Guides

Security

How to manage SSH keys for client infrastructure

Keep infrastructure access understandable when multiple people need safe access to servers and deployments.

Updated Jun 22, 2026 2 min read

Why SSH key management matters

SSH keys are one of the quiet risks in agency infrastructure. They are easy to add during a launch and easy to forget after a project changes hands. Shared keys, old contractor access, and unclear server access can turn simple maintenance into a security problem.

ForgedBase helps teams keep SSH access attached to users, providers, servers, and site workflows instead of scattering keys across private notes.

Prerequisites

  • A list of people who need infrastructure access.
  • Individual SSH public keys for each operator.
  • Provider connections that support key sync.
  • A decision about who can manage keys in the workspace.
  • A review process for old client or contractor access.

Step-by-step workflow

  1. Collect individual SSH public keys instead of sharing one key.
  2. Add trusted keys to the workspace.
  3. Sync keys to providers or servers where appropriate.
  4. Confirm which servers each key should reach.
  5. Use deployment-specific access only where needed.
  6. Remove keys that no longer belong to active team members.
  7. Review access before and after production launches.
  8. Document who owns emergency access.
  9. Rotate or remove keys after contractor work ends.
  10. Keep key changes visible in activity history.

Where ForgedBase helps

ForgedBase gives SSH keys context. A key is not just a text blob. It belongs to a person, access workflow, provider sync, server, or deployment need. That context makes access reviews more practical.

For agencies, this is especially useful when multiple client projects are active and different people need different levels of access.

Common issues to check

  • Multiple people use the same SSH key.
  • A contractor key remains after the project ends.
  • Provider keys are updated but server access is not reviewed.
  • Deployment access is confused with general shell access.
  • Emergency access exists but nobody knows who owns it.
  • Key changes are not documented during handoff.

Related ForgedBase docs

Access checklist

  • Individual keys used.
  • Workspace permissions reviewed.
  • Provider sync checked.
  • Server access confirmed.
  • Contractor access expiry planned.
  • Old keys removed.
  • Emergency owner documented.
  • Changes visible to the team.

FAQ

Common questions

Should every team member share one SSH key?

No. Individual keys are easier to review, revoke, and audit when people join or leave a project.

Should SSH key access be reviewed after launch?

Yes. Access should be reviewed whenever a project changes owner, contractor access ends, or infrastructure becomes production-critical.

Related guides

Providers

How to choose a cloud provider for agency sites

A provider-selection checklist for agencies launching Laravel, WordPress, PHP, and client sites through ForgedBase.

Read guide

Deployments

How to connect source control for site deployments

A practical guide to connecting repositories, reviewing deployment scripts, and keeping release history visible for client sites.

Read guide

PHP

How to deploy a PHP site with Git and SSL

A straightforward launch path for PHP sites that need Git deploys, HTTPS, and operational visibility without a full framework workflow.

Read guide