Managing your SSH keys securely
Solution using Ledger Nano
Ledger Nano devices (Nano S and Nano X) are open platforms leveraging the security of Secure Elements. Ledger Operating System (OS) loads applications that use cryptographic APIs. The OS also offers isolation and key derivations mechanisms.
This technology provides a high level of security even against an attacker who has physical access to your devices.
Thus, Nano devices are the perfect tools to manage your crypto assets securely. But they are also very well suited to keeping your SSH keys.
SSH keys and Security
SSH, or Secure Shell is a remote administration protocol. It allows users to set up a secure channel between your computer and potentially insecure networks. This channel benefits from two security properties:
Authentication consists in proving the identity of a computer. In the case of SSH, it is ensured using digital signatures. Using the SSH app means these signatures are made within the Nano device, meaning the private key never leaves the secure element inside.
Confidentiality is ensured sharing an ephemeral key between both parties. This key sharing is carried out using an (EC)DH.
Usually, people store their keys on their computers. A good practice is to protect them using a passphrase. In this setup, when the key is required, the user is requested to enter the passphrase to decrypt the private key.
$ ssh [email protected] Enter passphrase for key '/home/username/.ssh/id_rsa': **********
If an attacker has full control of your computer, they could access your private keys and intercept your passphrase.
Using your Nano device there is an additional layer of security. It protects your SSH key against an attacker trying to compromise your computer. The keys never leave the Nano device. Using them always requires user consent
SSH keys generation
Generating cryptographic material is a difficult task. It requires a good source of entropy and needs to be implemented in a secure enclave to ensure the integrity of the whole generation mechanism and the confidentiality of the generated keys.
Secure Elements (Smartcard chips) are well suited to these requirements. They are embedded with a high-quality True Random Number Generator (TRNG) which is the source of entropy. The TRNG has been evaluated by a 3rd party laboratory and has obtained the highest level security certifications EAL5+, AIS-31. This is why the Secure Element inside the Nano device fulfills the role of a secure enclave for integrity and confidentiality.
Below is an easy step-by-step tutorial to use your nano for securing your SSH keys.
The SSH tool is very simple, as it has two parts:
- An App running on the Nano (S/X) – source code
- An Agent running on the Linux machine – pip package
The app running on your device is in charge of both key management and the computation digital signatures for authentication.
Get you Nano S or your Nano X, make sure you have enough space to install the app.
To install the app, launch Ledger Live on your desktop. Then, in Ledger Live
- Go to Settings > Experimental Features, and activate Developer Mode
- Install the app on your Nano. In the Manager, look for the SSH app and install it.
You should now have the SSH/PGP Agent installed on your Nano device.
- Install python3 and libusb, if you don’t have it already:
$ sudo apt install python3 libusb
- Then, install ledger_agent.
$ pip3 install ledger_agent
Generate the SSH key on the device
Unlock your Nano and launch the SSH/PGP Agent app.
On a terminal, run ledger-agent:
$ ledger-agent [email protected]
You will be requested to confirm the operation on the device.
You now have a public key. For example:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCSu3oGKedvLzJpzQr0kGCr7eIyXy67zszMcQCnDUmeAzqlZt9skK0vM/HDquta8vNH77Y9gfjaEWozzfpYCSe0= <ssh://[email protected]|nist256p1>
You can copy it in the $HOME/.ssh/authorized_keys file of the remote server.
To use this key with your usual SSH Agent and Git, etc
Add the SSH Public key Identifier into a file.
$ echo "<ssh://[email protected]|nist256p1>" > "$HOME/.ssh/nanox-keys.conf.pub"
And then run the ledger-agent to link it with the shell.
$ ledger-agent "$HOME/.ssh/nanox-keys.conf.pub" -s -v
You can now connect to a remote server using ssh from your device.
$ ssh [email protected]
You can also use Git the same way. For instance, with Github:
- In the Github Settings > SSH and GPG keys, add a new SSH key
Then you can use Github with SSH, and the SSH keys are secure in your device.
$ git clone [email protected]:LedgerHQ/ledger-app-btc.git
Et voilà. Your SSH keys are now secure 🙂
For further reading: An interesting blogpost on best practices for using SSH. The article is a little old but certainly useful.