Best practices for placement of SSH / GPG keys?

First I want to commend the work on the Ubuntu Core desktop, I built an image from the repository and it largely just works! I have chosen to be a bit adventurous and I’m currently using Ubuntu Core Desktop on metal as my main workstation.

I really like the security posture of an immutable system base, and I’m now wondering for how to best protect my personal authentication material such as SSH and GPG keys.

Are they best kept in the home directory on the main Ubuntu Core Desktop host, protected from installed software through confinement, or would it be best to keep them in a “bastion”-like LXD container?

Hi @fnordahl and good day to you and lovely to hear you are enjoying Ubuntu Core (it is definitely something I would like to try and I have heard great success from others using it from the GitHub repo).

I personally would do it via Snap Confinement, especially after reading this excellent blog by Popey and that the majority of Snaps are in Strict Confinement anyway and you would still have easy access to your SSH keys.