Introducing Kryptonite — the end of id_rsa

the new home for your SSH private key on your phone

Kevin King
krypt.co/blog
3 min read, Apr 12, 2017


Today we’re introducing Kryptonite — the end of storing your SSH private key in ~/.ssh/id_rsa. Kryptonite provides the best of both worlds: the security of having your private key never leave your phone with the convenience of using git and ssh as you normally do on your computer: git push or ssh root@server.

Kryptonite — the new home for your SSH private key on your phone

Why shouldn’t you store your key in ~/.ssh/id_rsa?

Because reading the private key you use to push code, log in to production databases, and transfer files between EC2 instances is that easy. If you can read it in plaintext without root access, then every application you run on your machine can read, use, and send off your SSH private key without you ever knowing. Even if your key is encrypted with a passphrase, every application can still use your private key once you have unlocked it.

Chrome, Spotify, and Slack don’t need SSH — why should they have access to your private key?

The only way to isolate an SSH private key from other applications is to store it externally. Until recently, the easiest way to move a key out of ~/.ssh was to buy a USB Hardware Security Module (a dongle that is able to generate public/private keys), plug it into your laptop, and push the blinking light every time you SSH. But purchasing and carrying around another piece of hardware just to store an SSH key is unnecessary when everyone already carries a smartphone everywhere they go.

Introducing Kryptonite

We’re excited to introduce Kryptonite — the end of id_rsa.

The Kryptonite app generates an SSH key and pairs with one or more computers. Paired computers may request operations using the key such that the private key never leaves the phone.

Every time SSH requests a private key operation, Kryptonite pushes a local notification for your approval showing the user and host being logged in to:

Kryptonite Login Request Notification

If allowed, Kryptonite signs the login request using the private key and sends this signature back to your computer — the private key never leaves the phone. With the signature, your computer completes the SSH authentication protocol with the server.

Kryptonite also stores a complete audit log for each paired computer containing every SSH login the private key was used for. Login requests may be allowed once, for 1 hour, or always. Even when a request is automatically approved, a local notification is pushed to alert you and the request is stored in the log for later auditing.
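The split described above, as an added example that is not Kryptonite's own code: the phone side holds the only copy of the private key, applies the once / 1 hour / always approval policy per host, logs every use (including auto-approved ones), and returns only a signature; the computer side holds only the public key it received at pairing. It assumes Ed25519 and signs a stand-in challenge rather than the real SSH session data, and the request field names are this example's own, not Kryptonite's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// LoginRequest is what a paired computer sends (field names are this example's own, not
// Kryptonite's): who logs in where, plus the bytes the SSH client needs signed (a stand-in).
type LoginRequest struct {
	User, Host string
	Challenge  []byte
}

// Phone models the Kryptonite side: the only copy of the private key lives here.
type Phone struct {
	priv    ed25519.PrivateKey
	expires map[string]time.Time // host -> end of standing approval
	Log     []string             // one entry per login the key was used for
}

// NewPhone generates the key on the phone and hands back only the public half.
func NewPhone() (*Phone, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Phone{priv: priv, expires: map[string]time.Time{}}, pub
}

// Sign answers one request. ask stands in for the notification tap: it returns whether the
// login is allowed and for how long (0 = once, time.Hour = 1 hour, a huge duration = always).
func (p *Phone) Sign(req LoginRequest, ask func(LoginRequest) (bool, time.Duration)) ([]byte, error) {
	now := time.Now()
	auto := now.Before(p.expires[req.Host]) // standing approval still valid?
	if !auto {
		ok, keep := ask(req)
		if !ok {
			return nil, errors.New("login request denied on phone")
		}
		if keep > 0 {
			p.expires[req.Host] = now.Add(keep)
		}
	}
	// Auto-approved requests are logged too; only the signature leaves the phone.
	p.Log = append(p.Log, fmt.Sprintf("%s %s@%s auto=%v", now.Format(time.RFC3339), req.User, req.Host, auto))
	return ed25519.Sign(p.priv, req.Challenge), nil
}

// VerifyOnComputer is the paired computer's side: it holds only the public key from pairing.
func VerifyOnComputer(pub ed25519.PublicKey, req LoginRequest, sig []byte) bool {
	return ed25519.Verify(pub, req.Challenge, sig)
}
```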

Kryptonite Approval Policy and Audit Log

Storing your SSH key with Kryptonite will always be completely free! Be on the lookout for more products from krypt.co to help teams better manage access to resources protected by SSH.

Where to go from here

