In this blogpost I want to show you how easy it is to setup SSH and PGP key securily without even having them on your laptop. Instead we will have those keys on our mobile device. Yes, I hear you thinking…. Wutt, but, but, but, whaat!
No worries bear with me, I walk you through it an will even explain you some magic behind the Krypton commands which we are about to use, so you will have a fully transparant understanding on Krypton.
First of all you shouldn’t worry about the safety of your keys. Krypton is backed by Akamai and fully opensource. This goes for the browser extension as well for the Mobile apps or the Daemon. This means there is a strong company behind the tool as well you can review the sourcecode.
Furthermore your keys will only be stored on your mobile device and not somewhere in the cloud. Your most valueable belongings you usually prefer to keep close. In this case you keep the keys on your phone in your pocket. More close you can’t get it, right? OK! Let’s rock and roll!
To get started with Krypton we will first have to install the Daemon, browser plugin and mobile app.
Lets start by installing the browser plugin. Also install the mobile app for your device.
As of this time of writing kr currently supports MacOS (10.10+) and Linux (64 Bit) (Debian, RHEL, CentOS, Fedora with systemd). So Windows users unfortunately can’t use the SSH and PGP features of Krypton. However you could leverage the other non developer features.
For Windows users please scroll to the end. I have 2 alternative blogposts for you there, to explain how to setup SSH without 2FA. Also for Linux or Mac users that approach works, which is still an approach I’m using on some of my laptops.
To install the daemon we simply run following command in our terminal.
curl https://krypt.co/kr | sh
This will display a QR code in your terminal. Scan the QR code with the Krypton app on your mobile. This will pair the Krypton daemon
krd on your laptop with your mobile device.
Another thing that got configured now on your laptop is the following ssh config.
# Added by Krypton
Due to this the magic happens whenever you try to ssh into a server or when you are doing a git push or git pull.
Before we can do that we ofcourse first have to authorize our key. We can view our key using following command.
$ kr me
As you can see you have a bunch more commands available to copy the key using
kr copy or
kr github. Use either one of these to add your public key to your github profile or any git solution of your choice. Mostly this can be found on the page with your profile settings in the SSH section.
To authorize your key on a server simply run
ssh-copy-id marco@server. This will authorize your key after you allowed the access in your mobile phone.
Awesome right, now we have 2 factor SSH configured. A lot of words, but it took only a few clicks and commands.
Now lets have a look at setting up 2 factor PGP. In general setting up PGP normally takes quite some expertise to get the keys created and have a pgp agent running. Then next also to configure your Git to sign your commits. All kind of reasons and excuses for many of us to not use PGP to sign our commits. Well lets forgot about all of that and lets see how easy this is with Krypton.
Just run following command and approve the action on your mobile device and follow the interactive steps.
Now simply upload the public key to your online github or any git provider of choice to get your commits annotated as verified. In case you missed it we can also retrieve our pgp key at a later point in time using following command.
$ kr me pgp
So how this exactly work? You might have seen it in the output when setting up your PGP key. In our Git config file a setting was added that makes our commits being signed.
krgpg program will fetch an approval from your paired mobile app to be able to sign the commit using the private key which is only stored on your mobile device.
By clicking the browser extension you can also pair your mobile device for having some more integrations like 2FA for accessing facebook for example. Feel free to play arround with that yourself.
If you think after all of this, you don’t really like it you can simply run following to unpair and uninstall Krypton.
If you prefer to have a regular ssh setup then please consult following blogposts:
Thanks for reading my blog if you made it till the end. Please reshare with your colleagues and friends.