What does this control check?

The SSHKeys control verifies that all SSH private keys on your computer are encrypted with a passphrase. SSH keys are commonly used by developers and system administrators to authenticate to servers, push code to repositories, and access remote systems.

Important: An unencrypted SSH private key is like leaving your house key under the doormat. Anyone who gains access to your computer (through theft, malware, or even a backup) can use your SSH key to impersonate you. They can access any server, code repository, or system that trusts that key - without needing to know any passwords. Adding a passphrase encrypts the key, so even if someone steals the file, they cannot use it without the passphrase.

Why is this important?


Access Control

SSH keys often grant access to critical systems, production servers, and code repositories. Unencrypted keys allow anyone who steals them to impersonate you on these systems.


Code Repository Security

Stolen SSH keys can be used to push malicious code to your repositories, steal proprietary source code, or access sensitive company information stored in version control.


Audit Trail

When someone uses your stolen SSH key, all actions appear to come from you, making it difficult to detect the breach and potentially implicating you in malicious activities.

How to fix this

Encrypting SSH Keys on Windows

Note: You'll need to regenerate your SSH keys with a passphrase. This is the safest approach.

Step 1: Back up your current keys

  1. Open File Explorer
  2. Navigate to C:\Users\YourUsername\.ssh (replace YourUsername with your actual username)
  3. Copy the entire .ssh folder to a safe location as a backup

Step 2: Generate new encrypted SSH keys

  1. Open PowerShell or Command Prompt
  2. Type: ssh-keygen -t ed25519 -C "your.email@example.com"
  3. Press Enter to accept the default file location
  4. When prompted for a passphrase, enter a strong passphrase (don't leave it empty!)
  5. Re-enter the same passphrase to confirm
  6. Your new encrypted key pair is now created

Step 3: Update your keys on remote services

  1. Display your new public key by typing: type %USERPROFILE%\.ssh\id_ed25519.pub (in PowerShell, use type $env:USERPROFILE\.ssh\id_ed25519.pub instead, since %USERPROFILE% only expands in Command Prompt)
  2. Copy the entire output (starts with "ssh-ed25519")
  3. Add this public key to your services:
    • GitHub: Settings → SSH and GPG keys → New SSH key
    • GitLab: Preferences → SSH Keys → Add new key
    • Servers: Add to ~/.ssh/authorized_keys on each server

⚠️ Important notes:
  • Use a strong, unique passphrase - this protects your key if it's stolen
  • Store your passphrase in a password manager
  • You'll need to enter the passphrase the first time you use the key after each restart
  • Don't delete your old keys until you've verified the new ones work
  • Update the public key on all services that use your SSH key

Encrypting SSH Keys on macOS

Note: You'll need to regenerate your SSH keys with a passphrase. This is the safest approach.

Step 1: Back up your current keys

  1. Open Finder
  2. Press Command + Shift + G to open "Go to Folder"
  3. Type ~/.ssh and press Enter
  4. Copy the entire .ssh folder to a safe location as a backup

Step 2: Generate new encrypted SSH keys

  1. Open Terminal (in Applications → Utilities)
  2. Type: ssh-keygen -t ed25519 -C "your.email@example.com"
  3. Press Enter to accept the default file location
  4. When prompted for a passphrase, enter a strong passphrase (don't leave it empty!)
  5. Re-enter the same passphrase to confirm
  6. Your new encrypted key pair is now created

Step 3: Configure macOS Keychain to remember your passphrase

  1. In Terminal, type: ssh-add --apple-use-keychain ~/.ssh/id_ed25519
  2. Enter your passphrase when prompted
  3. macOS will now remember your passphrase in the Keychain

Step 4: Update your keys on remote services

  1. Display your new public key by typing: cat ~/.ssh/id_ed25519.pub
  2. Copy the entire output (starts with "ssh-ed25519")
  3. Add this public key to your services:
    • GitHub: Settings → SSH and GPG keys → New SSH key
    • GitLab: Preferences → SSH Keys → Add new key
    • Servers: Add to ~/.ssh/authorized_keys on each server

⚠️ Important notes:
  • Use a strong, unique passphrase - this protects your key if it's stolen
  • Store your passphrase in a password manager
  • The macOS Keychain will remember your passphrase so you don't need to enter it repeatedly
  • Don't delete your old keys until you've verified the new ones work
  • Update the public key on all services that use your SSH key

Verifying the fix

After generating encrypted SSH keys, Citadel will automatically verify this control during its next check.

To verify your SSH key is encrypted (Windows):

  1. Open PowerShell or Command Prompt
  2. Type: ssh-keygen -y -f %USERPROFILE%\.ssh\id_ed25519 (in PowerShell, write the path as $env:USERPROFILE\.ssh\id_ed25519, since %USERPROFILE% only expands in Command Prompt)
  3. If the key is encrypted, you'll be prompted for the passphrase
  4. If it displays the public key without asking for a passphrase, the key is not encrypted

To verify your SSH key is encrypted (macOS):

  1. Open Terminal
  2. Type: ssh-keygen -y -f ~/.ssh/id_ed25519
  3. If the key is encrypted, you'll be prompted for the passphrase
  4. If it displays the public key without asking for a passphrase, the key is not encrypted

Note: If you've added the key to Keychain, macOS might auto-fill the passphrase. This is normal and secure.
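As an added example (not part of Citadel or of this page), the Python script below performs the same check as the verification steps above for every private key in ~/.ssh, but without prompting for a passphrase: it reads the cipher name from the openssh-key-v1 header of new-style keys and looks for the Proc-Type: 4,ENCRYPTED header in legacy PEM keys. The key headers it constructs for testing are not usable keys.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_status(key_text: str) -> str:
    """Classify one private key file's contents: 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New-style key (OpenSSH default): the cipher name is the first string after the magic.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            (length,) = struct.unpack_from(">I", blob, len(OPENSSH_MAGIC))
            cipher = blob[len(OPENSSH_MAGIC) + 4:len(OPENSSH_MAGIC) + 4 + length]
        except (ValueError, struct.error):
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with built-in encryption
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header line.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:]):
        return "encrypted"
    return "unencrypted"

def scan_ssh_dir(ssh_dir: Path = Path.home() / ".ssh") -> dict:
    """Map each private key in ssh_dir to its status; non-key files (config, known_hosts) are skipped."""
    results = {}
    for path in sorted(ssh_dir.iterdir()) if ssh_dir.is_dir() else []:
        if path.is_file() and path.suffix != ".pub":
            status = key_status(path.read_text(errors="replace"))
            if status != "unknown":
                results[path.name] = status
    return results

def make_sample_openssh_key(cipher: bytes) -> str:
    """Constructed test input: an openssh-key-v1 header carrying the given cipher name (not a usable key)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(scan_ssh_dir())  # prints a file-name -> status mapping for the keys in ~/.ssh
```

Any key reported as "unencrypted" is what the SSHKeys control flags; a key in the macOS Keychain still shows as "encrypted" here because the file itself, not the agent, is inspected.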