Secure Socket Shell (SSH), also called Secure Shell, is a special network protocol leveraging public-key cryptography to enable authorized users to remotely access a computer or other device via access credentials called SSH keys. Because they are used to access sensitive resources and perform critical, highly privileged activities, it’s vital to properly manage SSH keys as you would other sensitive credentials.
While SSH keys are standard, and more frequently used, in Unix and Linux environments, they are also used in Windows systems.
Open your console and write:
ssh-keygen -t rsa -b 4096 -a 100 -f /home/debian/.ssh/<folder>/id_rsa
But before that you need to create folder to organize your keys inside .ssh folder. Just go in cd .ssh and mkdir .test folder and change permission to chmod 700 .test.
We are using keygen which is used as OpenSSH authentication key utility. Now let's brake what we did:
-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”.
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.
When saving a private key, this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). The default is 16 rounds.
Specifies the filename of the key file.
Next step is to copy your public SSH key to the server:
sudo ssh-copy-id -i '/home/debian/.ssh/.<folder>/id_rsa.pub' email@example.com
After you successfully copied public key on your server, it's time to try login with it.
ssh -i '/home/debian/.ssh/.<folder>/id_rsa' firstname.lastname@example.org -v
Verify if your key is in authorized keys:
Open file sshd_config and scroll until you see the line that starts with “#PasswordAuthentication yes.” Remove the hash
# from the start of the line, change the “yes” to “no”, and save the file.
Don't forget to also uncomment #PubkeyAuthentication, and change to true.
Restart the SSH daemon:
sudo systemctl restart sshd
Don't forget to backup your SSH keys, as you might lose them. First you can backup them just by using tar:
tar -cf ssh-keys.tar ~/.ssh/.alvosec
After that you can also encrypt them by using symmetric encryption:
openssl aes-256-cbc -salt -pbkdf2 -in ssh-keys.tar -out ssh-keys.tar.enc
To decrypt them, run:
openssl aes-256-cbc -d -pbkdf2 -in ssh-keys.tar.enc -out ssh-keys.tar
Now you also need to backup your password for encrypted archive. : )