Blog.

Secure 2FA SSH and PGP using Krypton

Marco Franssen

Marco Franssen /

6 min read1110 words

Cover Image for Secure 2FA SSH and PGP using Krypton

In this blogpost I want to show you how easy it is to setup SSH and PGP key securily without even having them on your laptop. Instead we will have those keys on our mobile device. Yes, I hear you thinking…. Wutt, but, but, but, whaat!

No worries bear with me, I walk you through it an will even explain you some magic behind the Krypton commands which we are about to use, so you will have a fully transparant understanding on Krypton.

First of all you shouldn't worry about the safety of your keys. Krypton is backed by Akamai and fully opensource. This goes for the browser extension as well for the Mobile apps or the Daemon. This means there is a strong company behind the tool as well you can review the sourcecode.

Furthermore your keys will only be stored on your mobile device and not somewhere in the cloud. Your most valueable belongings you usually prefer to keep close. In this case you keep the keys on your phone in your pocket. More close you can't get it, right? OK! Let's rock and roll!

Install Krypton

To get started with Krypton we will first have to install the Daemon, browser plugin and mobile app.

Lets start by installing the browser plugin. Also install the mobile app for your device.

As of this time of writing kr currently supports MacOS (10.10+) and Linux (64 Bit) (Debian, RHEL, CentOS, Fedora with systemd). So Windows users unfortunately can't use the SSH and PGP features of Krypton. However you could leverage the other non developer features.

For Windows users please scroll to the end. I have 2 alternative blogposts for you there, to explain how to setup SSH without 2FA. Also for Linux or Mac users that approach works, which is still an approach I'm using on some of my laptops.

To install the daemon we simply run following command in our terminal.

curl https://krypt.co/kr | sh

SSH setup

kr pair

This will display a QR code in your terminal. Scan the QR code with the Krypton app on your mobile. This will pair the Krypton daemon krd on your laptop with your mobile device.

Another thing that got configured now on your laptop is the following ssh config.

~/.ssh/config
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentityFile ~/.ssh/id_dsa%

Due to this the magic happens whenever you try to ssh into a server or when you are doing a git push or git pull.

Before we can do that we ofcourse first have to authorize our key. We can view our key using following command.

terminal
$ kr me
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCq/z0K0ZqozIfwyAI1fa2ddt3Lq3+I9GRrKVlsf57nfAwiCnemWhimTlxHJ2TsWKBkxYnq5lGNpD5G4NyOlDQLUHy1g1eHbPiXgmDIbaUZ0OSo/BwwK+tBb9Y51VvCeHilP1J3WMznfE+Uo9yJLT6NsRTV56C0jzH9K3ay3L1iUCiwKRw2uwRsFZo7owp6yzS/5ktDy9qJ9FU+AYA1a9AvF2tJ2wiAwSVnd4h6EZZP8btuSbDt4B3iF47XgUpJ38lX0C5BIhsuCrHxypCeurFAFk6p5KENoxfa7s58jug6sN9Pk+DYHUTntjWAjZYCJk/Kp96tsrRlNJD/lYWGt5NyaUz4Js3/maQQxyhYWa9X5i/g4LSGQpratPEJQySqVva364zcsMAtHWwpqq8ctqoAqaoU48u4y0XWt/PHHQStlrRXyR9uhPkW2dR4bhqYznA03uEBO+GcbnJiDCw18+l+R2+PkSg6omXdVyv/3slUP/HSrWKAAoTGaZMrxzBKFIvNn0lTtqVHeWZoqwIIUs5HY5SWy8ZMLLnIGxYcuYJpScgA8Nt/QSBptu/lndp9rL2bxdl/UDMbhefwVGjubCxL8r6/uVkmjHHc0moErEl/qFTdcRqoIGl7m2Vt7cYQ+JRoxtJjy9wSKW7pUMdgjguVgUTNOQSuMEFzhqB5ERX13Q== Marco'siPhone
 
Copy this key to your clipboard using "kr copy" or add it to a service like Github using "kr github". Type "kr" to see all available commands.

As you can see you have a bunch more commands available to copy the key using kr copy or kr github. Use either one of these to add your public key to your github profile or any git solution of your choice. Mostly this can be found on the page with your profile settings in the SSH section.

To authorize your key on a server simply run ssh-copy-id marco@server. This will authorize your key after you allowed the access in your mobile phone.

Awesome right, now we have 2 factor SSH configured. A lot of words, but it took only a few clicks and commands.

PGP setup

Now lets have a look at setting up 2 factor PGP. In general setting up PGP normally takes quite some expertise to get the keys created and have a pgp agent running. Then next also to configure your Git to sign your commits. All kind of reasons and excuses for many of us to not use PGP to sign our commits. Well lets forgot about all of that and lets see how easy this is with Krypton.

