Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[jschauma@netmeister.org] [@jschauma]

Sharing Secrets Using SSH Keys

I have a much longer blog posting pending on the topic of how people cooperating within an organization but possibly across geographical distances and/or timezones can best share secrets, but this just came up:

Unfortunately, even technical people are not in the habit of using PGP, but as luck would have it, that is not even necessary to be able to share secrets -- i.e. encrypt and decrypt files for specific recipients -- since the same people already happily use public-key cryptography on a regular basis and do possess a number of suitable key pairs: their SSH keys!

So, in brief, if you have to share a secret with people who can either send you a public SSH key or have a public key installed on a shared system you have access to, this is how you can safely exchange data with them. (Following current events, the roles of "Alice" and "Bob" will be played by "David" and "Paula".)

First, convert the public key in question from the SSH format into PKCS#8 format:

david@pentagon$ ssh-keygen -f paula.pub -e -m PKCS8 > paula.pem

Next, encrypt your naughty little message:

david@pentagon$ openssl rsautl -pubin -inkey paula.pem -encrypt -pkcs -in naughty -out cipher

Now, store the contents of 'cipher' in a Gmail draft. Or, perhaps, find a better way to get the data to Bob, I mean Paula. Either way, she can now decrypt the data using the private key of the SSH key pair:

paula@vacation$ openssl rsautl -inkey k -decrypt -in cipher -out naughty

And that is all. (The question of how well Paula protects her private SSH key, and whether or not she stores it on the same shared system that David got the pubkey from, is a different story altogether.)
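The commands above push the whole file through a single RSA operation, which only works for inputs shorter than the key modulus (minus padding). The following is an added example, not part of the original post, that generalizes the procedure to files of any size by encrypting the file with a one-time AES passphrase and sending only that passphrase through RSA. It assumes OpenSSL 1.1.1 or later, uses `openssl pkeyutl` (the successor to `rsautl`) with OAEP padding instead of the post's `-pkcs`, and all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): hybrid encryption to an SSH RSA key.
# All function and file names here are hypothetical.
# Note: AES-CBC via `openssl enc` gives confidentiality only, no integrity check.

# Convert an OpenSSH RSA public key ($1) to a PKCS#8 PEM file ($2), as in the post.
ssh_pub_to_pem() {
    ssh-keygen -f "$1" -e -m PKCS8 > "$2"
}

# Encrypt file $2 for PEM public key $1; writes $3.enc (data) and $3.key.enc (wrapped key).
encrypt_for() {
    ef_tmp=$(mktemp) || return 1
    # One-time random passphrase; only this short value goes through RSA.
    openssl rand -hex 32 > "$ef_tmp" &&
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$ef_tmp" \
        -in "$2" -out "$3.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$ef_tmp" -out "$3.key.enc"
    ef_rc=$?
    rm -f "$ef_tmp"
    return $ef_rc
}

# Decrypt $2.enc / $2.key.enc with PEM private key $1; writes plaintext to $3.
decrypt_with() {
    dw_tmp=$(mktemp) || return 1
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.key.enc" -out "$dw_tmp" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$dw_tmp" \
        -in "$2.enc" -out "$3"
    dw_rc=$?
    rm -f "$dw_tmp"
    return $dw_rc
}

# Usage (David, then Paula):
#   ssh_pub_to_pem paula.pub paula.pem
#   encrypt_for paula.pem naughty msg      # send msg.enc and msg.key.enc
#   decrypt_with id_rsa.pem msg naughty    # id_rsa.pem: Paula's private key in PEM form
```

Recent OpenSSH versions write private keys in their own format, which `openssl` does not read; `ssh-keygen -p -m PEM -f <keyfile>` rewrites the key file in PEM form in place.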

November 19, 2012

