
In order to access a server we use ssh, where the keys are protected by a passphrase.

We want to generate a long passphrase such that the keys themselves are not enough to access that machine and the passphrase is hard to hack.

ssh-agent can store passphrases. The problem, however, is that such an agent stores the passphrase in a file on the client side, which makes it easier to access the server if one has access to the client machine.

Is it possible to store part of the passphrase on an external drive? In that case one can store the passphrase, let's say, on a USB drive one carries with him, and accessing the server is still convenient. It would be nice if the ssh-agent could detect the drive automatically, such that one can invoke ssh without having to "bind" the external drive to the ssh-agent first.

As a consequence, one should only be able to access the server given he/she has access to both the client (storing the ssh keys) and the external drive (storing the passphrase).

Willem Van Onsem
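The setup the question describes, written out as an added example (not from the question or the answer): a POSIX shell wrapper around ssh-add that derives the key's passphrase from one secret half kept on the client and one on a removable drive, so the key cannot be unlocked from either alone. The key path, the two part files and the drive mount point are assumptions, and the `load` mode assumes OpenSSH 8.4 or newer for `SSH_ASKPASS_REQUIRE`.

```shell
#!/bin/sh
# Added example, not from the question or answer. The private key stays on the
# client; its passphrase is SHA-256(local half || drive half). A copy of the
# client alone, or of the drive alone, is not enough to unlock the key.
# Assumed paths: override KEY, LOCAL_PART and USB_PART for your setup.
set -eu
KEY="${KEY:-$HOME/.ssh/id_ed25519}"
LOCAL_PART="${LOCAL_PART:-$HOME/.ssh/passphrase.local}"
USB_PART="${USB_PART:-/media/${USER:-$(id -un)}/KEYDRIVE/.passphrase.drive}"

# Hex SHA-256 over the two halves, in order ($1 = local half, $2 = drive half).
derive_passphrase() {
    cat "$1" "$2" | sha256sum | cut -d' ' -f1
}

# 0 when the drive half is mounted and readable, 1 otherwise.
drive_present() {
    [ -r "$1" ]
}

# When ssh-add runs this script as its SSH_ASKPASS helper, print the
# passphrase and stop; the passphrase itself is never written to the client.
if [ "${ASKPASS_MODE:-}" = 1 ]; then
    derive_passphrase "$LOCAL_PART" "$USB_PART"
    exit 0
fi

case "${1:-}" in
  init)  # one-time: create both random halves, then re-key the private key
    umask 077
    head -c 32 /dev/urandom > "$LOCAL_PART"
    head -c 32 /dev/urandom > "$USB_PART"
    # -N briefly exposes the passphrase in the process list; run init on a trusted machine
    ssh-keygen -p -f "$KEY" -N "$(derive_passphrase "$LOCAL_PART" "$USB_PART")"
    ;;
  load)  # daily use, instead of ssh-add: refuse unless the drive is mounted
    if ! drive_present "$USB_PART"; then
        echo "key drive not mounted at $(dirname "$USB_PART")" >&2
        exit 1
    fi
    # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) makes ssh-add use the helper even
    # on a terminal; -t 1h bounds how long the unlocked key lives in the agent.
    SSH_ASKPASS="$0" SSH_ASKPASS_REQUIRE=force ASKPASS_MODE=1 \
        ssh-add -t 1h "$KEY" </dev/null
    ;;
esac
```

Run `./split-key.sh init` once on the client with the drive mounted, then `./split-key.sh load` (the script must be executable, since ssh-add re-executes it via `$0`) whenever the key is needed; with the drive unplugged, `load` fails and the key stays locked.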

1 Answer


Do you mean the situation when someone leaves a working machine? Because as far as I know, if the PC goes to shutdown, the passphrase disappears since it's stored only in RAM, whilst a hash of the passphrase is kept on the hard drive.

Even if you could do what you are asking about, I think if a person should take care about bringing a USB disk (containing a hash of a passphrase on it) with him/her to access a remote server from a local machine and take it away when he/she leaves, then that is the same level of means as screen locking. This is the same level of organizing, as it's a sort of physical means of defending at the end of the console/terminal. In terms of such physical actions, (s)he has to remember one thing to do: either unplug the USB disk or lock the screen. So why?

Ruslan Gerasimov
  • Well, the passphrase should be stored only on the flash drive, not in RAM. Indeed, a person must take care of the USB drive. It's more a precaution such that people with physical access to the client machine can't access the server... – Willem Van Onsem Jul 23 '14 at 13:51