Now that OpenSSH supports Elliptic curve security keys (since version 8.2), it's possible to generate an ed25519-sk
key on a hardware security key:
$ ssh-keygen -t ed25519-sk -C comment
This generates public and private key parts. How sensitive is the private part that goes into the file ~/.ssh/id_ed25519_sk?
It seems it's required for the ability to use the security key on another machine, so I assume it's necessary to distribute it to all client machines usable with the key or to store it on some removable medium. Does it pose a security risk, or is the private file simply useless without the hardware key?
And a somewhat related question: does this process overwrite the key stored on the hardware, that is, is it possible to have only one such SSH key for each hardware key?