keycrypt is a wrapper for generating SSH Keys and then encrypting them with OpenSSL. keycrypt offers other features like copying the pubkey from your local machine to a remote host. This can even be done as part of the create step!
- SSH Key Creation
- SSH Key Encryption with OpenSSL
- Copying PubKey to Remote Server (similar to ssh-copy-id)
- Improved PubKey Copying
- Scanning for unencrypted keys and prompting for encryption
The default encryption that ships with SSH isn't the most secure; it consists of the following:
The header tells us the encryption algorithm that was used: AES-128 in CBC mode. The 128-bit hex string in the DEK-Info header is the initialization vector (IV) for the cipher. This is pretty standard stuff; all common crypto libraries can handle it.
Martin Kleppmann has shown that there are two primary weaknesses in the way SSH encrypts its keys:
- The digest algorithm is hard-coded to be MD5, which means that without changing the format, it’s not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough.
- The hash function is only applied once — there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force.
From this it was devised that we could get a higher level of security from using OpenSSL. As such, I wanted to automate the process of creating an SSH key and then encrypting it with OpenSSL, and keycrypt was born.
This idea was fostered from an article written by Martin Kleppmann.
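As an added example (not keycrypt's own code), here is one way to do the "scanning for unencrypted keys" check and to spot keys that still use the `Proc-Type`/`DEK-Info` header described above. It goes beyond the page by also recognising PKCS#8 and the newer `OPENSSH PRIVATE KEY` container; the function names, result labels and sample keys are assumptions constructed for illustration.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"  # start of the decoded new-format OpenSSH key body

def openssh_cipher(blob):
    """Return the ciphername field of an openssh-key-v1 blob, or None if malformed."""
    off = len(MAGIC)
    if not blob.startswith(MAGIC) or len(blob) < off + 4:
        return None
    (n,) = struct.unpack_from(">I", blob, off)
    name = blob[off + 4:off + 4 + n]
    return name.decode("ascii", "replace") if len(name) == n else None

def classify_key(text):
    """Classify private-key text by how (or whether) it is passphrase-protected."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        return "not-a-private-key"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            cipher = openssh_cipher(base64.b64decode("".join(body.split())))
        except ValueError:  # binascii.Error is a ValueError subclass
            cipher = None
        return {None: "malformed", "none": "unencrypted"}.get(cipher, "openssh-encrypted")
    if "Proc-Type: 4,ENCRYPTED" in body:
        # Legacy PEM: key derived from the passphrase with a single MD5 pass.
        dek = re.search(r"DEK-Info: ([A-Za-z0-9-]+),([0-9A-Fa-f]+)", body)
        return "legacy-pem-md5:" + (dek.group(1) if dek else "unknown")
    return "unencrypted"

# Constructed samples: placeholder bodies and a made-up IV, no real key material.
def sample_openssh(cipher):
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
          "-----END RSA PRIVATE KEY-----\n")
PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for text in (LEGACY, PLAIN, sample_openssh("none"), sample_openssh("aes256-ctr")):
        print(classify_key(text))
```

Keys reported as `unencrypted` or `legacy-pem-md5:*` are the ones worth re-encrypting.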