSH key remains secure on your Ubuntu client.