Generate new SSH key and Encrypt with OpenSSL
Shell
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
README.md
keycrypt

README.md

#keycrypt

keycrypt is a wrapper for generating SSH Keys and then encrypting them with OpenSSL. keycrypt offers other features like copying the pubkey from your local machine to a remote host. This can even be done as part of the create step!

####Current Features

  • SSH Key Creation
  • SSH Key Encryption with OpenSSL
  • Copying PubKey to Remote Server (similar to ssh-copy-id)

####Future Features

  • Improved PubKey Copying
  • Scanning for unencrypted keys and prompting for encryption

###Why would I need this?

The default encryption that ships with SSH isn't the most secure, it comprises of the following:

The header tells us the encryption algorithm that was used: AES-128 in CBC mode. The 128-bit hex string in the DEK-Info header is the initialization vector (IV) for the cipher. This is pretty standard stuff; all common crypto libraries can handle it.

Martin Kleppmann has show below that there are two primary weaknesses in the way SSH encrypts it's keys:

  • The digest algorithm is hard-coded to be MD5, which means that without changing the format, it’s not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough.
  • The hash function is only applied once — there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force.

From this it was devised that we could get a higher level of security from using OpenSSL. As such I wanted to automate the process of creating an SSH key and then encrypting it with OpenSSL, and keycrypt was born.


###Credits

This idea was fostered from an article written by Martin Kleppmann