1

Say I am deploying my application to the server using git, and the repository needs authentication to be pulled, it will be very convenient if I just upload my private key there.

However, is it a good idea to do so?

Ivor Zhou
  • Use a second keypair, which has only read-only access to the git repository. – Michael Hampton Jul 08 '15 at 23:25
  • Thanks @MichaelHampton. That's really a good idea. But the sad thing is it's not easy to do using GitHub. – Ivor Zhou Jul 09 '15 at 00:51
  • I add multiple keys into github all the time. Why do you say it isn't easy? – chicks Jul 09 '15 at 01:04
  • If you're checking out from a public github repo you don't need keys at all? And from a private repo you only need to add another keypair as a [read-only deploy key](https://developer.github.com/guides/managing-deploy-keys/). – Michael Hampton Jul 09 '15 at 01:05

1 Answer

3

If you're talking about the private key you use to authenticate to your server, then absolutely not. That key needs to truly stay private, never leaving your machine, and definitely encrypted with a passcode. If you need to deploy software from your server, then generate a separate key pair for that purpose, that has severely restricted privileges on the systems it's deploying from.

EEAA
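The separate, read-only deploy key recommended in the answer and comments above, sketched as an added example that is not part of the original posts. The host alias `github-deploy`, the repository `example-org/example-app` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a dedicated deploy key ON the server, so no personal
# private key is ever uploaded. Alias and repository names are hypothetical.

setup_deploy_key() {
    ssh_dir="$1"        # normally "$HOME/.ssh"
    alias_name="$2"     # hypothetical Host alias, e.g. github-deploy
    key="$ssh_dir/${alias_name}_ed25519"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1

    # No passphrase: unattended deploys cannot type one. That is exactly why
    # this key must be read-only and scoped to a single repository.
    [ -f "$key" ] || ssh-keygen -q -t ed25519 -N "" \
        -C "deploy@$(uname -n)" -f "$key" || return 1
    chmod 600 "$key"

    # Bind the key to the alias. IdentitiesOnly stops ssh from offering any
    # other key (or agent identity) that happens to be present.
    if ! grep -q "^Host $alias_name\$" "$ssh_dir/config" 2>/dev/null; then
        cat >> "$ssh_dir/config" <<EOF
Host $alias_name
    HostName github.com
    User git
    IdentityFile $key
    IdentitiesOnly yes
EOF
    fi
    chmod 600 "$ssh_dir/config"

    # Public half: register it as a deploy key on the repository, leaving
    # write access off.
    cat "$key.pub"
}

# Audit helper: list private keys in the directory that are NOT the deploy
# key, i.e. keys that should not be sitting on a deployment server.
foreign_private_keys() {
    grep -l -- "PRIVATE KEY-----" "$1"/* 2>/dev/null |
        grep -v -- "/${2}_ed25519\$"
}

# Typical use on the server (not executed here):
#   setup_deploy_key "$HOME/.ssh" github-deploy
#   git clone github-deploy:example-org/example-app.git
#   foreign_private_keys "$HOME/.ssh" github-deploy
```

If the deploy key is ever exposed, remove it from the repository's deploy keys and rerun the setup; your personal key and other repositories are unaffected.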