
Sharing secrets with SSH keys

As part of our managed ops services we often need to share sensitive information such as passwords and keys with customers. GPG is commonly used for this kind of thing, but if our customers aren’t already used to PGP it’s a bit of a pain - particularly with all the key swapping, signing and trust settings you often need to manage.

However, most of our customers already have an SSH keypair that they use to access their Brightbox servers and if we’re managing their servers we already know their public keys. Can we use a customer’s SSH keys to encrypt messages for them? Yes we can! And a tool called age makes this easy - much easier than GPG.

First, install age. It’s available natively for most modern Linux distros, BSDs, Windows and macOS so it should only take a minute.

Then, to encrypt a message with an SSH public key, run age with the --recipients-file argument (and use CTRL+D to finish the message of course):

$ age --recipients-file ~/keys/customer-ssh-key.pub --encrypt --armor

Hello world

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHlMSFZYQSBjVkZC
YlRKcG1JcG8xTkFjb2pzOHdEVUoyaWFhWTNTaE1tZDNhd0VhQkQwCm1VMkFzd01H
QWYxREhlQXF6TTJGU3ZrMGhMTDFKb2ZhU2JTeUhLdnlhcEEKLS0tIDM5UWVDUWJz
WTZYZkZpTTVQcWE0UkM4aTRMNnIrUzJUMHVKVFVRWGorVXMKN4uVA5nSZP0uAWlH
xjHVbrO42sNUe3jiI+rHKP+epsWvtRl5rMlVfTVxDzUc
-----END AGE ENCRYPTED FILE-----

You can then paste the output in an email or a text chat session.

And then for them to decrypt the message with their SSH private key:

$ age --decrypt -i .ssh/my-ssh-key.key

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHlMSFZYQSBjVkZC
YlRKcG1JcG8xTkFjb2pzOHdEVUoyaWFhWTNTaE1tZDNhd0VhQkQwCm1VMkFzd01H
QWYxREhlQXF6TTJGU3ZrMGhMTDFKb2ZhU2JTeUhLdnlhcEEKLS0tIDM5UWVDUWJz
WTZYZkZpTTVQcWE0UkM4aTRMNnIrUzJUMHVKVFVRWGorVXMKN4uVA5nSZP0uAWlH
xjHVbrO42sNUe3jiI+rHKP+epsWvtRl5rMlVfTVxDzUc
-----END AGE ENCRYPTED FILE-----

Hello world

Of course age isn’t limited to short text messages and will encrypt large files too; just don’t use the --armor option, and it’ll generate more compact binary output.

Integration with GitHub

All GitHub users have an SSH key and if you know somebody’s GitHub username you can encrypt things for them with age:

$ curl https://github.com/johnl.keys | age --recipients-file - --armor message.txt

Age has its own keys too

If you prefer to use separate keys, age does have its own key format and keys can be generated with the age-keygen tool. age keys are pretty neat and easy to share:

$ age-keygen

# created: 2024-09-18T10:53:06+01:00
# public key: age1texszzr0vlrfvjug5gd4dgkla39j2swchvrgdmd8qg50wafnsqqs8ygqhp
AGE-SECRET-KEY-1YJ23M3V0LH2AXGHHNTE8GLPWAAP3HEFHT9Y6LYQRCWDP8VHXWC4Q3DJ5A6

Passwords instead of keys

You can also just forgo the use of public and private keys, use symmetric encryption instead and choose a password when encrypting. If you don’t provide one, age will randomly generate a passphrase that you can easily read out to someone in person or over the phone:

$ age --encrypt --passphrase --armor

Enter passphrase (leave empty to autogenerate a secure one):

age: using autogenerated passphrase "object-feature-make-rather-add-coil-project-february-easily-goose"

Hello World

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCByektjYXdid0M4MytRUmI1
U3lJYm13IDE4Ci83d1RqRUJ3S2Q1TkZpNndFZUhRVUVGcERpNUxCR3V4dStVOTMv
TC9xREkKLS0tIE44TG5tUm9SWXd5Z05jUDlVMXBJQjl5L29VcXlvOFJlai9xU0pV
Q1FVUjgKeSW+1umEBcBn8BZ983gdf3nG4yuzuJz2Vt6VluIEIbFBiDI2aDVEu8uW
jC+C
-----END AGE ENCRYPTED FILE-----

And you can use passphrase encryption to secure your age keys on disk - age recognises this and will prompt for the passphrase.

Managing secrets in git repositories

age can be used to encrypt files in git repositories using a tool called SOPS. We use this for encrypting secrets in OpenTofu/Terraform and Kubernetes manifests. We’ll go into more detail on how to use that in a future blog post.

Limitations

SSH keys are usually used only for authentication, so people may not treat them quite the same as a real encryption key - they may be more likely to share them, or otherwise treat them as revocable.

And SSH keys on hardware such as YubiKeys can’t be used to decrypt files.

But otherwise, using SSH keys with age is a very convenient way of occasionally sharing secrets.
