GitHub + Krypton — your SSH private key never leaves your phone

Secure your repositories with Krypton Core for iOS and Android: generate a key pair that never leaves your phone, pair Krypton with your computer, and git push as you normally would.

Alex Grinman
krypt.co/blog
4 min read · Apr 19, 2017


Give it a try, get.krypt.co.

Your GitHub account is extremely valuable: it’s not only where you keep your and your company’s private source code, but it’s also where you protect your and your company’s public source code from unauthorized changes.

Any adversary that wants to compromise you or your customers only needs to compromise the right GitHub account.

GitHub and most developers understand the risk of repo compromise well. That’s why GitHub offers 2FA (two factor authentication) protection when logging into github.com. If you haven’t set that up, you can learn how to do so here. GitHub even supports U2F (universal 2nd factor) for web login.

However, when you push, pull, or clone code you use public key authentication, because GitHub supports git over SSH, which is so much simpler and seems more secure. Since there is no U2F or 2FA support for pushing code over SSH, securing your code repositories means securely storing your SSH private key.

Don’t store your SSH private key in ~/.ssh/id_rsa

But what about your SSH private key, the counterpart to that public key in ~/.ssh/id_rsa.pub you uploaded to GitHub a while ago?

When you interact with GitHub using SSH and public key authentication, you bypass web login and 2FA.

Once upon a time, you typed ssh-keygen and left your private key somewhere on your computer, probably in ~/.ssh/id_rsa. That means that you can just run cat ~/.ssh/id_rsa and right before your eyes you’ll see your private key.

YES, it’s that easy to read the private key that you use to push and pull code for both your personal projects and your company’s code base.

And here’s the kicker: if you can read it in plain-text without root access, then every application you run on your machine (like Chrome, Spotify, and Slack) can read, use, and send off your SSH private key without you ever knowing. Even if your key is encrypted with a passphrase, every application can still use your private key.

Why should any application you run on your computer have access to your GitHub account?

If you aren’t convinced, read the in-depth version of why you shouldn’t store your private key in ~/.ssh/id_rsa.
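To see for yourself what this section is warning about, here is an added audit script (not from the post or from krypt.co) that lists the private keys sitting in a ~/.ssh directory and tells plaintext keys from passphrase-protected ones by parsing the openssh-key-v1 header (its first length-prefixed field is the cipher name, "none" when there is no passphrase) and the Proc-Type line of legacy PEM keys. The sample directory and the header-only key blobs it builds are constructed for demonstration and contain no key material.

```python
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # header of every modern OpenSSH private key file

def openssh_cipher(key_text: str) -> str:
    """Read the cipher name from an openssh-key-v1 blob; 'none' means no passphrase."""
    body = "".join(l.strip() for l in key_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)  # next field: uint32 length, then the cipher name
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()

def classify_key(key_text: str) -> str:
    """'plaintext', 'encrypted' or 'not-a-key' for the contents of one file."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:
        return "plaintext" if openssh_cipher(key_text) == "none" else "encrypted"
    if "PRIVATE KEY-----" in key_text:  # legacy PEM written by older ssh-keygen
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in key_text else "plaintext"
    return "not-a-key"

def audit_ssh_dir(ssh_dir="~/.ssh") -> list:
    """List private keys on disk; each one is readable by every process running as you."""
    findings = []
    for p in sorted(f for f in Path(ssh_dir).expanduser().iterdir() if f.is_file()):
        kind = classify_key(p.read_text(errors="replace"))
        if kind != "not-a-key":
            loose = bool(p.stat().st_mode & 0o077)  # group/other permission bits set
            findings.append({"path": p.name, "state": kind, "loose_mode": loose})
    return findings

def make_sample_openssh_key(cipher: str) -> str:
    """Constructed header-only blob for the demo; it carries no key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def make_sample_ssh_dir() -> str:
    """Constructed ~/.ssh look-alike: plaintext key, passphrase-protected key, public key."""
    d = Path(tempfile.mkdtemp())
    (d / "id_rsa").write_text(make_sample_openssh_key("none"))
    (d / "id_rsa").chmod(0o600)
    (d / "id_ed25519").write_text(make_sample_openssh_key("aes256-ctr"))
    (d / "id_ed25519").chmod(0o644)
    (d / "id_rsa.pub").write_text("ssh-rsa AAAA... user@host\n")
    return str(d)
```

Calling audit_ssh_dir() with no argument scans your real ~/.ssh; every entry it returns, encrypted or not, is a file any program running under your account can read.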

Introducing Krypton — Add 2FA for SSH to your GitHub account today

Krypton provides the best of both worlds: the security of your private key never leaving your phone with the convenience of using git and GitHub as you normally do, i.e. git clone or git push from your computer.

Get started in a few simple steps.

1. Download the Krypton phone app and generate your key pair

First, download the Krypton app by going to https://get.krypt.co on your iOS or Android device. Tap “Generate Key Pair” to create your Krypton public/private key pair. The private key never leaves your phone.

2. Install kr & Pair Krypton with your local machine

Install the kr command line utility:

Pair your computer with Krypton:

If the QR code is cut off, make your terminal window bigger, or make the font size smaller (macOS: ⌘).

Scan the QR code in the terminal using the Krypton app. Tap “Allow Camera Access” and scan the code to pair with your computer.

If everything works correctly, your computer will say “Paired successfully” and print out your Krypton public key.

3. Use Krypton to SSH

To check that everything works, SSH into the public me.krypt.co server:

You’ll get an SSH login request like this:

SSH Login Request

4. Upload your Krypton public key to GitHub

kr integrates with GitHub to make it easy to upload your public key to your GitHub account. Run the following command:

Your public key is now copied to your clipboard. Press enter to navigate to your GitHub profile, and add the public key:

Upload your public key to GitHub

You’re all set! Try it out:

Now that Krypton is set up and working, you can delete your other GitHub public keys.

Storing your SSH key with Krypton will always be completely free! Be on the lookout for more products from krypt.co to help teams better manage access to resources protected by SSH.

Where to go from here


Co-founder @ krypt.co. Math & CS at MIT. Security & Crypto. iOS Developer.