> It’s where you keep the mechanism secret, not the key.
I think this can be, as you write, defense in depth if the secret of the mechanism is not the only defense.
As example the block cipher for the Common Scrambling Algorithm https://en.wikipedia.org/wiki/Common_Scrambling_Algorithm has been secret.
As it seems that has delayed the analysis of the system for about 8 years, but not damaged the procedure.
Technically defense in depth refers to multiple effective security measures (like cryptographic login), so security by obscurity isn't actually part of it.
(Moving SSH port plus something like fail2ban could be considered defense-in-depth against the incidental DDOS-like issues, though.)
> It’s where you keep the mechanism secret, not the key.
I think this can be, as you write, defense in depth if the secret of the mechanism is not the only defense.
As example the block cipher for the Common Scrambling Algorithm https://en.wikipedia.org/wiki/Common_Scrambling_Algorithm has been secret. As it seems that has delayed the analysis of the system for about 8 years, but not damaged the procedure.