Tuesday, August 8, 2017

Kryptonite: Protect Your SSH Private Key

Kryptonite (via Steven Frank):

On iOS, Kryptonite generates a 4096-bit RSA key pair using the Apple iOS Security framework or optionally an Ed25519 key pair using libsodium. Kryptonite stores the private key in the iOS Keychain with accessibility level “kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly”.


The role of a private key in an SSH login is to sign the SSH handshake. When a signature is required, your workstation calls out to Kryptonite running on the paired phone with the data that must be signed. If authorized, Kryptonite performs the signature using the private key and returns only the signature to the workstation.


Upon install, Kryptonite adds a few lines to your SSH configuration (at ~/.ssh/config) that cause SSH to offer your Kryptonite key. Your other keys will still be presented and your Kryptonite key will only be used if it has access to the service you are connecting to.

The potential benefit is that your private key doesn’t have to be stored at a known path on your Mac, where other apps can access it. Unfortunately, due to iOS limitations, there’s no easy way to ensure that Kryptonite isn’t sending your private key somewhere.

Previously: HandBrake Proton Trojan.

1 Comment RSS · Twitter

At Panic we're using Kryptonite and Yubikeys. Software devs use Kryptonite mostly (unless they want a Yubikey) and people with server access must use a Yubikey. The U2F support in the Yubikey 4 is a nice perq for carrying one around.

Leave a Comment