Because of this, I choose to generate SSH keys for specific purposes or clients, thus limiting the “blast radius” a leaked key will have. It’s a lot easier to re-key 2 servers than 25.

Everything is now compartmentalized, but that brings a new problem. You have become the digital equivalent of a building superintendent with a massive ring of keys and no easy way to keep track of their usage. I’m going to talk about what I’ve done to solve this issue with security in mind, without disrupting my existing workflow and using the now native Windows OpenSSH service. I wrote this guide with Windows 10/11 in mind, but it should also work with the OpenSSH agents on Linux and macOS.

I’ve been using KeePass for almost a decade now. I love the personal control I have over my vault, and when I started using it in 2012 most of the cloud password managers were not as strong as they are today. Nothing against them; I still advocate Bitwarden for anyone looking for a simple, free cloud password manager. If you are debating switching to a password manager (which, by the way, you should) and don’t need this level of SSH key control, Bitwarden is fine.

KeePass, being open source, has many forks and client implementations; my favorite, and my choice for this, is KeePassXC. KeePassXC offers a built-in SSH agent integration that stores your private keys inside your encrypted vault and only presents a key to the agent when requested. KeePassXC also offers a nice interface for auto-fill browser plugins, but that is out of scope here.

I’ve been using SSH key authentication for a while now, but had limited control over my keys, defaulting to:

- Keeping some SSH keys in ~/.ssh/ and configuring ssh-agent to read them.
- Manually selecting an SSH key on every authentication: ssh -i ~/.ssh/id_client

These solutions worked, but had some flaws:

- Required keeping SSH keys lying around on computers, some without passphrases.
- Mental gymnastics keeping track of keys and their locations.
- Not easily portable or synced across multiple systems.

I once found myself thousands of miles away from home without my SSH keys to a degraded production system.

Moving to KeePassXC for SSH key management allowed me to do the following:

- This is now 1 file to keep track of and keep safe.
- Encrypted at rest, regardless of whether passphrases are on the keys or not.
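One key per client only shrinks the blast radius if ssh also stops offering every key the agent holds to every server. OpenSSH scopes that with a per-host IdentityFile plus IdentitiesOnly yes; the IdentityFile can be just the .pub on disk while the private key stays in the agent (KeePassXC's or ssh-agent's). The linter below is an added example and not part of the original post: it parses a constructed ssh_config (hostnames and key paths are hypothetical) and reports hosts where the agent would still be allowed to present the whole key ring.

```python
"""Lint an ssh_config for per-host key scoping.

Added example, not from the original post. Flags Host blocks where a
compartmentalized key is undermined because ssh may still offer every
key loaded into the agent to that server.
"""
from __future__ import annotations

# Constructed sample config, not the author's real file; paths are hypothetical.
SAMPLE_CONFIG = """\
# Per-client keys: only the .pub lives on disk, the private key stays in the vault
Host client-a
    HostName bastion.client-a.example
    User deploy
    IdentityFile ~/.ssh/id_client_a.pub
    IdentitiesOnly yes

Host client-b
    HostName git.client-b.example
    IdentityFile=~/.ssh/id_client_b.pub

Host homelab
    HostName 10.0.0.5
    User admin
"""


def parse_ssh_config(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {host_pattern: {keyword_lower: [values...]}} for each Host block.

    Lines before the first Host go under the pseudo-host "*global*".
    Keywords may repeat (IdentityFile often does), so values are lists.
    Both "Keyword value" and "Keyword=value" forms are accepted.
    """
    blocks: dict[str, dict[str, list[str]]] = {"*global*": {}}
    current = "*global*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.lower()
        if key == "host":
            current = value.strip()
            blocks.setdefault(current, {})
            continue
        blocks[current].setdefault(key, []).append(value.strip())
    return blocks


def lint_key_scoping(text: str) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for hosts that are not pinned to one key.

    agent-offers-all-keys: no IdentityFile, so ssh tries every agent key in
      order; one client's server sees the public keys for all the others and
      may exhaust MaxAuthTries before the right key is reached.
    identitiesonly-missing: IdentityFile is set but IdentitiesOnly is not
      yes, so the configured key goes first and the rest still follow.
    A "Host *" block, if present, supplies the fallback IdentitiesOnly value.
    """
    blocks = parse_ssh_config(text)
    fallback = blocks.get("*", {}).get("identitiesonly", ["no"])[0].lower() == "yes"
    findings: list[tuple[str, str]] = []
    for host, opts in blocks.items():
        if host in ("*global*", "*"):
            continue
        ids_only = opts.get("identitiesonly")
        # ssh_config keeps the first value seen for a keyword
        pinned = fallback if ids_only is None else ids_only[0].lower() == "yes"
        if "identityfile" not in opts:
            findings.append((host, "agent-offers-all-keys"))
        elif not pinned:
            findings.append((host, "identitiesonly-missing"))
    return findings


if __name__ == "__main__":
    for host, finding in lint_key_scoping(SAMPLE_CONFIG):
        print(f"{host}: {finding}")
```

Run against a real file with `lint_key_scoping(open(os.path.expanduser("~/.ssh/config")).read())`; on the sample it reports client-b (key set, but IdentitiesOnly missing) and homelab (no key at all), while client-a passes.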