Tags: .net, ssh, private-key, winscp, winscp-net

Where to store SSH private key file in application


I am using WinSCP .NET assembly to upload files over SFTP, and one of the SessionOptions properties is SshPrivateKeyPath which is the location of the private key file that I created with PuTTYgen. The file is on the C: drive on my PC:

SessionOptions sessionOptions = new SessionOptions
{
    // verbatim string so the backslashes are not parsed as escape sequences;
    // object-initializer members are separated by commas, not semicolons
    SshPrivateKeyPath = @"C:\Users\blah\Documents\MyPrivateKey.ppk"
};

Note: I actually have the file path as a config setting, but you get the idea.

Doing this makes sense to me as when deployed to a test/live environment, the key and its location will be different. Also as it's not part of the project it keeps it out of source control.

However I can't seem to find a standard approach to this and I worry that what I'm doing is not the right thing to do. Any suggestions?


Solution

  • There's no definitive answer to your question. It's basically something that should be part of your software specification.

    But to give some answer:

    If the application uses the key for its internal use, i.e. the end user is not aware that the application uses SSH/SFTP to send some data somewhere, the key should be part of the application.

    In that case, either deploy the key to your application installation folder or embed it into your binary.


    Note that this is obviously a security issue. As long as your application need to contain credentials (be it private key or password) of your server, the end user can get hold of the credentials and abuse them. No matter how hard you try to hide them.

    So the credentials must have as few privileges as possible. For example, if the application uploads files to the server, the account that the private key (or password) is for should allow only the upload and nothing else. It should not allow modification of existing files. It should not even allow listing of existing files. It should have a limit on file size. Etc, etc. If you are not experienced with this, you really need to get this set up by someone experienced.
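The following is an added example, not code from the question, the answer or the WinSCP project, of the "deploy the key to your application installation folder" option the answer describes, combined with the questioner's config-setting override. It assumes a hypothetical environment-variable based config (`SftpPrivateKeyPath`, `SftpHostKeyFingerprint`), a placeholder host name `sftp.example.test`, a placeholder account `upload-only` and a key file shipped under `keys\upload.ppk` next to the binary; the WinSCP .NET assembly members used (`SessionOptions`, `Session.Open`, `Session.PutFiles`, `TransferOperationResult.Check`) are the assembly's documented API.

```csharp
// Added example: resolve the SSH private key from the install folder (with a
// config override), pin the server host key, and run an upload-only session.
using System;
using System.IO;
using WinSCP;

public static class SftpUploader
{
    // Hypothetical setting names; map them to whatever config store you use.
    private const string KeyPathSetting = "SftpPrivateKeyPath";
    private const string HostKeySetting = "SftpHostKeyFingerprint";

    // Explicit config path wins; otherwise use a key deployed alongside the binary.
    public static string ResolvePrivateKeyPath(string configuredPath, string baseDirectory)
    {
        string path = string.IsNullOrWhiteSpace(configuredPath)
            ? Path.Combine(baseDirectory, "keys", "upload.ppk")   // placeholder file name
            : Environment.ExpandEnvironmentVariables(configuredPath);

        if (!File.Exists(path))
        {
            // Fail closed: a missing key must not silently fall back to another auth method.
            throw new FileNotFoundException("SFTP private key not found", path);
        }
        return path;
    }

    public static void Upload(string localFile, string remoteDirectory)
    {
        string keyPath = ResolvePrivateKeyPath(
            Environment.GetEnvironmentVariable(KeyPathSetting),
            AppContext.BaseDirectory);

        string fingerprint = Environment.GetEnvironmentVariable(HostKeySetting);
        if (string.IsNullOrWhiteSpace(fingerprint))
        {
            // Without a pinned host key a spoofed server could receive the uploads.
            throw new InvalidOperationException("SFTP host key fingerprint not configured");
        }

        var sessionOptions = new SessionOptions
        {
            Protocol = Protocol.Sftp,
            HostName = "sftp.example.test",   // placeholder host
            UserName = "upload-only",          // account restricted server-side, as the answer advises
            SshPrivateKeyPath = keyPath,
            SshHostKeyFingerprint = fingerprint,
        };

        using (var session = new Session())
        {
            session.Open(sessionOptions);
            // Only a put; no listing or removal, matching the least-privilege account.
            TransferOperationResult result = session.PutFiles(localFile, remoteDirectory + "/");
            result.Check();   // throws if any transfer failed
        }
    }
}
```

The key file itself should be readable only by the account the application runs under (an NTFS ACL on the `keys` folder), and the server-side account restrictions the answer lists are what actually limit the damage if that file is ever copied; the client code cannot enforce them.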