Skip to content

BrendanThompson/keycrypt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
 
 
 
 

Repository files navigation

keycrypt

keycrypt is a wrapper for generating SSH Keys and then encrypting them with OpenSSL. keycrypt offers other features like copying the pubkey from your local machine to a remote host. This can even be done as part of the create step!

Current Features

  • SSH Key Creation
  • SSH Key Encryption with OpenSSL
  • Copying PubKey to Remote Server (similar to ssh-copy-id)

Future Features

  • Improved PubKey Copying
  • Scanning for unencrypted keys and prompting for encryption

Why would I need this?

The default encryption that ships with SSH isn't the most secure, it comprises of the following:

The header tells us the encryption algorithm that was used: AES-128 in CBC mode. The 128-bit hex string in the DEK-Info header is the initialization vector (IV) for the cipher. This is pretty standard stuff; all common crypto libraries can handle it.

Martin Kleppmann has show below that there are two primary weaknesses in the way SSH encrypts it's keys:

  • The digest algorithm is hard-coded to be MD5, which means that without changing the format, it’s not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough.
  • The hash function is only applied once — there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force.

From this it was devised that we could get a higher level of security from using OpenSSL. As such I wanted to automate the process of creating an SSH key and then encrypting it with OpenSSL, and keycrypt was born.


Credits

This idea was fostered from an article written by Martin Kleppmann

About

Generate new SSH key and Encrypt with OpenSSL

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages