SSH Key Rotation in 2026: When and How
SSH keys without rotation are passwords without expiry. Modern alternatives mostly remove the problem.
Why default keys are a risk
SSH keys grant access until revoked. Engineers leave; their keys remain authorized; access lingers.
Rotation as ritual is the band-aid; ephemeral certs are the fix.
Rotation cadences by use
- Human keys: a 90-day rotation is acceptable; 30 days is better.
- CI/CD keys: rotate on every deployment of the CI system itself; keep them very short-lived.
- Backup keys: rarely used; rotate quarterly.
SSO + ephemeral certificates
The modern approach: federate authentication through SSO and issue short-lived (hours) SSH certificates from a CA. Engineers do not manage keys at all.
Tools: HashiCorp Vault SSH CA, Smallstep, Teleport, AWS Systems Manager Session Manager (which removes SSH entirely).
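The certificate flow that Vault SSH CA, Smallstep and Teleport automate, shown with plain OpenSSH so the moving parts are visible. This is an added example, not code from the article or from any of those products; the CA name, the user "alice", the principal, the 4-hour lifetime and the working directory are all constructed for the demo, and the CA private key is written to disk only because this is a demo.

```shell
#!/bin/sh
# Added example, not from the article: issue a short-lived SSH user certificate
# from a CA with ssh-keygen and read back what a server would check.
# The CA name, user name, principal and 4-hour lifetime are constructed for the demo;
# in production the CA private key lives in Vault/Smallstep, never on an engineer's disk.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA key pair. Its public half (ca.pub) is what sshd trusts via TrustedUserCAKeys.
make_ca() {
  rm -f "$WORK/ca" "$WORK/ca.pub"
  ssh-keygen -q -t ed25519 -N "" -C "demo-ssh-ca" -f "$WORK/ca"
}

# Generate the engineer's key pair, as client tooling would (the private key never leaves the client).
make_user_key() {
  rm -f "$WORK/alice" "$WORK/alice.pub" "$WORK/alice-cert.pub"
  ssh-keygen -q -t ed25519 -N "" -C "alice@example.test" -f "$WORK/alice"
}

# Sign alice.pub with the CA: -I key id (shows up in sshd logs), -n allowed principal,
# -V +4h validity window starting now. ssh-keygen writes alice-cert.pub beside the key.
issue_cert() {
  ssh-keygen -q -s "$WORK/ca" -I "alice-$(date +%s)" -n alice -V +4h "$WORK/alice.pub"
}

# Validity window as printed by ssh-keygen -L, e.g.
# "Valid: from 2026-04-01T09:00:00 to 2026-04-01T13:00:00". No revocation list needed: it expires on its own.
cert_validity() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n 's/^ *\(Valid:.*\)$/\1/p'
}

# Principals baked into the cert; sshd matches these against the login name or AuthorizedPrincipalsFile.
cert_principals() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n '/Principals:/,/Critical Options:/p' | grep -v ':' | sed 's/^ *//'
}

# Return 0 when the cert's "Signing CA" fingerprint matches our ca.pub, 1 otherwise.
cert_signed_by_ca() {
  ca_fp=$(ssh-keygen -lf "$WORK/ca.pub" | awk '{print $2}')
  ssh-keygen -L -f "$WORK/alice-cert.pub" | grep -F "Signing CA:" | grep -qF "$ca_fp"
}

demo() {
  make_ca
  make_user_key
  issue_cert
  cert_validity
  printf 'Principals: %s\n' "$(cert_principals | tr '\n' ' ')"
  cert_signed_by_ca && echo "signed by $WORK/ca.pub"
}

# Run the demo only when ssh-keygen is available, so the file can also be sourced for its functions.
if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

On the server side the only configuration is `TrustedUserCAKeys /etc/ssh/ca.pub` in sshd_config (optionally `AuthorizedPrincipalsFile` to map principals to accounts); no per-user authorized_keys entries, so nothing lingers when an engineer leaves. The client uses the cert automatically when `alice-cert.pub` sits beside `alice`.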
Migration paths
Phase 1: SSO plus a Vault SSH CA for one team. Phase 2: deprecate static keys for that team. Phase 3: roll out org-wide.
A 12-month migration is realistic; do not try to go faster.
Antipatterns
- Static keys with no rotation cadence; they linger for years.
- Mass key removal without warning; it causes an outage.
- SSH everywhere when SSM would work; SSM removes the key problem entirely.
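Until the migration lands, the cadences above and the "keys linger for years" antipattern both call for the same thing: an audit that names which static keys are past their cadence or belong to someone who has left, so removal can be targeted rather than mass. The script below is an added example, not from the article; the inventory columns and rows are constructed, the 90-day human and backup limits come from the cadences above, and the 1-day CI limit is an assumed value standing in for "very short-lived".

```shell
#!/bin/sh
# Added example, not from the article: audit a static-key inventory against the
# rotation cadences above and flag keys that should not still be authorized.
# The inventory columns and rows are constructed; the 1-day CI limit is an assumed value.
set -eu

# Constructed inventory, one key per line:
#   fingerprint  owner  use(human|ci|backup)  created(epoch secs)  owner_active(yes|no)
# In practice you would build this from every authorized_keys file plus the IdP/HR feed.
INVENTORY='SHA256:key-alice-01 alice human 1768435200 yes
SHA256:key-bob-01 bob human 1759276800 no
SHA256:key-deploy-01 deploy-bot ci 1774396800 yes
SHA256:key-backup-01 backup-ops backup 1761955200 yes
SHA256:key-carol-01 carol human 1774742400 yes'

# Print one audit line per key: fingerprint owner use age=Nd FLAGS
#   ORPHANED = owner no longer active (the "engineers leave, keys remain" case)
#   STALE    = older than the cadence for its use (human 90d, backup 90d, ci 1d assumed)
#   OK       = nothing to do this cycle
audit_keys() {
  now="$1"
  printf '%s\n' "$INVENTORY" | awk -v now="$now" '
    BEGIN { max["human"] = 90; max["backup"] = 90; max["ci"] = 1 }
    NF == 5 {
      fp = $1; owner = $2; use = $3; created = $4; active = $5
      age = int((now - created) / 86400)
      flags = ""
      if (active != "yes") flags = flags "ORPHANED "
      if (!(use in max)) flags = flags "UNKNOWN-USE "
      else if (age > max[use]) flags = flags "STALE "
      if (flags == "") flags = "OK"
      printf "%s %s %s age=%dd %s\n", fp, owner, use, age, flags
    }'
}

# Number of keys needing action; this is the before/after metric the article asks you to track.
count_flagged() {
  audit_keys "$1" | grep -vc ' OK$' || true
}

# Stand-alone run: audit against the current clock (set NOW=<epoch> to pin a date).
audit_keys "${NOW:-$(date +%s)}"
```

Run it on each rotation cycle and act on the ORPHANED lines first: those are the lingering-access case, and removing them is safe to do immediately, while STALE keys get a dated warning to their owner before removal so the audit never turns into the mass-removal outage above.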
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before and after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.