#keycrypt
keycrypt is a wrapper for generating SSH Keys and then encrypting them with OpenSSL. keycrypt offers other features like copying the pubkey from your local machine to a remote host. This can even be done as part of the create step!
####Current Features
- SSH Key Creation
- SSH Key Encryption with OpenSSL
- Copying PubKey to Remote Server (similar to ssh-copy-id)
####Future Features
- Improved PubKey Copying
- Scanning for unencrypted keys and prompting for encryption
###Why would I need this?
The default encryption that ships with SSH isn't the most secure, it comprises of the following:
The header tells us the encryption algorithm that was used: AES-128 in CBC mode. The 128-bit hex string in the DEK-Info header is the initialization vector (IV) for the cipher. This is pretty standard stuff; all common crypto libraries can handle it.
Martin Kleppmann has show below that there are two primary weaknesses in the way SSH encrypts it's keys:
- The digest algorithm is hard-coded to be MD5, which means that without changing the format, it’s not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough.
- The hash function is only applied once — there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force.
From this it was devised that we could get a higher level of security from using OpenSSL. As such I wanted to automate the process of creating an SSH key and then encrypting it with OpenSSL, and keycrypt was born.
###Credits
This idea was fostered from an article written by Martin Kleppmann