An SSH key is an asymmetric key pair (a public key and a private key) used by the Secure Shell (SSH) protocol for public-key authentication. SFTP runs over SSH, so key-based authentication is available to SFTP connections as well; it is not required for a simple SFTP connection, but it can be used instead of, or in addition to, a password.
How SSH keys work
SSH keys rely on public-key cryptography rather than on a shared secret. A key pair is derived from a hard mathematical problem: the values are chosen so that one direction of a computation is easy (deriving the public key from the private key, checking a signature) while the reverse (recovering the private key from the public key) is infeasible without a secret only the key holder knows. Because the numbers involved are so large, guessing the private key is not a realistic attack, while the legitimate operations remain fast. Note that the key pair itself is not "encrypted": only the private key file is, and only if you protect it with a passphrase.
RSA is the longest-established algorithm for SSH keys and is still widely used. An RSA key is built from two large random primes; their product, the modulus, is the hard-to-reverse value, and current guidance is a modulus of at least 3072 bits (the ssh-keygen default for RSA since OpenSSH 8.0), which means each prime is about 1536 bits. Further arithmetic on the primes produces the two exponents: the public exponent, published together with the modulus, and the private exponent, which can only be computed by someone who knows the primes.
Multiplying two primes is cheap, but factoring their product back into the primes is not, so generating an RSA key is fast while recovering the private key from the public one is infeasible with current technology at these sizes. Newer SSH key types such as Ed25519 rest on a different hard problem (elliptic curves) and give comparable security with much smaller keys; ssh-keygen generates Ed25519 keys by default since OpenSSH 9.5.
Asymmetric SSH key structure
Asymmetric SSH keys are structured as key pairs, a public key and a private key. As the names suggest, the public key is meant to be shared with others, while the private key belongs to one individual (or one system) and must remain secret. If you look at an SSH key file, it will look like a long, seemingly random assortment of letters and numbers: this is the Base64 encoding of the key's numeric values, which are linked by a precise mathematical relationship that depends on the algorithm used.
With any of these algorithms the two halves have complementary roles. The public key can encrypt a message that only the private key can decrypt, and it can verify a signature that only the private key could have produced; the private key decrypts and signs. SSH authentication uses the signing direction: the client proves possession of the private key by signing, and the server checks the signature with the public key it has on file. Nothing the public key can do reveals the private key, which is why the public half can be shared freely.
This asymmetric key design is also used in PGP encryption and other algorithms, and a similar framework is used for some secure transfer protocols like AS2.
One of the most common uses of SSH keys is key-based authentication, where the key pair authenticates a client to a particular server; this is how SSH keys fit in with SFTP.
SSH keys for SFTP authentication
SSH keys are used as credentials to authenticate with remote servers and services. The private key is the secret part and should be treated with at least the same care as a password: it is never shared, e-mailed, or pasted into a web form. The public key is the only part that leaves your machine.
Once the keys are generated, you share the public key with the servers or service providers you want to connect to. After they add it, you authenticate with the corresponding private key.
At a basic level, the server keeps a list of public keys that are allowed to log in to each account (on OpenSSH, the account's ~/.ssh/authorized_keys file). When a client connects, it offers a public key; if the server has that key on file, it asks the client to prove possession of the matching private key by signing data tied to this particular session. The server verifies the signature with the stored public key. A valid signature means the user holds the private key and is admitted; an invalid or missing one means access is refused. The private key itself is never sent to the server.
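To make the relationship between the two halves and the login exchange concrete, here is a toy implementation added to this article (it is not OpenSSH's code and must not be used in place of it). It builds a tiny RSA key pair from two fixed, constructed primes, implements sign and verify with the public and private exponents, and then runs the server-side check: look up the user's stored public key, hand the client a fresh challenge, and accept only a signature that verifies. Real SSH signs data bound to the session (including the session identifier from key exchange) rather than a bare nonce, and pads the hash before exponentiation; the example simplifies both.

```python
"""Toy RSA key pair and the SSH-style challenge/response it enables.
Added illustration: not OpenSSH's code and not a production implementation."""
import hashlib
import secrets

# Constructed toy primes: the Mersenne primes 2^127-1 and 2^107-1, chosen only
# so the arithmetic is reproducible. Real RSA keys use random primes of about
# 1536 bits each, giving a 3072-bit modulus.
P_TOY = (1 << 127) - 1
Q_TOY = (1 << 107) - 1
E = 65537  # the conventional public exponent


def keygen(p=P_TOY, q=Q_TOY):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q                  # cheap: one multiplication
    phi = (p - 1) * (q - 1)    # needs p and q, i.e. the factorisation of n
    d = pow(E, -1, phi)        # private exponent; raises ValueError if gcd(E, phi) != 1
    return (n, E), (n, d)


def _digest(message, n):
    # Hash the message and reduce into the modulus. Real RSA signatures pad the
    # hash (PKCS#1 v1.5 or PSS) instead; the bare reduction is a simplification.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_digest(message, n), d, n)   # only the holder of d can produce this


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)   # anyone with (n, e) can check


def server_authenticate(authorized_keys, username, client_sign):
    """Server side of the exchange. authorized_keys maps usernames to public
    keys (the role of the authorized_keys file); client_sign is whatever the
    client does with its private key when handed a challenge."""
    public_key = authorized_keys.get(username)
    if public_key is None:
        return False                        # no key on file for this user: refuse
    challenge = secrets.token_bytes(32)     # fresh per attempt, so a replayed signature fails
    signature = client_sign(challenge)
    return verify(public_key, challenge, signature)


if __name__ == "__main__":
    alice_pub, alice_priv = keygen()
    authorized = {"alice": alice_pub}       # what the server stores: the public half only
    print(server_authenticate(authorized, "alice", lambda c: sign(alice_priv, c)))
    # An attacker who only has the public key cannot produce a valid signature.
    print(server_authenticate(authorized, "alice", lambda c: sign(alice_pub, c)))
```

The point to notice is what each side holds: the server stores and uses only (n, e), and the only secret that ever matters is d, which never leaves the client. Changing the challenge on every attempt is what stops a captured signature from being replayed.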
When accessing SFTP servers using key pairs, most SFTP clients include an option for adding an SSH private key, and will usually look in the default location first (if you stored the key elsewhere, you'll need to browse to the specific private key file). After a successful connection, most clients remember which key file to use for that server so you can reconnect quickly, similar to a "Remember me" feature for passwords.
The requirements to connect with SSH keys make them considerably more secure than a username and password alone. Because the server administrator has to add the public key explicitly, only deliberately provisioned users can log in, and there is no password to guess, brute-force, or phish: the private key never crosses the network, and it can be protected with a passphrase so that a stolen key file by itself is not enough. Keep in mind that the private key file is then the credential; if it is copied, anyone holding it (and its passphrase, if any) can log in until the public key is removed from the server.
Generating SSH Keys in operating systems
While there are many applications that generate SSH keys (many SFTP clients can do this too), all major operating systems ship the OpenSSH ssh-keygen command, so you can create keys from the command line without installing anything.
Key generation options
When generating SSH keys for authentication, you can configure different options and requirements. Most of them are only needed in specific scenarios, but a few apply to almost every key pair and are worth knowing.
- Key type (-t) - The algorithm the key pair uses. ssh-keygen accepts rsa, ecdsa, ed25519, and (on older versions) dsa. Use ed25519 unless a server you need to reach does not support it, and avoid dsa, which OpenSSH has disabled by default since version 7.0 and removed entirely in OpenSSH 10.0.
- Bit length (-b) - The key size. For rsa choose at least 3072 (the default) or 4096; for ecdsa the valid sizes are 256, 384, and 521; ed25519 keys have a fixed size and ignore -b. Larger RSA keys take longer to generate and to sign with, which matters little for interactive logins.
- Output file (-f) - The path of the private key; the public key is written beside it with a .pub extension. If omitted, ssh-keygen prompts for a path and defaults to ~/.ssh/id_<type>.
- Comment (-C) - A label stored with the public key (by default user@host). It is visible in the key file and in authorized_keys but is not part of the key itself, so use it to record who or what the key belongs to.
- Change passphrase (-p) - Changes the passphrase on an existing private key file; you must enter the old passphrase first. To set a passphrase when the key is created, answer the prompt (or pass -N).
Once you know what elements your key will contain, you can move on to generating the keys themselves.
Creating SSH keys in Windows
You can create SSH keys on Windows 10 and later from PowerShell or the Command Prompt, because the OpenSSH client, including ssh-keygen, is built in. By default the key pair is written under C:\Users\Username\.ssh\ (id_rsa and id_rsa.pub for an RSA key, id_ed25519 and id_ed25519.pub for Ed25519). Copy the contents of the .pub file to the clipboard to paste into GitHub, GitLab, or a server's authorized_keys; the private key file stays where it is and is never pasted anywhere.
Creating SSH keys in macOS
In macOS, Terminal includes OpenSSH and you can create keys directly in the terminal with the ssh-keygen command. Generated SSH keys are saved in the .ssh folder, which is a hidden directory under each user's folder.
For a detailed guide on how to create SSH keys on macOS, see How to generate an SSH key on Mac.
Creating SSH keys in Linux
Linux follows the same process as macOS, since both ship OpenSSH and its ssh-keygen command. For more information, see How to generate an SSH key in Linux.
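Whatever the platform, what you paste into authorized_keys or a service's key field is a single line: key type, Base64 key blob, optional comment. The following Python, added here as an illustration rather than taken from OpenSSH or any vendor's code, parses that line the way a server does, checks that the declared type matches the blob, rejects DSA and short RSA keys, and computes the same SHA256 fingerprint that ssh-keygen -l -f key.pub prints, so you can confirm you copied the right key (and the public one). The sample key lines are constructed inside the block; the key material is filler with the right shape, not real keys.

```python
"""Check an authorized_keys / public-key line before installing it.
Added example; the sample keys below are constructed filler, not real keys."""
import base64
import hashlib
import struct

MIN_RSA_BITS = 3072   # matches the ssh-keygen default
ECDSA_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_string(blob, pos):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded Base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_public_key_line(line, min_rsa_bits=MIN_RSA_BITS):
    """Describe the key; 'ok' is False with a 'reason' if it should not be installed."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        return {"ok": False, "reason": "expected '<type> <base64> [comment]'"}
    declared_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)       # binascii.Error is a ValueError
        wire_type, pos = _read_string(blob, 0)           # every blob starts with its type name
        info = {"ok": True, "type": declared_type, "comment": comment,
                "fingerprint": fingerprint(blob)}
        if wire_type.decode("ascii", "replace") != declared_type:
            return {**info, "ok": False, "reason": "type field does not match key blob"}
        if declared_type == "ssh-rsa":                   # RFC 4253: string type, mpint e, mpint n
            _e, pos = _read_string(blob, pos)
            n, _ = _read_string(blob, pos)
            info["bits"] = int.from_bytes(n, "big").bit_length()
            if info["bits"] < min_rsa_bits:
                return {**info, "ok": False,
                        "reason": f"RSA modulus is {info['bits']} bits, below {min_rsa_bits}"}
        elif declared_type == "ssh-ed25519":             # RFC 8709: string type, string key(32)
            key, _ = _read_string(blob, pos)
            info["bits"] = len(key) * 8
            if len(key) != 32:
                return {**info, "ok": False, "reason": "Ed25519 public key must be 32 bytes"}
        elif declared_type in ECDSA_TYPES:               # RFC 5656: string type, string curve, string Q
            curve, _ = _read_string(blob, pos)
            info["bits"] = int(declared_type[-3:])
            if curve != declared_type.split("-")[-1].encode():
                return {**info, "ok": False, "reason": "curve name does not match key type"}
        elif declared_type == "ssh-dss":
            return {**info, "ok": False, "reason": "DSA is disabled in OpenSSH; regenerate the key"}
        else:
            return {**info, "ok": False, "reason": f"unsupported key type {declared_type}"}
        return info
    except ValueError as exc:
        return {"ok": False, "reason": f"malformed key data: {exc}"}


# --- constructed samples (filler key material, only the encoding is realistic) ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # minimal big-endian two's complement: a leading 0x00 byte when the top bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_line(key_type, parts, comment=""):
    blob = _ssh_string(key_type.encode()) + b"".join(parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


SAMPLE_ED25519 = make_line("ssh-ed25519", [_ssh_string(bytes(range(32)))], "alice@laptop")
SAMPLE_RSA_3072 = make_line("ssh-rsa", [_mpint(65537), _mpint((1 << 3071) | 0x10001)], "alice@laptop")
SAMPLE_RSA_1024 = make_line("ssh-rsa", [_mpint(65537), _mpint((1 << 1023) | 0x10001)], "legacy")
SAMPLE_DSA = make_line("ssh-dss", [_mpint(1 << 1023)], "old-key")
SAMPLE_MISMATCH = "ssh-rsa " + SAMPLE_ED25519.split()[1]   # type field lies about the blob

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA_3072, SAMPLE_RSA_1024, SAMPLE_DSA, SAMPLE_MISMATCH):
        print(check_public_key_line(sample))
```

Run it against a real key by passing the contents of your id_ed25519.pub or id_rsa.pub to check_public_key_line; the fingerprint it reports should match what ssh-keygen -l -f prints for the same file. If you paste a private key by mistake, the first field will be -----BEGIN, and the line is rejected as an unsupported type.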
Couchdrop and SSH keys
In Couchdrop, SFTP connections don't require SSH keys by default, but you can configure public key authentication at the user level. Couchdrop supports RSA, DSA, and ECDSA public keys for authentication with SFTP and SCP. Keys are stored per user and can be updated or replaced at any time, and you can also require a user to present both a password and an SSH key.