ssh keys management question

So I'm tearing down an old RHEL VM.

From this VM I generated ssh keys for a user that is used for vuln scanning (ACAS Scanner). In order to scan correctly, it logs in via ssh keys.

I'm not familiar with ssh key management. In this case, would it be creating a new VM, creating the user account again, re-generating ssh keys and copying those keys to all VMs?



Hi Christopher,

Not sure if I understand it correctly, but there's no need to re-create ssh keys every time you create a new VM.
Just create a new key pair, and copy the ssh keys to a destination that you can access from within the new VM.

If you are using KVM virtualization, you can alternatively copy them into the VM by using the libguestfs-tools.
Another option would be to import (instead of copying) the existing key from within the (running) new VM. :)


Hello Christopher,
I'm not sure if I got you right. I understand that you have created one or several ssh key pairs on this VM you are going to tear down now. The public key was distributed to some other hosts and used for vulnerability scanning, right?

In this case you could take the private key from the VM and import it to the new VM. You would find it usually in ~/.ssh/ of the user where you created the key pair in the first place.

There is no need to replace all the keys, unless your private key was compromised.

Best regards,

You're correct. Sorry I couldn't explain it better.

No, the private ssh key was not compromised. Just ripping and replacing a RHEL VM.

Sounds like I can grab the private key, and import it into the new server. How does this take into account the public key?


Hi Christopher,
I'll try to explain by giving an example.

I guess you created the ssh key pair like in the following code example:

[jkastning@rhel-dev ~]$ mkdir ssh-test
[jkastning@rhel-dev ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jkastning/.ssh/id_rsa): /home/jkastning/ssh-test/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/jkastning/ssh-test/id_rsa.
Your public key has been saved in /home/jkastning/ssh-test/id_rsa.pub.
The key fingerprint is:
SHA256:tJCyraI1ZuQxNVjMiVGQwWFrnR/axjTO/5toW+yxjTQ jkastning@rhel-dev.local
The key's randomart image is:
+---[RSA 2048]----+
| .*@o.           |
| .+=+. .         |
|  + * * .        |
| . . & = .       |
|  + o O S        |
| o o o . .       |
|  B .   . E      |
| = o    .* B     |
|.      .o.B..    |
+----[SHA256]-----+
[jkastning@rhel-dev ~]$ ll ssh-test/
total 8
-rw-------. 1 jkastning jkastning 1675 Jun 11 19:49 id_rsa
-rw-r--r--. 1 jkastning jkastning  406 Jun 11 19:49 id_rsa.pub
[jkastning@rhel-dev ~]$

In the example above the ssh key pair was saved in the directory ssh-test, which now includes two files. id_rsa.pub is the public key, which usually would be distributed to other hosts where you want to authenticate yourself using this key pair.

The file id_rsa, on the other hand, is the private key of the ssh pair. This is the part of the key you should save by exporting it to another machine before you tear down the VM. You could use scp or a similar command to do so. Then you can copy this file to the new VM. Place it in the same directory as it was on the old VM. Then you should be able to use it again to authenticate to your target hosts.

Best regards, Joerg

Just a small addition to Joerg's excellent answer: It's better to save both the private key file (id_rsa) and the public key file (id_rsa.pub); some SSH encryption methods also need the public key file to be present on the SSH client host. Although the public key can usually be reconstructed using the private key file if needed (ssh-keygen -y -f id_rsa > id_rsa.pub), or retrieved from any of the hosts it has been previously added to, that's an additional step that can be easily avoided by just grabbing both files from the old server in the first place.
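As an added example that is not part of any reply in this thread, the following script performs the migration the replies describe: it copies both key files to the new VM's key directory, restores the permissions ssh requires, checks with ssh-keygen -y that the private and public files still belong together, and prints the fingerprint to compare against the authorized_keys entries on the scanned hosts. It assumes the pair is named id_rsa / id_rsa.pub and uses $NEWHOST as a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the thread): move an existing ssh key pair, both
# files, to a new VM and verify that the pair is intact afterwards.
# Assumptions: files are named id_rsa and id_rsa.pub; $NEWHOST is a
# placeholder for the new VM; the private key has no passphrase or the
# passphrase is entered interactively when ssh-keygen -y asks for it.
set -eu

# Public key derived from the private key (what "ssh-keygen -y" does), with
# the trailing comment dropped so it can be compared to the stored .pub file.
derived_pubkey() {
    ssh-keygen -y -f "$1" | awk '{print $1, $2}'
}

# Return 0 when the private key ($1) and the public key file ($2) match.
keypair_matches() {
    [ "$(derived_pubkey "$1")" = "$(awk '{print $1, $2}' "$2")" ]
}

# SHA256 fingerprint of a public key file (same value ssh-keygen printed when
# the pair was generated); compare it with "ssh-keygen -lf authorized_keys"
# on a target host to confirm the migrated key is the one already authorized.
fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Copy both key files from directory $1 into directory $2, set the
# permissions ssh insists on (a group/world-readable private key is refused
# by the client), and fail if the copied files do not belong together.
install_keypair() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    chmod 700 "$dst"
    cp "$src/id_rsa" "$src/id_rsa.pub" "$dst/"
    chmod 600 "$dst/id_rsa"
    chmod 644 "$dst/id_rsa.pub"
    keypair_matches "$dst/id_rsa" "$dst/id_rsa.pub"
}

# Typical use. On the old VM, before tear-down:
#   scp ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "$NEWHOST":backup-keys/
# On the new VM, as the scanning user:
#   install_keypair ~/backup-keys ~/.ssh && fingerprint ~/.ssh/id_rsa.pub
```

If keypair_matches fails after the copy, one of the two files came from a different generation of the key and should not be used until the mismatch is resolved.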