Best Practices for Safeguarding SSH Keys


SSH is a popular protocol for protecting data privacy through data-in-motion encryption – to make sure that hackers are not listening in on your private transactions as they traverse over the network. It also offers both client and server authentication, to ensure that both transacting parties – say, your company and your bank – are who they say they are. For encryption and decryption, SSH users a pair of keys – a public key and a private key. Unlike TLS, which requires the use of digital certificates and rely on a Public Key Infrastructure (PKI) and participation of CA to function, SSH keys are not governed by any trusted public body – they are created, used, and managed solely through an agreement between transacting partners and include more functionality such as enabling users to login into remote machines and execute commands remotely, whereas TLS needs to pair with other protocols (FTP etc.) to provide similar functionality.

Key approval, distribution, and management, as well as re-keying of outdated keys, can be a tedious task, especially for large companies who typically have several million SSH keys that provide access to their network devices – servers, databases, firewalls, payroll systems, etc. Protecting the SSH keys is essential, but many overworked administrators find themselves reusing keys across devices, hardcoding keys, and making other mistakes, ultimately compromising their company’s security posture and opening up opportunities for hackers to gain entry into the network.

At AppViewX, we created an SSH key management and automation solution to help organizations make access safer, and streamline the key management process. The AppViewX Platform allows teams to discover, create, provision, rotate, and secure SSH keys automatically, while ensuring policy compliance across networks. A platform-agnostic solution that can manage and automate SSH keys’ lifecycle on-premise or in the cloud, AppViewX uses a single console to proactively prevent key misuse by enforcing access controls and monitoring key usage.

Related Articles:   6 Steps to Migrating Your Certificates from SHA1 to SHA2

Here are a few guiding tenets for SSH key management that AppViewX can help you enforce:

You can’t manage what you don’t know

Often, hackers target obsolete SSH keys that remain in the network, unknown to administrators. Detecting expired or unused keys and promptly invalidating them can stop many types of incidents – like Man-in-the-Middle attacks – from penetrating your organization’s defenses. AppViewX can help you discover both legitimate and rogue SSH keys, creating a holistic view of your entire key portfolio, complete with configuration information and client, server, and user associations.

Frequently rotated keys = better security

With millions of keys to manage, using spreadsheets and homegrown tools can be not only wasteful and inefficient – it can be downright dangerous. To minimize vulnerability windows, AppViewX allows users to setup periodic automatic rotations schedules for SSH keys, making sure all keys are being regularly rotated, using fresh credentials. Automated rotation ensures that all copies of the same key are being rotated at the same time, and all transaction partners are immediately notified of any changes, to prevent outages and service interruptions. With an automated rotation schedule, you can finally eliminate the practice of hardcoded keys that use embedded passwords, making them vulnerable to attackers.

Audit and policy controls

To enforce compliance throughout the enterprise, AppViewX helps enforce SSH key management policies across key groups. It also provides audit capabilities in accordance with cybersecurity and industry regulations, and can help your organization build consistent and repeatable SSH key management practices.

To learn more about how AppViewX can help you develop and maintain strong security practices around your SSH keys, visit us at AppViewX CERT+

Want more great content?

Subscribe to our blog to get tech tips, industry news, and thought leadership articles right in your inbox!