Channel: Generating SSH and GnuPG keys on a remote server. Key management best practices - Super User

Generating SSH and GnuPG keys on a remote server. Key management best practices

I'm asking about best practices relating to key generation, use, and management.

On a few occasions, and for various reasons, I've created SSH and GnuPG keys while logged in over SSH to a remote multi-user server at work (and to my desktop machine at work, from home).

It struck me while I was tapping in the passphrases for my newly generated keys that I have no control over the machine that I'm logged in to, or over the link in between. I kind of trust the sysadmins at work, and SSH is secure, but nonetheless... it felt weird to send my fresh passphrases over the link like that.

What do you think? Is it wiser to generate the keys (SSH, GnuPG, or other) locally and then transfer the private keys over SSH, or am I just being paranoid about the whole thing?

Also, if I'm right to be at least slightly paranoid, what's your thought about where to store private keys? Should they all be in one physical place? Should I make heavy use of gpg-agent and ssh-agent always?

I'm working from two separate machines, logging in to a few separate multi-user servers using SSH to do work. I sign Git commits with GnuPG from about four locations (locally and remotely).

I'm working on a mix of Mac OS X (with MacPorts) and Linux machines (with Pkgsrc), but always on the command line.

