View Other Checks

Contents

View Other Checks

How to Find Unencrypted SSH Keys and Encrypt Them

SSH keys are commonly used to sign into servers, push code, and verify identities. It's important they are password-protected.

What Are SSH Keys?

An SSH Key is a two part (public and private key) cryptographic token which is primarily used to facilitate remote secure shell (SSH) access to a computer.

In practice SSH Keys are used to sign in to servers, authenticate to remote repositories like Github, and as a way of verifying the authenticity of files and messages.

How Do SSH Keys End Up Unencrypted?

Engineers and other technical users need to semi-frequently generate new SSH keys to authenticate to various services. To do that they often generate the SSH key pair via the terminal by running the following command:

$ ssh-keygen -t ed25519 -C "first.name@example.com"

During the process they will eventually be asked to set a passphrase with a prompt that looks like the following:

> Enter passphrase (empty for no passphrase): [Type a passphrase]

Unfortunately, this portion of the process can be easily skipped by simply pressing the enter key on the keyboard. If this portion of the process is skipped the private key can be used by anyone who can get possession of the file.

Why do developers skip this step? There are a few reasons that come up in practice:

  • Ignorance - Many developers don’t know there is any security value in adding a passphrase to an SSH key.

  • Perceived Lack of Necessity - Many SSH keys are generated under the assumption they won’t be used to obtain access to anything important and thus adding a passphrase is unnecessary overkill.

  • Convenience - By adding a passphrase, developers often assume they will need to constantly enter a passphrase every time they push code to GitHub or access a commonly used server. By forgoing the password they don’t have to contend with any productivity loss.

While these arguments drive the behavior, none of them are strong. In fact, a lot of the perceived downsides of using an encrypted key can be mitigated with modern tools.

For example, on macOS if an encrypted SSH key is accessed by a process, you will be automatically prompted to enter the passphrase and then you can choose to save it in the keychain.

Locating Unencrypted SSH Keys with Osquery

Osquery (an open-source tool for querying the state of the OS) is capable of locating user SSH keys across devices. It does this by tapping into the ssh-agent on the device and looking for them in common locations on the primary disk like ~./ssh.

Osquery uses SQL to query the system’s current state. Here is an example of a SQL query that can detect all unencrypted SSH keys on disk.

SELECT path FROM user_ssh_keys WHERE encrypted = 0;

Kolide extends osquery’s functionality with additional data like MD5 fingerprint and automatically stores metadata about keys in its built-in Inventory. This allows you to detect things like duplicate SSH keys across devices.

How Do I Encrypt an Unencrypted SSH Key?

Encrypting a pre-existing SSH key is a trivial process. On Mac or Linux simply:

  1. Make note of the private SSH key you wish to encrypt. For this example, let’s assume it’s in /Users/user/.ssh/id_rsa
  2. Open the terminal
  3. Type ssh-keygen -p -f /Users/user/.ssh/id_rsa and press enter

You will be prompted to create a passphrase. We suggest you create a unique passphrase per key and store those passphrases in a secure/approved password manager like 1Password.

You may not see text being entered as you type your password in. Do not worry, this is normal security feature of the terminal and it is receiving your keystrokes.

How Does Kolide Remediate This Problem?

This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to reach out to users who have devices that fail this check, and then give them precise instructions on how to resolve the problem.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Kolide
Home
Messages
About
9:41
Quin's Macbook • MacBook Pro (16-inch, 2021)
Failing Check: Require SSH Keys Be Encrypted
Reason: Unencrypted SSH Key Detected

Why is this a Problem?

SSH keys are used to allow trusted, encrypted connections to restricted systems. If an unauthorized party obtains an SSH key, they can also gain access to those systems. This is why it is important to protect your SSH keys by encrypting them, therefore making the keys by themselves useless to attackers.

Required Action:

Encrypting SSH keys is a trivial process that should only take a few minutes.

To encrypt your SSH keys on Mac:

  1. Open Spotlight search by using the following keyboard shortcut: 'Command + Spacebar'.
  2. Type Terminal.app in the search bar and press enter to locate and launch your Terminal application.
  3. In the terminal window, enter the command(s) listed at the end of this notification.
  4. You will then be asked to create a passphrase. Consider using a password manager to generate and store a strong, unique password. Enter your chosen password into the terminal and press enter. As a security precaution, your password will not be displayed as you type it.
  5. Once finished, you may close the terminal window.

To encrypt your SSH keys on Linux:

  1. Launch your terminal application and enter the command(s) listed at the end of this notification.
  2. You will then be asked to create a passphrase. Consider using a password manager to generate and store a strong, unique password. Enter your chosen password into the terminal and press enter. As a security precaution, your password will not be displayed as you type it.
  3. Once finished, you may close the terminal window.

To encrypt your SSH keys on Windows:

  1. Open the Windows search bar by using the following keyboard shortcut: 'Windows key + S'.
  2. Type Command Prompt in the search bar and press enter to locate and launch your terminal application.
  3. In the terminal window, enter the command(s) listed at the end of this notification.
  4. You will then be asked to create a passphrase. Consider using a password manager to generate and store a strong, unique password. Enter your chosen password into the terminal and press enter. As a security precaution, your password will not be displayed as you type it.
  5. Once finished, you may close the terminal window.

ssh-keygen -p -f /Users/user/.ssh/id_rsa

I've fixed it. Check again
Contact Admin for help
Want to start delivering this notification automatically to your end-users?
Sign Up With Slack

Share this story:

Related Device Checks:

Find and Secure Plain-Text GitHub 2FA Backup Codes

github, two-factor-codes, unencrypted-credentials, no-mdm-resolution

Find and Securely Store 1Password Emergency Kits

1password, unencrypted-credentials, no-mdm-resolution

Ensure Ubuntu’s Unattended Upgrades Are Turned On

os-updates, patching, debian, ubuntu, no-mdm-resolution
View More of Kolide's Checks
Try Kolide Free
Try Kolide Free