Secure 2FA SSH and PGP using Krypton

In this blogpost I want to show you how easy it is to setup SSH and PGP key securily without even having them on your laptop. Instead we will have those keys on our mobile device. Yes, I hear you thinking…. Wutt, but, but, but, whaat!

No worries bear with me, I walk you through it an will even explain you some magic behind the Krypton commands which we are about to use, so you will have a fully transparant understanding on Krypton.

First of all you shouldn’t worry about the safety of your keys. Krypton is backed by Akamai and fully opensource. This goes for the browser extension as well for the Mobile apps or the Daemon. This means there is a strong company behind the tool as well you can review the sourcecode.

Furthermore your keys will only be stored on your mobile device and not somewhere in the cloud. Your most valueable belongings you usually prefer to keep close. In this case you keep the keys on your phone in your pocket. More close you can’t get it, right? OK! Let’s rock and roll!

Install Krypton

To get started with Krypton we will first have to install the Daemon, browser plugin and mobile app.

Lets start by installing the browser plugin. Also install the mobile app for your device.

As of this time of writing kr currently supports MacOS (10.10+) and Linux (64 Bit) (Debian, RHEL, CentOS, Fedora with systemd). So Windows users unfortunately can’t use the SSH and PGP features of Krypton. However you could leverage the other non developer features.

For Windows users please scroll to the end. I have 2 alternative blogposts for you there, to explain how to setup SSH without 2FA. Also for Linux or Mac users that approach works, which is still an approach I’m using on some of my laptops.

To install the daemon we simply run following command in our terminal.

1
curl https://krypt.co/kr | sh

SSH setup

1
kr pair

This will display a QR code in your terminal. Scan the QR code with the Krypton app on your mobile. This will pair the Krypton daemon krd on your laptop with your mobile device.

Another thing that got configured now on your laptop is the following ssh config.

~/.ssh/config
1
2
3
4
5
6
7
8
9
# Added by Krypton
Host *
IdentityAgent ~/.kr/krd-agent.sock
ProxyCommand /usr/local/bin/krssh %h %p
IdentityFile ~/.ssh/id_krypton
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_ecdsa
IdentityFile ~/.ssh/id_dsa%

Due to this the magic happens whenever you try to ssh into a server or when you are doing a git push or git pull.

Before we can do that we ofcourse first have to authorize our key. We can view our key using following command.

1
2
3
4
$ kr me
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCq/z0K0ZqozIfwyAI1fa2ddt3Lq3+I9GRrKVlsf57nfAwiCnemWhimTlxHJ2TsWKBkxYnq5lGNpD5G4NyOlDQLUHy1g1eHbPiXgmDIbaUZ0OSo/BwwK+tBb9Y51VvCeHilP1J3WMznfE+Uo9yJLT6NsRTV56C0jzH9K3ay3L1iUCiwKRw2uwRsFZo7owp6yzS/5ktDy9qJ9FU+AYA1a9AvF2tJ2wiAwSVnd4h6EZZP8btuSbDt4B3iF47XgUpJ38lX0C5BIhsuCrHxypCeurFAFk6p5KENoxfa7s58jug6sN9Pk+DYHUTntjWAjZYCJk/Kp96tsrRlNJD/lYWGt5NyaUz4Js3/maQQxyhYWa9X5i/g4LSGQpratPEJQySqVva364zcsMAtHWwpqq8ctqoAqaoU48u4y0XWt/PHHQStlrRXyR9uhPkW2dR4bhqYznA03uEBO+GcbnJiDCw18+l+R2+PkSg6omXdVyv/3slUP/HSrWKAAoTGaZMrxzBKFIvNn0lTtqVHeWZoqwIIUs5HY5SWy8ZMLLnIGxYcuYJpScgA8Nt/QSBptu/lndp9rL2bxdl/UDMbhefwVGjubCxL8r6/uVkmjHHc0moErEl/qFTdcRqoIGl7m2Vt7cYQ+JRoxtJjy9wSKW7pUMdgjguVgUTNOQSuMEFzhqB5ERX13Q== Marco'siPhone

Copy this key to your clipboard using "kr copy" or add it to a service like Github using "kr github". Type "kr" to see all available commands.

As you can see you have a bunch more commands available to copy the key using kr copy or kr github. Use either one of these to add your public key to your github profile or any git solution of your choice. Mostly this can be found on the page with your profile settings in the SSH section.

To authorize your key on a server simply run ssh-copy-id marco@server. This will authorize your key after you allowed the access in your mobile phone.

Awesome right, now we have 2 factor SSH configured. A lot of words, but it took only a few clicks and commands.

PGP setup

Now lets have a look at setting up 2 factor PGP. In general setting up PGP normally takes quite some expertise to get the keys created and have a pgp agent running. Then next also to configure your Git to sign your commits. All kind of reasons and excuses for many of us to not use PGP to sign our commits. Well lets forgot about all of that and lets see how easy this is with Krypton.

Just run following command and approve the action on your mobile device and follow the interactive steps.

1
kr codesign

Now simply upload the public key to your online github or any git provider of choice to get your commits annotated as verified. In case you missed it we can also retrieve our pgp key at a later point in time using following command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ kr me pgp
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Created with Krypton

mQINBF3CuUEDEACq/z0K0ZqozIfwyAI1fa2ddt3Lq3+I9GRrKVlsf57nfAwiCnem
WhimTlxHJ2TsWKBkxYnq5lGNpD4G5NyOlDQLUHy1g1eHbPiXgmDIbaUZ0OSo/Bww
K+tBb9Y51VvCeHilP1J3WMznfE+Uo9yJLT6NsRTV56C0jzH9K3ay3L1iUCiwKRw2
uwRsFZo7owp6yzS/5ktDy9qJ9FU+AYA1a9AvF2tJ2wiAwSVnd4h6EZZP8btuSbDt
4B3iF47XgUpJ38lX0C5BIhsuCrHxupCeurFAFk6p5KENoxfa7s58jug6sN9Pk+DY
......
......
......
Eqhpz7w10X8TA9D3Dv+/8ZHkgc3Jfg5vrKu1F/zA+7jF7BqaT5oDlfLtE+Y1E3Wx
iMyAuoTUCvbmwKwnhTzrfxxPdzqJLeWF5OqfzIPoO4s4gqygugc4iFiZHf9C6N0l
Xu4b0viSvW/4w2OTVRd/hXVC+Bl6je2yt7wOTOh2AT7tWtNzyB7qLaZLhD+Fj+6i
c15tc2VRyPTn2dqKWZXSeg==
=pXN5
-----END PGP PUBLIC KEY BLOCK-----

Copy this key to your clipboard using kr copy pgp or add it to Github using kr github pgp. Type kr to see all available commands.

So how this exactly work? You might have seen it in the output when setting up your PGP key. In our Git config file a setting was added that makes our commits being signed.

~/.gitconfig
1
2
3
4
5
6
[commit]
gpgSign = true
[gpg]
program = /usr/local/bin/krgpg
[tag]
forceSignAnnotated = true

The krgpg program will fetch an approval from your paired mobile app to be able to sign the commit using the private key which is only stored on your mobile device.

Browser setup

By clicking the browser extension you can also pair your mobile device for having some more integrations like 2FA for accessing facebook for example. Feel free to play arround with that yourself.

Wrapup

If you think after all of this, you don’t really like it you can simply run following to unpair and uninstall Krypton.

1
2
kr unpair
kr uninstall

If you prefer to have a regular ssh setup then please consult following blogposts:

Thanks for reading my blog if you made it till the end. Please reshare with your colleagues and friends.

Share