I found an article a while ago that mentioned that one should use different SSH keys for different remote hosts on the same client. The argument goes that if one key gets compromised, only one host is compromised instead of all of the hosts in your ~/.ssh/known_hosts file.
Here is how I set it up.
Step 1)
Create the key directory: mkdir ~/.ssh/keys/
Restrict it to your own user: chmod 700 ~/.ssh/keys/
Step 2)
Create a separate SSH key for each host, with the file named after the host: ssh-keygen -t ed25519 -f ~/.ssh/keys/myhost
Step 3)
Add the following to the beginning of your ~/.ssh/config file on your client machine.
Host *
# Magic happens here, and it happens for all hosts
# %h expands to the remote host name, so "ssh myhost" looks for ~/.ssh/keys/myhost
IdentityFile ~/.ssh/keys/%h
# Fallback
IdentityFile ~/.ssh/id_ed25519
Now when you run ssh myhost, it will automatically look for a host-specific key in ~/.ssh/keys/ and, if there isn't one, fall back to your main SSH key. This works because ssh quietly skips any IdentityFile that does not exist and offers the remaining ones in the order they are listed.
Step 4)
For additional security I recommend implementing changes suggested at SSH-Audit Hardening Guide for your hosts.
Step 5) (optional)
If you have a Yubikey or an OnlyKey you can generate SSH keys that rely on those by doing: ssh-keygen -t ed25519-sk -f ~/.ssh/keys/myhost
Then you can modify your ~/.ssh/config to do this:
Host *
# Magic happens here, and it happens for all hosts
# The hardware-backed key is tried first, then the plain per-host key
IdentityFile ~/.ssh/keys/%h-sk
IdentityFile ~/.ssh/keys/%h
# Fallback
IdentityFile ~/.ssh/id_ed25519
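To see what the config above actually does for a given host before relying on it, here is an added shell helper (not part of the original post) that mirrors the IdentityFile order from steps 3 and 5 and checks the permissions from step 1. It assumes a base directory (your ~/.ssh) is passed in, and it does not need an ssh client to run.

```shell
#!/bin/sh
# Added example, not from the original post. It models the lookup order of
# the config in the post and checks that the keys directory and private keys
# are unreadable by group and others.

# ssh_identity_candidates HOST SSHDIR
# Prints the IdentityFile candidates for HOST in the order the config lists
# them, with %h expanded to HOST: keys/HOST-sk, keys/HOST, then the fallback.
ssh_identity_candidates() {
    host=$1; sshdir=$2
    printf '%s\n' "$sshdir/keys/${host}-sk" "$sshdir/keys/$host" "$sshdir/id_ed25519"
}

# resolve_identity HOST SSHDIR
# Prints the first candidate that exists, i.e. the key ssh would offer first
# (ssh skips IdentityFile entries that are missing on disk). Returns 1 if none.
resolve_identity() {
    for f in $(ssh_identity_candidates "$1" "$2"); do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# check_private_perms SSHDIR
# Returns 0 when keys/ and every private key inside it deny all group/other
# access (the chmod 700 / 600 state the post sets up); otherwise lists the
# offending paths on stderr and returns 1. Public keys (*.pub) are ignored.
# Uses the POSIX "ls -l" mode column so it works on GNU and BSD userlands.
check_private_perms() {
    sshdir=$1; rc=0
    for f in "$sshdir/keys" "$sshdir"/keys/*; do
        [ -e "$f" ] || continue
        case $f in *.pub) continue ;; esac
        mode=$(ls -ld "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            printf 'loose permissions on %s (group/other: %s)\n' "$f" "$mode" >&2
            rc=1
        fi
    done
    return $rc
}
```

With a real OpenSSH client, ssh -G myhost | grep -i identityfile prints the same resolved IdentityFile list for comparison.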
If anyone knows of the first article that mentioned how to do this, I'm happy to credit them.