Store SSH keys securely


I want to show how to store SSH keys on a local machine so that a stray application cannot simply read the private key file from disk.

The article is for those who, after the 2018 scare, never found an elegant solution and still keep their keys as plain files in $HOME/.ssh.

To solve this problem, I suggest KeePassXC. It is one of the best password managers, it uses strong encryption for the database, and it has built-in SSH agent integration: it does not replace ssh-agent, but it can push keys into a running agent and pull them out again.

This makes it possible to keep the private keys inside the encrypted database and have them loaded into the agent automatically when the database is unlocked. As soon as the database is locked, the keys are removed from the agent and can no longer be used. One caveat to keep in mind: while a key is loaded, any process running under your user can talk to the agent socket and ask it to sign with that key (it cannot extract the key itself), so lock the database when you are not using it.

First of all, let's make the SSH agent start automatically at login. Open ~/.bashrc in your favorite editor and add the following to the very end. Note that ~/.bashrc is only read by interactive shells: if you launch KeePassXC from the desktop menu it will not see SSH_AUTH_SOCK unless the same snippet is also sourced from ~/.profile (or the agent is started by the session itself, for example with a fixed socket path via ssh-agent -a).

# File in which the agent's environment is cached between shells
SSH_ENV="$HOME/.ssh/environment"

start_agent() {
    echo "Initialising new SSH agent..."
    # Write the agent's variables to the file, commenting out the "echo Agent pid"
    # line so that sourcing the file stays silent. The socket path is sensitive,
    # so create the file with mode 0600 from the start instead of chmod-ing afterwards.
    (umask 077; /usr/bin/ssh-agent -s | sed 's/^echo/#echo/' > "${SSH_ENV}")
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    echo succeeded
}

# Source SSH settings, if applicable, and reuse the agent if it is still running
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # "ps ${SSH_AGENT_PID}" doesn't work under cygwin, so filter ps -ef instead.
    # Match the PID column exactly and require "ssh-agent" in the command,
    # so that a recycled PID or a PID that merely appears as a substring
    # of another line is not mistaken for our agent.
    ps -ef | awk -v pid="${SSH_AGENT_PID}" '$2 == pid && /ssh-agent/ {found=1} END {exit !found}' || {
        start_agent
    }
else
    start_agent
fi

After that, we need to enable the integration in KeePassXC:

Tools -> Settings -> SSH Agent -> Enable SSH Agent integration


This completes the setup. Now let's add an SSH key to KeePassXC:

Click the icon with the key (new entry), then fill in the entry fields:


If the key is protected by a passphrase, enter that passphrase in the entry's Password field: KeePassXC uses it to decrypt the key before handing it to the agent.

On the Advanced tab, add an attachment containing our id_rsa:


On the entry's SSH Agent tab, tick:

  • Add key to agent when opening/unlocking database
  • Remove key from agent when closing/locking database

The same tab also lets you require confirmation each time the key is used and limit how long it stays in the agent; both shrink the window in which another process running as your user could ask the agent to sign with the key.

Next, select the attachment (id_rsa) as the private key source and press the Add to agent button:


Now, whenever you unlock the database, the key is added to the SSH agent, so the private key file no longer has to live on disk. Before deleting ~/.ssh/id_rsa, check with ssh-add -l that its fingerprint is served by the agent and make sure the database is backed up, because the database will then be the only copy of the key. Keep id_rsa.pub, it is public anyway.
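The check described in the previous paragraph, as an added example that is not part of the original article or of KeePassXC itself. It assumes OpenSSH's ssh-add and ssh-keygen are installed, that the database is unlocked so KeePassXC has already pushed the key into the agent, and that the public half is still at ~/.ssh/id_rsa.pub (the KEY_PUB and KEY_PRIV paths are assumptions you can override). The agent environment sample and the key listing embedded below are constructed for illustration.

```shell
#!/bin/sh
# Post-setup check for the KeePassXC + ssh-agent flow: confirm the key in the
# agent is the one whose public half we keep, then drop the on-disk private key.
# Added example, not from the original article.

KEY_PUB="${KEY_PUB:-$HOME/.ssh/id_rsa.pub}"   # public half stays on disk (assumed path)
KEY_PRIV="${KEY_PRIV:-$HOME/.ssh/id_rsa}"     # private half should disappear (assumed path)

# Constructed sample of what "ssh-agent -s" prints, i.e. the content of
# ~/.ssh/environment before the "echo" line is commented out.
SAMPLE_AGENT_ENV='SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.1234; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1235; export SSH_AGENT_PID;
echo Agent pid 1235;'

# Constructed sample of "ssh-add -l" output: bits, fingerprint, comment, type.
SAMPLE_LISTING='3072 SHA256:abcDEF123 alice@laptop (RSA)
256 SHA256:xyz789 alice@laptop (ED25519)'

# Print the value of one variable ($1) from agent environment text read on stdin.
# Pure text processing, so it can be exercised without a running agent.
agent_env_value() {
    sed -n "s/^$1=\([^;]*\);.*/\1/p" | head -n 1
}

# Return 0 if fingerprint $1 (e.g. "SHA256:...") appears in the listing text $2.
# The listing is a parameter rather than a live ssh-add call so the logic is testable.
fingerprint_loaded() {
    printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp {found=1} END {exit !found}'
}

# Return 0 if an agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0 with keys,
# 1 with no keys, and 2 when it cannot contact the agent at all.
agent_reachable() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Fingerprint of a public key file, in the same format ssh-add -l prints.
pubkey_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

check_and_cleanup() {
    agent_reachable || {
        echo "no agent reachable via SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}" >&2
        return 2
    }
    fp=$(pubkey_fingerprint "$KEY_PUB") || return 2
    listed=$(ssh-add -l 2>/dev/null || true)
    if ! fingerprint_loaded "$fp" "$listed"; then
        echo "key $fp is not in the agent: is the database unlocked and 'Add key to agent' ticked?" >&2
        return 1
    fi
    echo "key $fp is served by the agent"
    if [ -f "$KEY_PRIV" ]; then
        # Only now is it safe to remove the on-disk copy. shred is best effort
        # (journaling or copy-on-write filesystems may keep old blocks); rm is the fallback.
        shred -u "$KEY_PRIV" 2>/dev/null || rm -f "$KEY_PRIV"
        echo "removed $KEY_PRIV from disk"
    fi
    return 0
}

# Run the live check only when invoked as:  sh check_agent.sh --check
[ "${1:-}" = "--check" ] && check_and_cleanup
```

Run it from a terminal where SSH_AUTH_SOCK is set. Exit status 2 means the agent itself is not reachable (usually the ~/.bashrc snippet was not sourced in this session), 1 means the agent is fine but KeePassXC did not load the key, and 0 means the key is served by the agent and the private file has been removed.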

Source: habr.com
