From fed39d53d1a4e0dcf0a1b17a0f0dc784ecb8a04c Mon Sep 17 00:00:00 2001 From: Toniiz Date: Sat, 9 May 2026 17:16:39 -0700 Subject: [PATCH] add: manus-ai secure ssh keys transfer markdown file --- .../markdown_docs/secure_ssh_key_transfer.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 bash/manus-ai/markdown_docs/secure_ssh_key_transfer.md diff --git a/bash/manus-ai/markdown_docs/secure_ssh_key_transfer.md b/bash/manus-ai/markdown_docs/secure_ssh_key_transfer.md new file mode 100644 index 0000000..f71106d --- /dev/null +++ b/bash/manus-ai/markdown_docs/secure_ssh_key_transfer.md @@ -0,0 +1,89 @@ +# Securely Storing and Transferring SSH Private Keys + +## Introduction + +SSH private keys are critical for secure access to remote systems. Their compromise can lead to unauthorized access and significant security breaches. Therefore, securely storing and transferring these keys is paramount. This guide outlines best practices and methods for managing your SSH private keys when moving them between devices [1]. + +## Fundamental Security Principles + +Before discussing transfer methods, it's crucial to understand the underlying security principles for SSH private keys: + +* **Passphrase Protection**: Always protect your private key with a strong, unique passphrase. This encrypts the private key file, making it unreadable without the passphrase, even if the file itself is compromised [2]. +* **Strict Permissions**: Private key files should always have restrictive file permissions (e.g., `chmod 600 ~/.ssh/id_ed25519`). This ensures that only the owner can read or write the file. +* **Minimize Exposure**: The private key should never be shared unnecessarily or stored in insecure locations like public cloud storage without strong encryption. +* **Avoid Email/Insecure Channels**: Never transfer private keys via email, instant messaging, or other unencrypted communication channels. + +## Recommended Methods for Transferring Private Keys + +When transferring a private key to a new machine, the goal is to do so with the highest level of security. Here are the recommended methods: + +### 1. Encrypted USB Drive + +Using an encrypted USB drive is one of the most straightforward and secure methods for physical transfer. This method minimizes network exposure. + +**Steps:** +1. **Encrypt the USB Drive**: Before copying, ensure your USB drive is encrypted. Tools like LUKS (Linux Unified Key Setup) on Linux, BitLocker on Windows, or FileVault on macOS can be used for full-disk encryption. +2. **Copy the Private Key**: Copy the private key file (e.g., `id_ed25519`) from your `~/.ssh/` directory to the encrypted USB drive. +3. **Transfer to New Machine**: Plug the encrypted USB drive into the new machine, unlock it, and copy the private key file to the `~/.ssh/` directory on the new machine. +4. **Set Permissions**: Immediately set the correct permissions for the private key file: `chmod 600 ~/.ssh/id_ed25519`. +5. **Remove from USB**: Once transferred and verified, securely delete the private key from the USB drive. + +### 2. Secure Copy Protocol (SCP) or SFTP + +If physical transfer isn't feasible, using SCP or SFTP over an existing SSH connection is a secure network-based method. This assumes you already have SSH access to the new machine (perhaps with a temporary password or a different key). + +**Steps:** +1. **Establish SSH Connection**: Ensure you can SSH into the new machine from your old machine. +2. **Copy the Private Key**: Use `scp` to securely copy the private key file. For example: + ```bash + scp ~/.ssh/id_ed25519 user@new_machine:~/.ssh/id_ed25519 + ``` + You will be prompted for the password of `user@new_machine` (or the passphrase for the key used to authenticate). +3. **Set Permissions**: After copying, SSH into the new machine and set the correct permissions: + ```bash + ssh user@new_machine "chmod 600 ~/.ssh/id_ed25519" + ``` + +### 3. Encrypted Archive via Cloud Storage (Least Recommended) + +While generally discouraged due to increased exposure, if cloud storage is the only option, the private key **must** be protected within an encrypted archive. + +**Steps:** +1. **Encrypt the Private Key**: Use a strong encryption tool like `gpg` (GNU Privacy Guard) to encrypt your private key file. For example: + ```bash + gpg -c ~/.ssh/id_ed25519 + ``` + This will create `id_ed25519.gpg` and prompt you for a strong passphrase. +2. **Upload to Cloud Storage**: Upload the encrypted `.gpg` file to your chosen cloud storage service. +3. **Download and Decrypt**: On the new machine, download the `.gpg` file and decrypt it using `gpg`: + ```bash + gpg id_ed25519.gpg + ``` + You will need to enter the passphrase used during encryption. +4. **Move and Set Permissions**: Move the decrypted private key to `~/.ssh/` and set permissions: `chmod 600 ~/.ssh/id_ed25519`. +5. **Securely Delete**: Delete the encrypted and decrypted files from temporary locations and cloud storage. + +## What Not to Do + +* **Do not copy the entire `~/.ssh` directory**: While it might seem convenient, it's generally not best practice. It's better to generate new keys on the new machine and only transfer specific private keys if absolutely necessary [3]. +* **Do not use unencrypted channels**: Avoid email, public chat, or unencrypted file shares. +* **Do not store private keys in public repositories**: Never commit private keys to version control systems like Git, even in private repositories. + +## Best Practices for SSH Key Management + +* **Use an SSH Agent**: An SSH agent can hold your decrypted private keys in memory, so you only need to enter your passphrase once per session, enhancing convenience without sacrificing security [4]. +* **Regular Key Rotation**: Periodically generate new SSH key pairs and revoke old ones, especially for critical systems. +* **Separate Keys for Different Purposes**: Consider using different SSH key pairs for different services or environments (e.g., one for GitHub, another for production servers). +* **Hardware Security Modules (HSMs) or YubiKeys**: For the highest level of security, consider storing private keys on hardware security modules or FIDO2-compliant security keys like YubiKeys. These devices store the private key securely and perform cryptographic operations on the device itself, meaning the private key never leaves the hardware [5]. + +## Conclusion + +Securely managing and transferring SSH private keys is a critical aspect of maintaining robust cybersecurity. By adhering to strong passphrase protection, strict file permissions, and utilizing secure transfer methods like encrypted USB drives or SCP, you can significantly mitigate the risks associated with private key exposure. Always prioritize security and minimize the attack surface when handling these sensitive credentials. + +## References + +[1] [14 SSH Key Management Best Practices You Need to Know](https://www.thesslstore.com/blog/14-ssh-key-management-best-practices-you-need-to-know/) +[2] [How Do You Manage Your SSH Private Keys?](https://www.reddit.com/r/linuxquestions/comments/1coiui3/how_do_you_manage_your_ssh_private_keys/) +[3] [Copy ssh keys to a new computer - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/739726/copy-ssh-keys-to-a-new-computer) +[4] [SSH Key Best Practices for 2025 - Using ed25519, key ...](https://www.brandonchecketts.com/archives/ssh-ed25519-key-best-practices-for-2025) +[5] [SSH Key Management: Best Practices for Enterprise ...](https://www.jumpserver.com/blog/ssh-key-management-best-practices)