Just run following command and approve the action on your mobile device and follow the interactive steps.

kr codesign

Now simply upload the public key to your online github or any git provider of choice to get your commits annotated as verified. In case you missed it we can also retrieve our pgp key at a later point in time using following command.

terminal
$ kr me pgp
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Created with Krypton
 
mQINBF3CuUEDEACq/z0K0ZqozIfwyAI1fa2ddt3Lq3+I9GRrKVlsf57nfAwiCnem
WhimTlxHJ2TsWKBkxYnq5lGNpD4G5NyOlDQLUHy1g1eHbPiXgmDIbaUZ0OSo/Bww
K+tBb9Y51VvCeHilP1J3WMznfE+Uo9yJLT6NsRTV56C0jzH9K3ay3L1iUCiwKRw2
uwRsFZo7owp6yzS/5ktDy9qJ9FU+AYA1a9AvF2tJ2wiAwSVnd4h6EZZP8btuSbDt
4B3iF47XgUpJ38lX0C5BIhsuCrHxupCeurFAFk6p5KENoxfa7s58jug6sN9Pk+DY
......
......
......
Eqhpz7w10X8TA9D3Dv+/8ZHkgc3Jfg5vrKu1F/zA+7jF7BqaT5oDlfLtE+Y1E3Wx
iMyAuoTUCvbmwKwnhTzrfxxPdzqJLeWF5OqfzIPoO4s4gqygugc4iFiZHf9C6N0l
Xu4b0viSvW/4w2OTVRd/hXVC+Bl6je2yt7wOTOh2AT7tWtNzyB7qLaZLhD+Fj+6i
c15tc2VRyPTn2dqKWZXSeg==
=pXN5
-----END PGP PUBLIC KEY BLOCK-----
 
Copy this key to your clipboard using kr copy pgp or add it to Github using kr github pgp. Type kr to see all available commands.

So how this exactly work? You might have seen it in the output when setting up your PGP key. In our Git config file a setting was added that makes our commits being signed.

~/.gitconfig
[commit]
    gpgSign = true
[gpg]
    program = /usr/local/bin/krgpg
[tag]
    forceSignAnnotated = true

The krgpg program will fetch an approval from your paired mobile app to be able to sign the commit using the private key which is only stored on your mobile device.

Browser setup

By clicking the browser extension you can also pair your mobile device for having some more integrations like 2FA for accessing facebook for example. Feel free to play arround with that yourself.

Wrapup

If you think after all of this, you don't really like it you can simply run following to unpair and uninstall Krypton.

terminal
kr unpair
kr uninstall

If you prefer to have a regular ssh setup then please consult following blogposts:

Thanks for reading my blog if you made it till the end. Please reshare with your colleagues and friends.

You have disabled cookies. To leave me a comment please allow cookies at functionality level.

More Stories

Cover Image for React Router and Nginx over HTTP/2

React Router and Nginx over HTTP/2

Marco Franssen

Marco Franssen /

In this blogpost I want to show you how you can easily get your React SPA app with clientside router work properly with your Nginx setup. I will also show you how to serve your React App over HTTP/2 and how you can leverage from http2 server pushes. To do so I will show you how to do that with the Nginx Docker image. When running your webapp using the development server you will in general not face any issues, however when running the static build on a production server you will most likely fac…

Cover Image for Signing Docker images using Docker Content Trust

Signing Docker images using Docker Content Trust

Marco Franssen

Marco Franssen /

In this blog I want to introduce you to the concept of signing Docker images. Signing your docker images will add some layer of trust to your images. This can guarantee a consumer of your image that this image is for sure published by you and hasn't been tampered with by others. You might already used PGP to sign your Git commits. In this blogpost I shown a nice way of setting PGP signing keys using Krypton that adds 2FA. In practice Docker image signing is the same concept. If this all sounds…

Cover Image for Howto Secure Shell easily from the terminal

Howto Secure Shell easily from the terminal

Marco Franssen

Marco Franssen /

I see many struggle when it comes to using Secure Shell in a comfortable way. Many are installing unneeded applications like Putty on Windows for example. Just like I did 4 years ago. Over the years I have been working a lot on servers where there was no GUI available and learned a lot doing that. I would like to share my tips and tricks so you can also be empowered by just sticking to the terminal on your OS or simply using Git Bash on Windows. What is SSH The SSH protocol (also referred to a…

Cover Image for Manage Go tools via Go modules

Manage Go tools via Go modules

Marco Franssen

Marco Franssen /

In this blog I will cover how I'm managing and versioning the tools my Go projects depend on. Go Modules are available since Go 1.11. Using Go Modules you can manage the dependencies for your project. You can compare it to NPM in Nodejs projects or Maven in Java project or Nuget in .NET projects. In general Go Modules are used to manage your compile time dependencies. However in my projects I also like to manage the tools required for Continuous Integration in my projects. To ensure all develop…