Managing your SSH keys securely

Solution using Ledger Nano

Ledger Nano devices (Nano S and Nano X) are open platforms leveraging the security of Secure Elements. Ledger Operating System (OS) loads applications that use cryptographic APIs. The OS also offers isolation and key derivations mechanisms.

This technology provides a high level of security even against an attacker who has physical access to your devices.

Thus, Nano devices are the perfect tools to manage your crypto assets securely. But they are also very well suited to keeping your SSH keys.

SSH keys and Security

SSH, or Secure Shell is a remote administration protocol. It allows users to set up a secure channel between your computer and potentially insecure networks. This channel benefits from two security properties:

• Authentication
• Confidentiality

Authentication consists in proving the identity of a computer. In the case of SSH, it is ensured using digital signatures. Using the SSH app means these signatures are made within the Nano device, meaning the private key never leaves the secure element inside.

Confidentiality is ensured sharing an ephemeral key between both parties. This key sharing is carried out using an (EC)DH.

Usually, people store their keys on their computers. A good practice is to protect them using a passphrase. In this setup, when the key is required, the user is requested to enter the passphrase to decrypt the private key.

$ ssh username@hostname
Enter passphrase for key '/home/username/.ssh/id_rsa': ********** 

If an attacker has full control of your computer, they could access your private keys and intercept your passphrase.

Using your Nano device there is an additional layer of security. It protects your SSH key against an attacker trying to compromise your computer. The keys never leave the Nano device. Using them always requires user consent

SSH keys generation

Generating cryptographic material is a difficult task. It requires a good source of entropy and needs to be implemented in a secure enclave to ensure the integrity of the whole generation mechanism and the confidentiality of the generated keys.

Secure Elements (Smartcard chips) are well suited to these requirements. They are embedded with a high-quality True Random Number Generator (TRNG) which is the source of entropy. The TRNG has been evaluated by a 3rd party laboratory and has obtained the highest level security certifications EAL5+, AIS-31. This is why the Secure Element inside the Nano device fulfills the role of a secure enclave for integrity and confidentiality.

Step-by-step setup

Below is an easy step-by-step tutorial to use your nano for securing your SSH keys.

The Apps

The SSH tool is very simple, as it has two parts:

• An App running on the Nano (S/X) – source code
• An Agent running on the Linux machine – pip package

The app running on your device is in charge of both key management and the computation digital signatures for authentication.

Installation

Get you Nano S or your Nano X, make sure you have enough space to install the app.

To install the app, launch Ledger Live on your desktop. Then, in Ledger Live

• Go to Settings > Experimental Features, and activate Developer Mode

• Install the app on your Nano. In the Manager, look for the SSH app and install it.

You should now have the SSH/PGP Agent installed on your Nano device.

• Install python3 and libusb, if you don’t have it already:

$ sudo apt install python3 libusb

• Then, install ledger_agent.

$ pip3 install ledger_agent

Generate the SSH key on the device

Unlock your Nano and launch the SSH/PGP Agent app.

On a terminal, run ledger-agent:

$ ledger-agent username@hostname

You will be requested to confirm the operation on the device.

You now have a public key. For example:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCSu3oGKedvLzJpzQr0kGCr7eIyXy67zszMcQCnDUmeAzqlZt9skK0vM/HDquta8vNH77Y9gfjaEWozzfpYCSe0= <ssh://username@hostname|nist256p1>

You can copy it in the $HOME/.ssh/authorized_keys file of the remote server.

To use this key with your usual SSH Agent and Git, etc

Add the SSH Public key Identifier into a file.

$ echo "<ssh://username@hostname|nist256p1>" > "$HOME/.ssh/nanox-keys.conf.pub"

And then run the ledger-agent to link it with the shell.

$ ledger-agent "$HOME/.ssh/nanox-keys.conf.pub" -s -v

You can now connect to a remote server using ssh from your device.

$ ssh username@hostname

You can also use Git the same way. For instance, with Github:

• In the Github Settings > SSH and GPG keys, add a new SSH key

Then you can use Github with SSH, and the SSH keys are secure in your device.

$ git clone [email protected]:LedgerHQ/ledger-app-btc.git

Conclusion

Et voilà. Your SSH keys are now secure 🙂
For further reading: An interesting blogpost on best practices for using SSH. The article is a little old but certainly useful.