0

On my remote Server, I have SSH configured to only allow logins via Public Key. Currently, only the Key from my desktop machine is allowed to connect.

Now, if I should somehow loose the corresponding private-key, I'd be locked out of my Server. Therefor, I thought I should back that private-key up, preferably on another machine.

Seeing that the private key is encrypted (symmetrically) with a passphrase, can I just put it on Dropbox or Google Drive? Or do I need additional encryption like PKCS #12?

I read similar questions around here and the general consensus seems to be that the private key should never leave the machine it was created on. If that's so, whats the usual procedure for a situation like mine? Do I have to allow password-only logins as a fallback mechanism?

Lukas Knuth
  • 113
  • 4
  • What about storing it on a USB stick and put that somewhere safe? – Jeroen Feb 04 '17 at 21:13
  • What if I loose it? I could also put it onto my NAS, but that's in the same room than my PC, so a fire would take out both. Seems unlikely, I know, but a redundant server system seems much saver to me (in respect to loosing something). – Lukas Knuth Feb 04 '17 at 22:12
  • What about paper? Good example with QR code. http://security.stackexchange.com/a/51776/138394 – Tomiak Feb 04 '17 at 22:18
  • @Tomiak that's actually pretty neat :) Can either of you shed some light on the second part? – Lukas Knuth Feb 04 '17 at 22:25
  • if it's encrypted, you can put it on a billboard... I understand the human instinct to control it though ;) – dandavis Feb 05 '17 at 02:36

1 Answers1

1

I would strongly advice against putting it on some cloud storage like dropbox because you have no control over the security at their side. But if you must I would suggest that you use KDF when encrypting your private key. (se -a and -o in ssh-keygen manual)

Also some suggest usb sticks, but these break. But of course you could make two. USB sticks are extremely cheap these days. If you then store these in a safe place preferably in some tamper evident seal, like envelopes or actual tamper evident bags, you can be pretty sure no one have used them but you. But of course the key should still be encrypted and use KDF.

My favourite option is actually hardcopy. Basically just print the encrypted key out. If you want you can make a QR code out of it first for better machine readability but thats up to you.

A sort of off topic solution could be to use smart cards to store the keys and have the same key on multiple physical tokens. (pretty similar to the USB stick solution but more secure. Here is a short guide on how to use a yubikey with smart card to store ssh keys:

https://framkant.org/2015/11/using-smart-card-enabled-yubikey-for-ssh-authentication-in-freebsd/

Peter
  • 429
  • 3
  • 15