Protect your SSH Private Keys

2013-06-16

Update (2018-08-29): Ignore the whole post below. Use only the "new" OpenSSH private key encryption format that came out in 2013. "You can upgrade existing keys with ssh-keygen -p -o -f PRIVATEKEY."

On his blog, Martin Kleppmann investigates how OpenSSH stores private keys. If you protect your OpenSSH private key with a passphrase, it will be encrypted with AES-128-CBC by default. However, the PKCS #8 standard in combination with PBKDF2 offers better protection. Fortunately, you can convert your existing private keys to the stronger format using the following sequence of commands (assuming that your private key is located at ~/.ssh/id_rsa):

$ mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
$ openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa.old -out ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa

Now you should check that the new key works. In the aforementioned blog entry, rm is used to remove the old key. However, I recommend using the tool shred to overwrite the old key before deletion to prevent adversaries from restoring the old encrypted private key. Make sure that shred works on your file system as expected, i.e., it really overwrites file data in place. The corresponding command is:

$ shred -u ~/.ssh/id_rsa.old
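
To see which encoding each key in a directory uses (the legacy PEM format, PKCS #8 as produced by the conversion above, or the newer OpenSSH format that the update recommends), the format can be read from the key file itself. The script below is an added example, not part of the original post or of Kleppmann's; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify private key files by their on-disk format.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Body is base64 of "openssh-key-v1\0", a 4-byte length, then the
        # cipher name ("none" = no passphrase). NULs are mapped to ".".
        hdr=$(grep -v '^-----' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
              head -c 23 | tr '\000' '.')
        case "$hdr" in
        "openssh-key-v1."*none) echo openssh-plaintext ;;
        "openssh-key-v1."*)     echo openssh-encrypted ;;
        *)                      echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8-plaintext ;;
    "-----BEGIN "*" PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC) declares encryption in clear-text headers.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo legacy-pem-encrypted
        else
            echo legacy-pem-plaintext
        fi ;;
    *) echo unknown ;;
    esac
}

# Print "<format><TAB><file>" for every private key found in directory $1.
audit_keys() {
    for f in "$1"/*; do
        fmt=$(key_format "$f")
        if [ "$fmt" != unknown ]; then printf '%s\t%s\n' "$fmt" "${f##*/}"; fi
    done
    return 0
}

# Constructed sample files: format headers only, no real key material.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' > "$1/id_legacy"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$1/id_pkcs8"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_new"
}

demo=$(mktemp -d); make_samples "$demo"; audit_keys "$demo"; rm -rf "$demo"
```

Pointing audit_keys at ~/.ssh lists each private key with its format; any key not reported as openssh-encrypted is a candidate for the ssh-keygen -p -o -f upgrade quoted in the update.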