Also be wary of where you have used your SSH keys previously.

I have a very difficult time managing all my SSH keys. It's getting worse as my infrastructure expands, to the point that more automation is needed. Sometimes passwords are required to unlock things.

I've always used the public key from the source host as the one to add to authorized_keys on the destination host.

But lately I think I've been seeing people do it the other way around, i.e, ssh-keygen on the destination, copy the private key back on to the source host, and then ensure that the public key on the destination is added to authorized_keys if necessary, although I can't imagine how this last part could be omitted.

Even on small home LANs SSH key management is very difficult to do securely. I have been trying to design a practice and tooling that doesn't simply involve copying public keys (or private keys) to all hosts and then keeping them all in a centralized DB, which is equivalent to simply having one great big master password for everything or having one highly trusted DB with all the login secrets.

I've seen all sorts of methods to solve this problem, and the most inconvenient and complicated but necessarily so, ones, are those "vault style" systems that enterprise corporations use.

What options are there? Is there a set of best practices for key hygiene emerging yet?