Private Key Security Policies
Private key storage
Each organization has its own security policies for private key storage. For example, Bravura Safe is one recommended product for storing private keys. Leaving private keys on a UNIX system, although convenient, is not a secure practice.
The key-generation scenarios below show a simple strategy for targeting a single UNIX system, but public/private keys are well suited to sharing across an organization. Consider how best to implement a security policy for targeting multiple UNIX systems with a minimal set of public/private key pairs.
Generating different key formats and encryptions
You can also change the algorithm to obtain a shorter private key. For a secure RSA private key, a length of 2048 bits is now suggested. For example:
ssh-keygen -m PEM -t rsa -b 2048 -f user_ppk.pem
You would then use the ssh-copy-id command to copy the public key to the authorized_keys file on the target system, for example:
ssh-copy-id <userid>@<hostname>
ssh-copy-id -i <keyfile> <userid>@<hostname>
Discovering Key Formats, Size, and Encryption
In most cases, RSA is still the industry standard for public/private key pairs; however, if you are unsure which algorithm (key type) was used, run the following command:
ssh-keygen -lf <keyfile>
The output shows the key size in bits, the fingerprint, the key comment, and the key type in parentheses, for example (RSA).
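As an added example (not part of the Bravura documentation or product), the following Python check parses ssh-keygen -lf output into key type and size, compares it against a hypothetical minimum-size policy (POLICY_MIN_BITS is an assumption), and reports whether a stored private key file is passphrase-protected in either the PEM (-m PEM) or the openssh-key-v1 format; the sample lines and the openssh-key-v1 header it builds are constructed for the demonstration.

```python
import base64
import re
import struct
# One line of `ssh-keygen -lf <keyfile>` output: "<bits> <fingerprint> <comment> (<TYPE>)"
FP_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s*\((\w+)\)\s*$")
# Minimum acceptable size per key type under this (hypothetical) policy
POLICY_MIN_BITS = {"RSA": 2048, "ECDSA": 256, "ED25519": 256}

def parse_fingerprint_line(line):
    """Split one `ssh-keygen -l` line into bits, fingerprint, comment and key type."""
    m = FP_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ssh-keygen -l line: %r" % line)
    return {"bits": int(m.group(1)), "fingerprint": m.group(2),
            "comment": m.group(3), "type": m.group(4).upper()}

def check_key_policy(info):
    """Return policy findings for a parsed key; an empty list means it is acceptable."""
    minimum = POLICY_MIN_BITS.get(info["type"])
    if minimum is None:
        return ["key type %s is not permitted" % info["type"]]
    if info["bits"] < minimum:
        return ["%s key is %d bits; policy requires at least %d"
                % (info["type"], info["bits"], minimum)]
    return []

def private_key_is_encrypted(key_text):
    """True if the private key file is passphrase-protected (PEM or openssh-key-v1)."""
    if "Proc-Type: 4,ENCRYPTED" in key_text:      # PEM (-m PEM) key with a passphrase
        return True
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:
        body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])  # string ciphername
        cipher = blob[len(magic) + 4:len(magic) + 4 + n].decode()
        return cipher != "none"                     # "none" means no passphrase
    return False                                    # plain PEM without Proc-Type

def constructed_openssh_key(cipher):
    """Header of a constructed openssh-key-v1 file for testing; not a real key."""
    blob = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher.encode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
            % base64.b64encode(blob).decode())

if __name__ == "__main__":  # constructed sample lines, not output from a real system
    for line in ["2048 SHA256:AbCdEf0123456789 user@host (RSA)", "1024 SHA256:Zz98 old@host (DSA)"]:
        print(line, "->", check_key_policy(parse_fingerprint_line(line)) or "ok")
```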