26 April 2022
SSH keys have been the de facto standard for managing your infrastructure for the last decade. Even if this is less the case in modern infrastructure, we continue to use SSH keys for some use cases, for example with AWS Systems Manager.
Protecting your SSH keys should be your top priority: they give access to your infrastructure (through a bastion, for example). It’s recommended to rotate them, but from my experience, this is rarely done. Other people put a passphrase on the SSH key, but that’s really painful to use.
There is another - and better - way to have both a high level of security for storage and an easy workflow for using your keys: simply load them into your SSH agent with the help of KeePassXC.
Keep your secret, secret
Your SSH keys (the private part) are secrets. So the best way to store them is to handle them like your other secrets (passwords, API keys, etc.) in your personal secret manager.
I assume that you already have one, because it’s a very basic security best practice, applicable to your staff and organization secrets. It allows you to use a complex, unique and random password every time you need one.
There are many options for managing your secrets on your favorite desktop. You could use Dashlane, 1Password, or Bitwarden. Personally, I have been using KeePassXC for many years, and I’m very happy with it because it has a feature that, as far as I know, no other option offers: managing your SSH keys with it. We will cover this part in a few words.
Even if it’s not the purpose of this article, here are a few things I really like about KeePassXC over other solutions:
- KeePassXC is Open Source and well maintained
- Support for MacOS X (even M1) and the ability to unlock the database with my fingerprint
- I store my secret database on Google Drive, which allows me to access my secrets everywhere, even on my phone with Keepass2Android
- Integration with Firefox works very well and allows me to quickly log in to most of the websites I use daily (it’s not 100%, but close to it)
- Everything is encrypted inside the database, even information that is not secret (login, website URL, my SSH keys, attached files, etc.)
- Versioning of secrets is available
Why use KeePassXC to manage your SSH keys on your SSH agent?
Since you can protect your SSH keys with a passphrase, why is it better to store them inside KeePassXC?
If your SSH keys are protected with a passphrase, you have to enter your passphrase every time you need to use them. When you are doing this a hundred times in your daily routine, it’s very painful, and you lose a lot of time (who said toil?). Also, every key should have a different passphrase. So you store your passphrases in a password manager, like KeePassXC, and copy and paste your secrets all day long.
To avoid this nightmare, some people store their keys AND the passphrase within the SSH agent. Even though it’s a good and widely used solution, I don’t want to have my keys loaded into the SSH agent this way.
Here comes this awesome feature from KeePassXC that allows you to load and unload your keys into your SSH agent when you unlock or lock your secret database. In addition, because you control how the application keeps your database open, you also control how long your keys stay available in the SSH agent. It means, for example, that when you lock your session, your keys are unloaded from the SSH agent and will only be available the next time you unlock your database. And ALL the keys are loaded/unloaded this way. So, with only one action, all my keys are available (or unavailable). Combined with fingerprint unlock, it’s never an issue, and I save a lot of time every day for more interesting things than entering a passphrase for my SSH keys, in addition to keeping my keys secret.
If you don’t already have KeePassXC on your desktop, here is a quick installation guide. If you already have it, go to the next part.
To install KeePassXC, go to the download page and choose the appropriate version for your operating system.
On MacOS X you can quickly install it with brew:
brew install --cask keepassxc
Once installed, launch the application.
Now the first thing to do is to create your secret database. Click on “Create new database” and fill in the form.
Then, click on “Continue” to choose the encryption parameters for your secret database.
The defaults are good, but you can customize the encryption algorithm in the “Advanced Settings”. For example, you can use ChaCha20 256-bit for encryption.
Keep in mind that all encryption algorithms available are very good choices. If you are not an expert in the mathematical differences between them, all options are good enough regarding today's security standards.
Once you have chosen the settings that meet your requirements, click on continue and enter your secret database password.
⚠ This is one of the most important passwords you have to create and memorize. With a secret manager, you have only one password to remember. So choose it carefully, following current best practices.
Here are a few guidelines:
- Length is more significant than complexity, because length is a major factor in increasing the time needed to crack the password. The NIST recommendation is 8 characters minimum, but for your master password I recommend at least 16 characters (remember that you only have one password to remember now!)
- Use letters, both uppercase and lowercase, and numbers
- Add one or more special characters, like ! - ; .
A common approach is to use a phrase that you can easily memorize, for example: The Cake Is a Lie !42
Click on “Done” to finally create your password database.
Store your SSH keys and load them into your SSH agent
Now that you have your first database, or if you already use KeePassXC, it’s time to load your SSH keys into your database and allow KeePassXC to load and unload them into your SSH agent.
Assuming we have an ed25519 key pair:
ssh-keygen -t ed25519 -C "bastion production"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/padok/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/padok/.ssh/id_ed25519
Your public key has been saved in /Users/padok/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:pPcl+pI2TTkzIL6psB/13wwxQLOA9jZp1+A/E+sHI3Q bastion production
The key's randomart image is:
+--[ED25519 256]--+
| .. o |
| o o.o |
| . . o+o |
| Bo=.E |
| +o=S+++. |
| ..o.o&= |
| . . oo*oO |
| o .o =oo+. |
| ..o. . oo.o |
+----[SHA256]-----+
Now, open your secret database and add a new entry.
Once you have named your new secret (“bastion production ssh key” in this example), go to the Advanced menu on the left.
Click on “Add” to add your private SSH key.
Your file will appear in the “Attachments” part.
One important thing here: your private key file is now stored inside your database! That means you can safely delete it from your computer!
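As an added example (not code from the original article or from KeePassXC), the following Python script audits a ~/.ssh-style directory for private key files left behind after importing them into the database. It parses the openssh-key-v1 header, so it can tell a passphrase-protected key (cipher such as aes256-ctr) from one stored in plaintext (cipher "none") without needing the passphrase; the sample key header builder is constructed for illustration and carries no real key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def inspect_private_key(text):
    """Parse an OpenSSH private key header and report whether the private
    section is encrypted (cipher != "none"). None if not an openssh-key-v1 PEM."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return None
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        return None
    cipher, off = _ssh_string(blob, len(MAGIC))  # cipher name comes first
    kdf, _ = _ssh_string(blob, off)              # then the KDF name (bcrypt/none)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none"}


def audit_ssh_dir(directory):
    """Return {filename: inspection} for every private key found in directory,
    so plaintext keys that should have been deleted after import stand out."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            info = inspect_private_key(path.read_text(errors="replace"))
        except (ValueError, struct.error):
            info = None  # not base64 or truncated header: not an OpenSSH key
        if info is not None:
            report[path.name] = info
    return report


def build_sample_key(cipher, kdf):
    """Constructed sample: a valid openssh-key-v1 header with empty key sections."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"") + s(b"")
    body = base64.b64encode(blob).decode()
    return "\n".join([BEGIN, *(body[i:i + 70] for i in range(0, len(body), 70)), END])
```

Run `audit_ssh_dir(Path.home() / ".ssh")` after importing your keys: any entry with `"encrypted": False` is a private key sitting unprotected on disk.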
Next, go to the “SSH Agent” menu on the left.
Select the first two options:
- Add key to agent when the database is opened/unlocked
- Remove key from agent when the database is closed/locked
Depending on your usage and your security needs, you could also unload your key after several seconds. It’s up to you.
Also, select the file you previously imported in the Attachments part (from the drop-down menu). You will see that your private key file is available, and once selected, you will see some information, including the public key (available for copy!).
Finish the creation of your secret by clicking on “Ok”. And that’s all you need to have your keys loaded into your SSH Agent!
Lock and unlock your database to see that the key is now available in your agent:
ssh-add -l
256 SHA256:pPcl+pI2TTkzIL6psB/13wwxQLOA9jZp1+A/E+sHI3Q bastion production (ED25519)
Yes! It’s your key (mine in this example …).
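As an added example (not from the article), this Python snippet checks that the agent state matches the database state described above: nothing loaded while the database is locked, exactly the expected fingerprints when it is unlocked. The ed25519 fingerprint is the one shown above; the RSA line and the EXPECTED_FINGERPRINTS set are constructed for the example.

```python
import re
import subprocess

# Constructed sample of `ssh-add -l` output. The ed25519 line is the key from
# the article; the RSA line is made up to stand for a key that should not be there.
SAMPLE_AGENT_LISTING = """\
256 SHA256:pPcl+pI2TTkzIL6psB/13wwxQLOA9jZp1+A/E+sHI3Q bastion production (ED25519)
3072 SHA256:CONSTRUCTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx old laptop (RSA)
"""
# Fingerprints the KeePassXC database is expected to load (constructed set).
EXPECTED_FINGERPRINTS = {"SHA256:pPcl+pI2TTkzIL6psB/13wwxQLOA9jZp1+A/E+sHI3Q"}

# "<bits> <fingerprint> <comment> (<type>)", one line per loaded identity
LINE_RE = re.compile(r"^(\d+) (SHA256:\S+) (.*) \((\S+)\)$")


def current_agent_listing():
    """Run `ssh-add -l`; exit 1 means an empty agent, 2 means no agent reachable."""
    proc = subprocess.run(["ssh-add", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode in (0, 1) else ""


def parse_agent_listing(text):
    """Turn `ssh-add -l` output into a list of {bits, fingerprint, comment, type}.
    An empty agent prints 'The agent has no identities.' and yields []."""
    keys = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            keys.append({"bits": int(m[1]), "fingerprint": m[2],
                         "comment": m[3], "type": m[4]})
    return keys


def audit_agent(text, expected, database_unlocked):
    """Compare agent contents with what KeePassXC should have loaded: nothing
    when the database is locked, exactly `expected` when it is unlocked.
    Returns (missing, unexpected) fingerprint sets; both empty means all good."""
    loaded = {k["fingerprint"] for k in parse_agent_listing(text)}
    wanted = set(expected) if database_unlocked else set()
    return wanted - loaded, loaded - wanted
```

Call `audit_agent(current_agent_listing(), EXPECTED_FINGERPRINTS, True)` right after unlocking, and again with `False` after locking, to confirm the load/unload behaviour end to end.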
Bonus tips for MacOS X users
By default, KeePassXC prevents recordings and screenshots of the application window on Windows and macOS.
As the documentation says, you can’t take a screenshot of KeePassXC. It’s a good security feature. But if one day you need to do it (for example, when writing an article about this awesome tool), you will have to bypass this option. The manual says to launch the application with the --allow-screencapture parameter. But how do you do that on MacOS X? Here we go:
open -a KeePassXC.app /dev/null --args --allow-screencapture
I hope this article has convinced you that KeePassXC is a great piece of software that can do more than securely store your passwords: it can help you in your daily routine by keeping your SSH keys secret and saving time when you use them.
If you have any questions, or if you think I missed something with my KeePassXC / SSH Agent usage, feel free to contact me; I will be happy to continue the conversation.