No ssh keys


encrypt

For sending/sharing a “secret” without knowing the receiver's keys you can use the option -u new, for example:

echo "secret" | ssh-vault -u new create

Or:

ssh-vault -u new create

The -u new option will create a new pair of ssh keys (public/private) using the service https://ssh-keys.online/new.

You can create and use your own private server that generates ssh keys; just pass its URL to the -u option, for example:

echo "secret" | ssh-vault -u https://your-service/user-keys create

https://your-service/user-keys should return the ssh-rsa public key to use.

decrypt

To decrypt using a remote key, this can be used:

ssh-vault -k https://your-service/private-key view vault.ssh

In this case the option -k accepts a URL from which it will try to fetch a private key. If you are creating such a service, make it reply with a key in this format:

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDnPMfrANNnnZcMrclmlrKqhdNE47V5IDrAg6IU9OXrG4EP60pg
...
s3LoekK6//PwnE48oZ6Wbm3sG+pPU37UMishS8owaw==
-----END RSA PRIVATE KEY-----

If, when encrypting, you use the option -u new, for example:

$ echo "secret" | ssh-vault -u new create
SSH-VAULT;AES256;21:88:f0:73:a0:5d:43:4d:e4:16:1a:e6:80:21:e7:80
JLJ3shvUvNHNbxquh7cKJcqHaq/pXhbv2wD7s35Lc46vex2YygYoBnGcgGFcgEM4
caCy4CPnTGaN/qxfzPW8mzpYuj2ALYLu8JOnENVjemsBJbzzxAWGPJXXBZmWyNli
XCnPXuSA/B7JbY2/DrcWE6W5PE1kmVxfsO3nP/JtMIM=;G6s1hUCA8yqFKE3aug0
bHxoi2OFx8ThBYvXU/39KYViv42Y=

To decrypt, you need to use the fingerprint with the option -k, for example:

ssh-vault -k https://ssh-keys.online/21:88:f0:73:a0:5d:43:4d:e4:16:1a:e6:80:21:e7:80 view /path/to/vault.ssh

Notice the first line of the vault:

SSH-VAULT;AES256;21:88:f0:73:a0:5d:43:4d:e4:16:1a:e6:80:21:e7:80

From there you can extract the fingerprint and use it to retrieve the public key.

The https://ssh-keys.online service will provide the private key for the specified fingerprint, and ssh-vault will use it to decrypt the vault.

A custom private server could be created in the same way.
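As an added example (not part of ssh-vault or its documentation), a POSIX shell helper that reads the vault header described above, validates the fingerprint, builds the -k URL for a self-hosted key service (the service URL is an assumption), and checks the MD5 fingerprint of a fetched key against the header before the key is used.

```shell
# Added helper, not part of ssh-vault: parses the "SSH-VAULT;AES256;<fingerprint>"
# header, validates the fingerprint and builds the -k URL for a key service that
# serves private keys by fingerprint. The service URL is an assumption.

vault_fingerprint() {
  # $1: path to a vault file. Prints the fingerprint; fails on a bad header.
  header=$(head -n 1 "$1") || return 1
  case "$header" in
    "SSH-VAULT;AES256;"*) ;;
    *) echo "not an ssh-vault file: $header" >&2; return 1 ;;
  esac
  fp=${header#"SSH-VAULT;AES256;"}
  # An MD5 fingerprint: exactly 16 colon-separated lowercase hex bytes.
  if ! printf '%s\n' "$fp" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'; then
    echo "malformed fingerprint in header: $fp" >&2; return 1
  fi
  printf '%s\n' "$fp"
}

key_url() {
  # $1: base URL of the key service, $2: vault path.
  fp=$(vault_fingerprint "$2") || return 1
  printf '%s/%s\n' "${1%/}" "$fp"
}

fingerprint_matches() {
  # $1: vault path, $2: one line of `ssh-keygen -l -E md5 -f <key>` output,
  # e.g. "2048 MD5:21:88:...:80 comment (RSA)". Confirms the fetched key
  # belongs to this vault before it is passed to -k.
  fp=$(vault_fingerprint "$1") || return 1
  case "$2" in
    *" MD5:$fp "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample vault reusing the header shown on the page.
SAMPLE_VAULT=${TMPDIR:-/tmp}/ssh-vault-example.$$
cat > "$SAMPLE_VAULT" <<'EOF'
SSH-VAULT;AES256;21:88:f0:73:a0:5d:43:4d:e4:16:1a:e6:80:21:e7:80
JLJ3shvUvNHNbxquh7cKJcqHaq/pXhbv2wD7s35Lc46vex2YygYoBnGcgGFcgEM4
EOF

# Usage: url=$(key_url https://your-service "$SAMPLE_VAULT") && ssh-vault -k "$url" view "$SAMPLE_VAULT"
key_url https://your-service "$SAMPLE_VAULT"
```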

security concerns

It is important to understand that using any 3rd-party service to generate the public/private keys breaks the concept of privacy and security; if possible, such services should be avoided.
