
$2 hardware SSH keys storage - pavel_odintsov
https://github.com/nuclearcat/cedarkey
======
kees99
When using this awesome piece of software, you probably want to give a miss to
the "blue pill" board recommended in the README file, and go instead with an
ST-Link v.2 clone, which has identical hardware and price tag, while being
considerably more portable:

https://blog.danman.eu/2-usb-crypto-token-for-use-with-gpg-and-ssh/

~~~
nuclearcat
Absolutely agree about that, at least it has an enclosure. I will check if I have
one; I might port the software to this hardware too, it should be trivial. I might
try to make a 3D-printed enclosure for the blue pill as well.

------
sigjuice
If my private key never leaves the hardware, does this mean I cannot make a
backup copy of my private key? What would be a reasonable strategy to overcome
my hardware key getting lost or damaged?

~~~
nuclearcat
The key is not generated on the dongle, so you will have it generated and stored
initially on the PC. By the way, any key generation in the chip might be VERY
insecure, especially with RSA, because chip vendors love to use "backdoored"
random generators (CVE-2017-15361).

So, as you use a PC (preferably airgapped) for generation and initial dongle
configuration, use secure erase after generation and configuration, but if you
want, before that you might make a backup copy as well to another dongle, or a
USB flash drive kept in a safe place. There are definitely no plans to make the
key retrievable from the dongle over the USB protocol, as trojans might do the
same. Still, the device is not absolutely secure; JTAG access has to be blocked
(I have code for that, but haven't tested it properly yet) and for very paranoid
people it is better to cut off JTAG electrically; I might publish a detailed
guide on how to do that later.

~~~
aplorbust
"... for generation and initial dongle configuration, use secure erase after
generation and configuration..."

Is there any reason one would want to use secondary storage versus storing
these temporary files in memory (e.g., a "memory disk" or tmpfs)?

~~~
nuclearcat
It is up to each person. I fully agree that keeping keys in a memory disk is
better. Also, one more paranoia hint: generate and configure the dongle on
something without a management engine; it might be an SBC (Raspberry Pi) with
enough entropy.

Seems I must write a mini-guide on how to generate keys securely, based on the
suggestions.
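The workflow sketched in this sub-thread (generate the key on the PC rather than in the chip, keep the working copy on a RAM disk as suggested above, back it up to a second medium) as an added shell example; this is not code from the cedarkey project. It assumes Linux with GNU stat, /dev/shm mounted as tmpfs and OpenSSH's ssh-keygen on the PATH; BACKUP_MOUNT is a placeholder for wherever the backup dongle or USB stick is mounted, and loading the key into the dongle is left to the project's own tooling, which the thread does not describe.

```shell
# Added example, not part of cedarkey: keep key generation on a RAM disk so
# no private key material ever reaches persistent storage on the PC side.
# Assumes Linux with GNU stat, /dev/shm as tmpfs, and ssh-keygen available.
set -eu

# Succeed only if DIR is on a memory-backed filesystem (tmpfs or ramfs).
is_ramdisk() {
    fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 1
    case "$fstype" in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Create a private working directory under BASE and print its path.
# Refuses to proceed if BASE is on disk, so nothing needs "secure erase" later.
make_keydir() {
    base=$1
    if ! is_ramdisk "$base"; then
        echo "refusing: $base is not a RAM-backed filesystem" >&2
        return 1
    fi
    dir=$(mktemp -d "$base/keygen-XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Generate an ed25519 key pair in DIR using the PC's RNG, not the chip's.
generate_key() {
    ssh-keygen -q -t ed25519 -N "" -C "cedarkey" -f "$1/id_ed25519"
}

# Copy the private key to the offline backup medium mounted at BACKUP (placeholder).
backup_key() {
    cp "$1/id_ed25519" "$2/id_ed25519.bak"
}

main() {
    dir=$(make_keydir "${KEYDIR_BASE:-/dev/shm}")
    generate_key "$dir"
    backup_key "$dir" "${BACKUP_MOUNT:-/mnt/backup}"
    # Load "$dir/id_ed25519" into the dongle with the project's own tooling here.
    rm -rf "$dir"   # RAM-backed, so a reboot would wipe it too
}
# Run the full workflow only when explicitly requested (RUN_KEYGEN=1).
if [ "${RUN_KEYGEN:-0}" = 1 ]; then
    main
fi
```

Run with `RUN_KEYGEN=1 BACKUP_MOUNT=/path/to/backup sh keygen.sh`; without RUN_KEYGEN the script only defines the functions.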

