SSH keys control access to some of the most sensitive resources in any Organization, and with the current threat of host-based attackers lying in wait, keys need to be protected at all times. We show you how to do this with SSProtect and Putty on Windows
If you're like us, you're at least a little uncomfortable exposing your SSH keys while shelled into a remote system. It's bad enough that everyone wants to use password database apps to share them with most anyone who shouldn't have them, but on top of that, when you're spending 10-11 hours remoting into one server after another, your keys are just sitting there in plaintext for any attacker already on the host. Not cool.
You can, of course, protect your keyfiles and unwrap them when you need them. But then, for every access, you have to re-protect the file before you actually do anything. And if you're like us, once you get going, this is just far too distracting. But what if you could use Putty, for example, and have an application protect the file for you?
That's exactly what SSProtect In-Place Encryption does for you.
Not only is access to encrypted content protected with (optional) 2-factor authentication, but content is inaccessible to everything else while you work. This means you can open up Putty, shell in like you always do, and aside from logging into SSProtect once in a while and using a USB 2nd-factor (preferably with a physical-presence requirement), all else remains the same - no containers, no manual wrapping/unwrapping, just the normal procedure with a slight variation.
Haven't seen this in action? The recorded video is here. If you want to know how to do it, we've included instructions below. And it's worth noting that our software is free of ads, and we'll never follow-up in any way. You'll need to provide a working email address for use as your Account login, and we'll make sure that stays where it belongs - private and protected. The software is good for 14 (+7) days*, and if you need it longer, let us know.
Using SSProtect'd Putty SSH Keys
We assume you already have your Putty Session set up with the associated SSH key. If not, go ahead and do that now, then follow the instructions below. They are basically going to walk you through 3 things:
- Installing SSProtect
- Associating .ppk files with putty.exe
- Using Putty to shell into your host
You can probably handle all of that without step-by-step directions, but the file association may not be familiar to everyone, so the steps are below.
To Install SSProtect:
Installing SSProtect is easy, but the software is fairly extensive and thus holds many options that don't make sense without some investigation. To make things easier, we've provided the streamlined step-by-step instructions, below - they should be consistent with an intuitive progression for first-time use.
Install SSProtect and Sign-Up for a New Account
- Download SSProtect here, verify the package's DefiniSec signature, then run it to install. Reboot if/as noted.
- After you log in to Windows, click the SSProtect icon in your notification tray and choose Refresh Login... to bring up a Login prompt.
- The prompt should say, Choose an Action From Below... Click the Profile dropdown and choose Create New...
- Enter the email address you want to use for this account - you'll receive a message with a code that goes into this dialog.
- After you receive the code and enter it into the Code field, choose Verify. The software will generate keys for you.
- Finally, you'll be prompted to create and enter a new Password. Do so and choose Change.
- The software will finish provisioning your Account and take you back to the Login page from which you can proceed.
If you need to Uninstall, go to the Control Panel's Add/Remove Programs and scroll down to the Simple Security: Protect entry.
Adding your .ppk File to SSProtect
The software runs in the background, waiting for events to service. One such event is the addition of a file to protective scope. You can do this from Explorer by navigating to your .ppk file, right-clicking on it, and choosing SSProtect Activate. After a couple of seconds, a red icon overlay will show up indicating that the file is now under the protective scope of the software.
It's worth noting that we never have access to your data. Encryption is set up such that you have keys stored on your host, as does the cloud. The combination is required to decrypt to plaintext, and access is protected by (optional) 2-factor authentication, which is disabled by default. The end of this article tells you how to manage your Account to make changes - and it's not through the use of a web page.
To Setup a putty File Association
There's one last item, and that is associating Putty with .ppk files. You can do this a number of different ways - by double-clicking on a .ppk file and choosing the application from the popup, or from the Control Panel. Whatever you do, make sure you choose the option to Always use the association for the given file type. The procedure is similar for both Windows 7 and Windows 10, though there are different ways to get to the right place on Windows 10. One way that seems to work is to click the Cortana Type or Talk button, type Control Panel, and click on the resulting link that comes up.
From there, type Default Programs into the Search box, click on that entry in the list, then click Associate a file type or protocol with a program. Scroll down to the .ppk file type and choose Change Program. Browse to your Putty executable and choose it (you'll have to navigate a couple of extra steps in Windows 10), then make sure you select Always use the selected program to open this kind of file. That's the hard part - and now it's done.
In-Place Encryption In Action
So now what? Open Putty, choose the Session associated with the .ppk file you protected, then Open - just like you always do. No problem, right? If you do this later, after your Login session times out, you'll be prompted for your Profile Password, at which point Putty will continue to open the file.
Now navigate to the .ppk file in Explorer and try to open it - right-click the file and choose Edit, which attempts to open it with Notepad or similar. Notice that it doesn't work. Try with something else - maybe Visual Studio. No dice. You can't get to the file because it's locked out - even though, as you can see, the red overlay icon is gone. That's because, though unreachable to other applications, the file is currently in plaintext so Putty can natively access the content.
Close your SSH session and notice the red overlay comes back. Now try to edit the file - you'll see the encrypted results. Now you're set - any time you use Putty, the plaintext SSH content is not available to anything else. And if an attacker copies the encrypted file from your machine, he or she won't be able to open it, even after installing SSProtect (unless an Organization peer or you set them up as a Trusted Third Party, in which case the file works for them as noted).
To get back to plaintext content, hold the Shift key, then right-click and choose SSProtect Release. That will decrypt the file and remove managed protections, putting the file back in its original plaintext form. Though an attacker may be able to find a way to execute this procedure on your host when you're away, you can close that gap by adding a 2nd-factor authentication token to the mix.
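To check the two things this walkthrough sets up without clicking through Explorer - that .ppk files really launch your Putty executable, and that the key file on disk is locked while in use and no longer plaintext afterwards - here is an added PowerShell script (not part of SSProtect or PuTTY; the path in `$KeyPath` is an assumption you replace with your own). It keys the plaintext check on the `PuTTY-User-Key-File-` header that every .ppk file starts with.

```powershell
# Added example, not SSProtect or PuTTY code. Run before, during and after a Putty session
# to observe the three states the article describes: plaintext, locked, not plaintext.
param(
    [string]$KeyPath = "$env:USERPROFILE\.ssh\server.ppk"   # assumption: your .ppk file
)

# 1. Resolve what Windows launches for .ppk. The per-user UserChoice entry (set when you
#    tick "Always use...") wins over the machine-wide HKCR\.ppk default.
function Get-PpkOpenCommand {
    $uc = Get-ItemProperty -ErrorAction SilentlyContinue `
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppk\UserChoice'
    $progId = if ($uc) { $uc.ProgId } else {
        (Get-ItemProperty -ErrorAction SilentlyContinue 'Registry::HKEY_CLASSES_ROOT\.ppk').'(default)'
    }
    if (-not $progId) { return $null }
    (Get-ItemProperty -ErrorAction SilentlyContinue `
        "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command").'(default)'
}

# 2. Classify the on-disk state of the key file. A sharing violation or access-denied
#    while Putty has the file open is the "locked out" state the article shows; otherwise
#    the PuTTY header tells plaintext from wrapped content. (A passphrase on the key
#    does not hide the header, so this tests SSProtect's wrapping, not the passphrase.)
function Get-PpkState([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    } catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        return 'locked'
    }
    try {
        $buf = New-Object byte[] 20
        $n = $fs.Read($buf, 0, $buf.Length)
        $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
        if ($head.StartsWith('PuTTY-User-Key-File-')) { return 'plaintext' }
        return 'not-plaintext'
    } finally { $fs.Dispose() }
}

$cmd = Get-PpkOpenCommand
if ($cmd -and $cmd -match 'putty\.exe') {
    Write-Host "OK  .ppk opens with: $cmd"
} else {
    Write-Warning ".ppk is not associated with putty.exe (found: '$cmd'); redo the association step."
}
Write-Host ("Key file state: {0}  ({1})" -f (Get-PpkState $KeyPath), $KeyPath)
```

Expect `plaintext` before you activate the file, `locked` while the Putty session is open, and `not-plaintext` once the session closes and the red overlay returns.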
Account Configuration, and more...
In theory, In-Place Encryption works no matter what application you're using, though obviously there are exceptions (such as .zip files). And because of the architecture, you'll always know when files are accessed, or at least that they've been exposed. Take a look at :Assess reporting, :Recover for integrated backup/restore, :Collaboration for Third Party Trust relationships, or :Email for Outlook messages. There's plenty more, and you can request additional evaluation components by following the information in Adding Feature Components.
SSProtect, as a complete cryptosystem, was designed to make protections both powerful and easy to apply to host application data, ensuring IT and Security staff have the tools required to quickly respond to Security Incidents while at the same time minimizing the impact of a Breach. For more information, continue through these web pages or peruse our online support articles. Of course we're always happy to help you out, so send detailed questions to firstname.lastname@example.org, and we'll do what we can to get you the information you need.
* Qualified Security Researchers and Journalists are entitled to no-charge use of the software. Send us an email for information on how you can qualify.
This article was published February 12th, 2017