Advice on ssh key encryption

[sympatheticmoose]

Hi there 👋 I installed podman on MacOS via podman desktop then ran podman machine init to get things set up. This creates the podman-machine-default ssh key.

My organisation uses a tool to check device compliance with one of the scans being "Require SSH Keys be Encrypted". So this started to fail and I imagine its a relatively common policy.

I wondered if it is worth:

• Encrypting by default when running podman machine init
• Providing it as an option
• Providing documentation on encrypting the key and adding it to the ssh-agent similar to how i.e. GitHub do here

[baude]

@sympatheticmoose thanks for the nice writeup.

I'm trying to think through any downsides to having the keys encrypted. Like, making sure ignition can still do the injection etc. I have not come up with one other than making sure it works with ignition. Do you foresee any?

[ashley-cui]

Would we have to enter the passphrase every time when executing various podman commands? That feels like bad UI but I think we can get around that by asking the user to store their passphrase in their keychain if they decide to use a encrypted ssh key.

[baude]

yeah, i am hesitant to mess with the keychain automatically given the constant problem we have with the default attempts for ssh being less that the number of items in the keychain. it could be made optional like suggested as well?

[ashley-cui]

I think optional would be a good idea

[Luap99]

Right now it seems like podman already can read from the keychain when you use the default ssh key, e.g. no identity path given.
However because machine creates its own pair it sets the custom identity and we need to enter the passphrase for every single podman command. This is a very bad UX.

Besides encrypting by default means the we need user input on init which breaks existing uses in scripts, so if anything I see this only as opt in.

[sympatheticmoose]

Do you foresee any?

@baude basically this, I ran into it and... yeah... it's hell. But I assumed I was just failing to add to keychain in the right manner

However because machine creates its own pair it sets the custom identity and we need to enter the passphrase for every single podman command. This is a very bad UX.

[Luap99]

Assuming your scanner only checks ~/.ssh machine could create and write the key to a different location.
Although I guess that would still be against your policy.

[sympatheticmoose]

indeed :)

[baude]

@sympatheticmoose what if we allowed you to inject your own keys that were made prior to init'ing?

[sympatheticmoose]

That could work.

What would happen if ~/.ssh/podman-machine-default already existed before a user runs init, would it just reuse?

For me I'd definitely still appreciate docs alongside, particularly for the required lines in ~/.ssh/config