GitHub + Krypton — your SSH private key never leaves your phone
Secure your repositories with Krypton Core for iOS and Android: generate a key pair that never leaves your phone, pair Krypton with your computer, and git push as you normally would.
Give it a try, get.krypt.co.
Your GitHub account is extremely valuable: it’s not only where you and your company keep private source code, it’s also where you protect your public source code from unauthorized changes.
Any adversary that wants to compromise you or your customers only needs to compromise the right GitHub account.
GitHub and most developers understand the risk of repo compromise well. That’s why GitHub offers 2FA (two factor authentication) protection when logging into github.com. If you haven’t set that up, you can learn how to do so here. GitHub even supports U2F (universal 2nd factor) for web login.
However, when you push, pull, or clone code over SSH you don’t use your web login at all: GitHub supports git over SSH, which is simpler than HTTPS with a password and seems more secure, and it authenticates you with public key authentication. Since there is no U2F or 2FA for pushing code over SSH, securing your code repositories comes down to securely storing your SSH private key.
Don’t store your SSH private key in ~/.ssh/id_rsa
But what about your SSH private key, the counterpart to that public key in ~/.ssh/id_rsa.pub you uploaded to GitHub a while ago?
When you interact with GitHub using SSH and public key authentication, you bypass web login and 2FA.
Once upon a time, you typed ssh-keygen and left your private key somewhere on your computer, probably in ~/.ssh/id_rsa. That means that you can just run cat ~/.ssh/id_rsa and right before your eyes you’ll see your private key.
YES, it’s that easy to read the private key that you use to push and pull code for both your personal projects and your company’s code base.
And here’s the kicker: if you can read it in plaintext without root access, then every application you run on your machine (like Chrome, Spotify, and Slack) runs as the same user and can read, use, and send off your SSH private key without you ever knowing. Even if your key is encrypted with a passphrase, the moment you unlock it into ssh-agent any application running as you can open the agent socket ($SSH_AUTH_SOCK) and have the agent sign with it, so every application can still use your private key.
Why should any application you run on your computer have access to your GitHub account?
If you aren’t convinced, read the in-depth version of why you shouldn’t store your private key in ~/.ssh/id_rsa.
Introducing Krypton — Add 2FA for SSH to your GitHub account today
Krypton provides the best of both worlds: the security of your private key never leaving your phone with the convenience of using git and GitHub as you normally do, i.e. git clone or git push from your computer.
Get started in a few simple steps.
1. Download the Krypton phone app and generate your key pair
First, download the Krypton app by going to https://get.krypt.co on your iOS or Android device. Tap “Generate Key Pair” to create your Krypton public/private key pair. The private key never leaves your phone.
2. Install kr & pair Krypton with your local machine
Install the kr command line utility:
$ curl https://krypt.co/kr | sh
Pair your computer with Krypton:
$ kr pair
Scan the QR code in the terminal using the Krypton app. Tap “Allow Camera Access” and scan the code to pair with your computer.
If everything works correctly, your computer will say “Paired successfully” and print out your Krypton public key.
3. Use Krypton to SSH
To check that everything works, SSH into the public me.krypt.co server:
$ ssh me.krypt.co
You’ll get an SSH login request on your phone like this:
4. Upload your Krypton public key to GitHub
kr integrates with GitHub to make it easy to upload your public key to your GitHub account. Run the following command:
$ kr github
Public key copied to clipboard.
Press ENTER to open your web browser to GitHub. Then click “Add SSH Key” and paste your public key.
Your public key is now on your clipboard. Press enter to navigate to your GitHub profile, and add the public key:
You’re all set! Try it out:
$ git clone git@github.com:kryptco/hello_krypton
Now that Krypton is set up and working, you can delete your other GitHub public keys, so the key sitting in ~/.ssh/id_rsa no longer grants access to your account.
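As an added example that is not part of the Krypton post or of kr, the following POSIX shell script checks the two things that matter at this point: that GitHub accepts your SSH key (using the standard `ssh -T git@github.com` test, plus OpenSSH’s `-v` output to show which key was offered and accepted), and that no private key files are left behind in ~/.ssh, where any application you run could read them. The header-based scan, the `run` argument and the directory it scans are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Krypton post or the kr tool.
# 1. Confirm GitHub accepts your SSH key and show which key was used.
# 2. Find private key files still sitting in ~/.ssh, readable by every app.
set -u

# Print, one per line, the files under $1 whose first line is a PEM/OpenSSH
# private-key header (RSA, EC, PKCS#8 or OpenSSH format). *.pub files are
# public keys and are skipped. Detection by header is an assumption here.
find_private_keys() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if head -n 1 "$f" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# GitHub deliberately gives no shell, so ssh exits non-zero even on success;
# judge by the banner text instead of the exit status.
check_github_ssh() {
    out=$(ssh -T git@github.com 2>&1)
    case "$out" in
        *"successfully authenticated"*)
            printf 'OK: %s\n' "$out"; return 0 ;;
        *)
            printf 'GitHub SSH authentication failed:\n%s\n' "$out"; return 1 ;;
    esac
}

# Show the keys OpenSSH offered and the one GitHub accepted during the
# handshake, so you can see the Krypton key (and not id_rsa) being used.
show_key_used() {
    ssh -v -T git@github.com 2>&1 | grep -E 'Offering public key|Server accepts key' || true
}

main() {
    check_github_ssh || exit 1
    echo "Keys offered/accepted during the handshake:"
    show_key_used
    leftover=$(find_private_keys "$HOME/.ssh")
    if [ -n "$leftover" ]; then
        echo "Private key files still on disk (readable by every app you run):"
        printf '%s\n' "$leftover"
    else
        echo "No private key files left in $HOME/.ssh"
    fi
}

# Only talk to GitHub when explicitly asked: sh check_github_ssh.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

Once the Krypton key is the only one GitHub accepts and the scan reports nothing left in ~/.ssh, a stolen laptop image or a misbehaving desktop app no longer gives anyone your GitHub access.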
Storing your SSH key with Krypton will always be completely free! Be on the lookout for more products from krypt.co to help teams better manage access to resources protected by SSH.
Where to go from here
- Head to get.krypt.co to download the (iOS or Android) app!
- Curious how Krypton works? Check out our system architecture blog post.
- Learn about Krypton’s security and threat model in Why Store an SSH Key With Krypton?.
- To learn more about KryptCo, visit us at krypt.co. Also feel free to reach out to us at hello@krypt.co!
- Looking for the source code? All of the code for Krypton for iOS and Android is published on GitHub.