Mobile SSH Keys: Secure Copying

TL;DR

Copying private keys to mobile devices is risky. Use strong encryption, avoid direct file transfer, and consider using key agents or hardware security modules for better protection. Regularly review and revoke keys.

Securely Copying SSH Keys to Mobile Devices: A Step-by-Step Guide

1. Understand the Risks

• Mobile devices are more easily lost or stolen than traditional computers.
• They often have less robust security measures in place.
• Compromised keys can grant attackers access to your servers and accounts.

Choose a Secure Transfer Method

• Avoid direct file transfer (e.g., USB, email). These methods are inherently insecure.
• Use SSH with key-based authentication to securely copy the key. This requires an existing server you trust.

ssh user@server 'cat /path/to/private_key' > private_key

Utilize a secure file transfer protocol like SCP or SFTP. Ensure your connection is encrypted.

Encrypt the Private Key

• Before transferring, encrypt the key using a strong passphrase. This adds an extra layer of protection even if the device is compromised.

openssl aes-256-cbc -in private_key -out encrypted_private_key -k "your_strong_passphrase"

Remember this passphrase! You’ll need it to decrypt and use the key.

Secure Storage on the Mobile Device

• Use a dedicated SSH client app with built-in key storage. Many apps offer secure storage options, often using device encryption. Examples include Termius or JuiceSSH.
• If storing in a general file system:
• Store the encrypted key in a hidden directory.
• Set strict permissions on the key file (read/write only for your user). On Android, this might involve using a file manager with advanced permission controls. On iOS, access to files is more controlled by the app itself.

Key Agent Considerations

• Some SSH clients support key agents. A key agent stores your decrypted private key in memory for a limited time, allowing you to authenticate without repeatedly entering your passphrase.
• Be aware that the key is only protected while the agent is running and the device is locked.

Hardware Security Modules (HSMs)

• For maximum security, consider using a hardware security module (e.g., YubiKey). These devices store your private key securely and require physical presence to authorize transactions.
• Some mobile SSH clients support integration with HSMs.

Regular Key Rotation

• Periodically rotate your SSH keys (create new ones and revoke the old ones). This limits the impact of a compromised key.
• Automate this process where possible.

Revoke Compromised Keys

• If you suspect a key has been compromised, immediately revoke it from all authorized servers.
• Remove the public key entry from the ~/.ssh/authorized_keys file on each server.

Device Security Best Practices

• Enable strong device lock (PIN, password, biometric).
• Keep your mobile operating system and apps up to date with the latest security patches.
• Install a reputable mobile security app.
• Be cautious about installing apps from untrusted sources.