Passing SSH Keys securely


#1

Hi, I am using an SSH key inside a service to connect to a server.
Right now, I am saving the file in the Git repository. Even though the repository is currently private, I am uneasy about the file lying there. Is there some better way to do this?

Perhaps passing the key through a resin environment variable?


#3

Hi @ionita, I tend to use env variables for these kinds of things. You could implement that by adding the content of the SSH key to your application’s (or device’s) environment variables:

And then either use that directly in your script (in NodeJS that would be process.env.SSH_KEY for instance), or by creating the ssh key file from your startup script (often called start.sh or entry.sh) by doing something like:

```sh
if [ ! -f /root/.ssh/id_rsa ] ; then
	mkdir -p /root/.ssh && chmod 700 /root/.ssh
	printf '%s\n' "$SSH_KEY" > /root/.ssh/id_rsa   # quoted, so the key's line breaks survive
	chmod 600 /root/.ssh/id_rsa                     # ssh refuses a key file readable by others
fi
```

Hope that helps!
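The following is an added example for this thread and is not code from the post above or from resin.io. It fleshes out the "create the key file from the startup script" approach: it writes the private key from an environment variable with the permissions ssh insists on, refuses to run with a missing or obviously malformed key, and optionally pins the server's host key so the connection is verified rather than trusted on first use. The variable names SSH_KEY and SSH_KNOWN_HOSTS, the directory argument and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from resin.io.
# Materialises an SSH private key held in the SSH_KEY environment variable into a
# file that ssh will accept, and optionally pins the server's host key.
# Assumptions (hypothetical names): SSH_KEY holds the PEM/OpenSSH private key text
# with its line breaks intact; SSH_KNOWN_HOSTS holds one known_hosts line for the
# server, e.g. "host.example ssh-ed25519 AAAA...".

# install_ssh_key DIR
# Writes DIR/id_rsa (mode 0600) and, if SSH_KNOWN_HOSTS is set, DIR/known_hosts.
# Overwrites an existing key so the environment stays the source of truth.
# Returns 1 if SSH_KEY is missing or does not look like a private key.
install_ssh_key() {
    dir="$1"
    if [ -z "$SSH_KEY" ]; then
        echo "install_ssh_key: SSH_KEY is not set" >&2
        return 1
    fi
    case "$SSH_KEY" in
        *"PRIVATE KEY-----"*) ;;   # "-----BEGIN ... PRIVATE KEY-----" header present
        *) echo "install_ssh_key: SSH_KEY is not a PEM/OpenSSH private key" >&2; return 1 ;;
    esac
    # Subshell so the restrictive umask does not leak into the caller. Files are
    # created 0600 and the directory 0700 from the start, so the key is never
    # briefly world-readable before a later chmod.
    (
        umask 077
        mkdir -p "$dir" || exit 1
        # printf with a quoted variable: echo may reinterpret escapes, and an
        # unquoted $SSH_KEY would collapse the key onto one line.
        printf '%s\n' "$SSH_KEY" > "$dir/id_rsa" || exit 1
        if [ -n "$SSH_KNOWN_HOSTS" ]; then
            printf '%s\n' "$SSH_KNOWN_HOSTS" > "$dir/known_hosts" || exit 1
            chmod 644 "$dir/known_hosts"   # host keys are public; ssh only needs to read it
        fi
    )
}

# file_mode PATH: octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical use from an entry script: install once, then connect with the pinned
# host key so a man-in-the-middle cannot substitute its own server.
# install_ssh_key /root/.ssh && ssh -i /root/.ssh/id_rsa \
#     -o UserKnownHostsFile=/root/.ssh/known_hosts \
#     -o StrictHostKeyChecking=yes user@host.example
```

Two practical notes: set the variable from the key file with `cat id_rsa` rather than pasting it, so the line breaks are preserved, and keep in mind that anything in the container's environment is visible to every process in that container (and in `docker inspect`), so the key is protected from the repository but not from the device itself.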

#4

Hi @chrischabot, thanks for the suggestion and explanation! This would clearly work.

Over here we haven’t made up our minds what to use yet. We came up with two other options.

We were also considering writing the key on the resin OS image before flashing it on the devices’ SD cards. Afterwards this should be accessible from within the container (perhaps with dbus). If this works, I think it would be more secure but a bit of a hack.

Yet another option would be generating a different pair of ssh keys with the server on each device. Sending the public key to the server would then be prone to man-in-the-middle attacks, I guess.


#6

@ionita that would certainly work. You can even preload the application container into the image at that time to skip the initial download; we’ve documented that at: https://resin.io/blog/advanced-device-provisioning-workflow-for-large-fleets-preloading-and-pre-provisioning/

Let us know what solution you end up with or what else we can do to help!