Why You Should Be Using SSH Key Pairs

Public key authentication is a robust security framework that the SSH protocol can use to support both interactive (user) and automatic (programmatic) access to virtual machines. It is based on a key pair: a private key and an algorithmically derived public key. The pair can be used to access a VM over SSH asymmetrically (one way) without the use of passwords. It is essential when enabling programmatic access between the components that comprise an application, e.g. the traditional client-server relationship.

Because it does not require passwords – which can fall victim to a brute force attack – it is considered extremely secure.

The Key Pair 

The key pair comprises a public and a private key. These keys are generated on the client-side machine. They can then be used for non-interactive logins by individual users or, in the case of programmatic access, to allow a web front-end to authenticate with a backend DB in an automated fashion, for example.

Private Key 

The private key – sometimes called the identity key – cryptographically represents the identity of the user, or more specifically the machine. This key must be kept on the generating machine. It is considered secret and should never be shared or copied. Anyone with access to the private key can freely authenticate to any other machine that holds the corresponding public key. Any system with the public key will explicitly trust a user/machine with the private key.

Example Private Key:

-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----

NOTE: This is a real key that I generated and it has since been destroyed. 

Public Key 

The public key – often called the authorized key – is cryptographically derived from the private key and can be used by anyone to encrypt data. This data, however, can only be decrypted by the holder of the private key. For this reason, public keys are not considered secret and can be freely shared.

It is analogous to your own bank account number. This number could be used to pay money into your bank account (mine is 1526283472, for example), but not to withdraw from it (unless of course you have the corresponding key: in the case of a bank account, a passcode, ID, or both). I, for one, don’t consider someone paying money into my bank account to be a problem, so by all means, please use the bank account I provided above.

Example Public Key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsboqyY7HEW4YOwnHjZRX2m+Op08HuJCgt+mpjQkW6/LsJmB4MXk+ehWA81azStxZ0aSiJg0WP2aY6GmYjFAsfEy6eeWnON1pBLoNThGG/fJ//DtvEyHXZHtJmRhG9+/Dc97bR6uxN3wxIV2SkOy2ZwihleBIfHF6rmF7etjyZO8yvDQS9KiLnXDRbtQDuz4wxTOrbsADCIuoWUyr0j3YuE8phSY6u9diNBuR4pEGceCq3A/jhHfjdUOPmTlnqfJk9sFJlasCPCQWk9Jy234NBV4SWCmMI5OHbLwotAerdz5IY+s2KxZ872uSMmCBRkMUQIMlXTaH+Hu6yvaxmGzaSUkZFMYpSwewQslTx6cUnyoFe6Z5EIwl/ggsylwjb5c/aPZX/K0w0R56eg7GSjRM3K+UV5psiaH7f/hwrfgoiiywQq+6B2ZTyuy6TEnGAVHWYQli1pljBcuGySVJQDZSo+1TjKt7wqA0fsczHlR2W5cI3lwwQWgKbK/+vJWUwqd2J04WRfK9uRubp1XxQAp/3lBUtYlcK2AEVLMTo3h37FjhE1vb5XkGuPZB2V9B3GaynuHmrmG/jqyJO/yxieFSpZBez3dIGc01tKVOXF/XJeliO/Xmsmzl4oW3U4TKq0fcSHitSUFY8R9YFVZxLzmzdFvXpGDUQqVKzE5phADoaQw== scott.harrison@tuono.wpengine.com

NOTE: You shouldn’t care whether I destroyed this or not. Remember, it’s not a secret. 🙂 
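The one-line public key shown above is a key type, a base64 blob, and a comment. The following added example (not part of the original article) decodes such a line and reports the key type, the RSA modulus size, and the SHA256 fingerprint in the form `ssh-keygen -l` prints, which is what you would check when auditing an authorized_keys file. The function names are illustrative, and the sample key is constructed with a made-up modulus.

```python
import base64
import hashlib
import struct

def _read_string(buf, off):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:end], end

def _pack_string(data):
    return struct.pack(">I", len(data)) + data

def inspect_public_key(line):
    """Parse '<type> <base64> [comment]'; return type, RSA size and fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != parts[0].encode():
        raise ValueError("key type label does not match the blob")
    info = {"type": parts[0], "bits": None,
            "comment": parts[2] if len(parts) > 2 else ""}
    if parts[0] == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent
        n, off = _read_string(blob, off)       # modulus
        info["bits"] = int.from_bytes(n, "big").bit_length()
    # Same form as `ssh-keygen -l`: unpadded base64 of SHA-256 over the blob.
    digest = hashlib.sha256(blob).digest()
    info["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return info

def make_sample_rsa_line(bits=1024, comment="sample@example.invalid"):
    """Constructed input: well-formed ssh-rsa line with a made-up modulus (not a usable key)."""
    n = (1 << (bits - 1)) | 1
    n_bytes = n.to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps the mpint positive
    blob = (_pack_string(b"ssh-rsa") + _pack_string((65537).to_bytes(3, "big"))
            + _pack_string(n_bytes))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    print(inspect_public_key(make_sample_rsa_line()))
```

Comparing the reported fingerprint with the one the key's owner sees on their own machine confirms that the line in authorized_keys is the key they generated.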

To recap, the primary benefits are:

  • far more secure than a user/password-based approach to security
  • extremely robust for programmatic access

To understand how to create SSH Keys please see the SSH Key Pairs article in our docs.

Hopefully, this article gives an overview of what a public / private key pair is and why you should be using one for your cloud infrastructure. If you are interested in more detail see here.
