Securing Private Keys on a Linux Sysadmin Workstation

In this last article of our ongoing Linux workstation security series for sysadmins, we’ll lay out our recommendations for how to secure your private keys. If you’re interested in more security tips and a list of resources for more reading (to go further down the rabbit hole of Linux security), I recommend that you download our free security guide for sysadmins.

Personal encryption keys, including SSH and PGP private keys, are going to be the most prized items on your Linux workstation. Attackers will be most interested in obtaining them, as that would allow them to further attack your infrastructure or impersonate you to other admins. Linux sysadmins should take extra steps to ensure that your private keys are well protected against theft:

  • Strong passphrases are used to protect private keys (Essential)

  • PGP Master key is stored on removable storage (Nice-to-have)

  • Auth, Sign and Encrypt Subkeys are stored on a smartcard device (Nice)

  • SSH is configured to use PGP Auth key as ssh private key (Nice)

Private key security best practices

The best way to prevent private key theft is to use a smartcard to store your encryption private keys and never copy them onto the workstation. There are several manufacturers that offer OpenPGP capable devices:

  • Kernel Concepts, where you can purchase both the OpenPGP compatible smartcards and the USB readers, should you need one.

  • Yubikey, which offers OpenPGP smartcard functionality in addition to many other cool features (U2F, PIV, HOTP, etc).

  • NitroKey, which is based on open-source software and hardware

It is also important to make sure that the master PGP key is not stored on the main workstation, and only subkeys are used. The master key will only be needed when signing someone else’s keys or creating new subkeys — operations which do not happen very frequently. You may follow the Debian’s subkeys guide to learn how to move your master key to removable storage and how to create subkeys.

You should then configure your gnupg agent to act as ssh agent and use the smartcard-based PGP Auth key to act as your ssh private key. We publish a detailed guide on how to do that using either a smartcard reader or a Yubikey NEO.

If you are not willing to go that far, at least make sure you have a strong passphrase on both your PGP private key and your SSH private key, which will make it harder for attackers to steal and use them.

Read more:

Part 8: Best Practices for 2-Factor Authentication and Password Creation on Linux

Part 1: 3 Security Features to Consider When Choosing a Linux Workstation


Leave a Reply