I keep my subkeys on my YubiKey and my master key on a printed QR code in a safe. Submitted some binary data decoding patches to ZBar just to make this easier.
Either you're forced to type in your password 100 times a day (so the rootkit has to wait until you type it in) or you use ssh-agent and your decrypted key is in memory for all to see.
Judging by the downvotes, my suggestion isn't great, though it does seem a tiny bit better.
I was under the impression that 1password uses secure enclave on the Mac and that it only decrypts the key as it's needed. I guess depending on the implementation the decrypted key could be in memory for a moment - or maybe longer.
The GP said they just need access to your .ssh directory (not root access, no mention of a root kit). A pass phrase on the key is a valid mitigation for that level of access.
You don’t need to type it, you can store it in a password manager and copy/paste, which is pretty fast. I do it all the time, it’s not a big deal.
Ok fair, but IMO there are few threat models where that would make a difference. In practice the attacker can just edit your bashrc and alias ssh-agent to log the password. Same for the password manager. Btw user mode rootkits are a thing and they typically don't need root despite the name.
If attacker code can run under your user, you're kinda screwed.
