by ecesena 3754 days ago
I think the most important thing is key rotation, and generally I do it every year or so.

I prefer a single ssh key for almost everything. It's on only 1 laptop that I use daily. There is no protection on the key itself, but I always lock the laptop screen (password protected) when I leave the laptop alone.

I have other laptops/devices, usually with different keys. My "master" key is also on my 2nd laptop. Although I could have a passphrase there, I still prefer no protection except screen locking. This said, this 2nd laptop never leaves my home, where only trusted (and "innocuous") people can touch it.


A private key without a passphrase can be used by anyone who gets hold of it. Why disable the extra protection a passphrase affords? With an ssh agent you can store the passphrase in the keychain you unlock when you log on, so you won't have to type it whenever you use it, unless you ssh into your own machine and try to use the key from the remote shell (which makes sense).

Of course, in every security scenario the risks determine the level of security, but having a passphrase has no practical downsides.
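An added example, not from anyone in this thread: a small Python audit script that inspects only the header of each private key file to report whether it is passphrase-protected at rest (OpenSSH, PKCS#8 and legacy PEM formats), so it never needs the passphrase itself. The sample keys at the bottom are constructed for the demo.

```python
import base64
import glob
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    # openssh-key-v1 encodes strings as a big-endian uint32 length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Describe how a private key is protected at rest: {'format', 'encrypted', 'cipher', 'kdf'}."""
    lines = pem_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))  # "none" means no passphrase
        kdf, _ = _read_string(body, off)                      # "bcrypt" when encrypted
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8: encryption parameters live inside the DER
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8", "kdf": "pkcs8"}
    # Legacy PEM (BEGIN RSA/EC/DSA PRIVATE KEY): encryption is signalled by Proc-Type/DEK-Info headers
    headers = dict(l.split(":", 1) for l in lines[1:-1] if ":" in l)
    dek = headers.get("DEK-Info", "").strip()
    return {"format": "legacy-pem", "encrypted": "ENCRYPTED" in headers.get("Proc-Type", ""),
            "cipher": dek.split(",")[0] if dek else "none", "kdf": "EVP_BytesToKey" if dek else "none"}

def unprotected_keys(ssh_dir=os.path.expanduser("~/.ssh")):
    """Audit helper: paths of private keys in ssh_dir that carry no passphrase."""
    found = []
    for path in glob.glob(os.path.join(ssh_dir, "*")):
        if path.endswith(".pub") or not os.path.isfile(path):
            continue
        try:
            with open(path) as f:
                info = key_protection(f.read())
        except (ValueError, UnicodeDecodeError):
            continue  # config, known_hosts and other non-key files
        if not info["encrypted"]:
            found.append(path)
    return found

def constructed_openssh_key(cipher, kdf):
    # Constructed sample: a real file goes on with kdfoptions, key count and key blobs,
    # but the first two fields alone decide whether the key is encrypted
    body = OPENSSH_MAGIC
    for s in (cipher.encode(), kdf.encode(), b""):
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM sample with the encryption headers openssl/ssh-keygen -m PEM emit
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----"""
```

Running `unprotected_keys()` on a workstation lists the keys that anyone copying the file could use directly, which is the risk the comment above describes.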

I'm not arguing with you on what you said. You're certainly right. If someone gets that key, they've got access to everything.

I would add this. If someone malicious gets physical access to your laptop, you've got bigger problems to deal with. ;)

Yes, that makes sense - it would be protected at rest. (I guess the reason why I don't feel the need is that "at rest" for my specific laptop means nobody is using it and it's disconnected from the LAN/Internet)