Saving your GitHub SSH Keys on a USB Drive

GitHub provides two main options for connecting to repositories (cloning, fetching, pulling, pushing): HTTPS and SSH.

HTTPS: This is the easiest way to clone a repo from GitHub. It needs no setup, port 443 (HTTPS) is usually open on all networks, and when we clone, fetch, pull or push we are asked for our username and password and that’s it! On macOS we can even save the username/password in the Keychain and enter them only once. This is all good, but if our username and password are compromised, an attacker could clone, fetch, pull or push any of the repositories we have access to.

SSH: This option requires users to generate a cryptographic key pair, usually an RSA key (an ed25519 key also works). The user needs to upload the public key to GitHub before performing any of these operations: clone, fetch, pull or push. The SSH port (22) also needs to be open in the user’s network (home, office, Starbucks,…). On macOS we can generate a key pair with the ssh-keygen command; if we don’t provide a location, the key pair (id_rsa, id_rsa.pub) is stored in ~/.ssh by default.

After uploading the contents of id_rsa.pub to GitHub we can start cloning, fetching, pulling or pushing on any of our repositories. Now, again, if our computer (where the private key lives) is compromised, the attacker can clone, fetch, pull or push any of the repositories we have access to.

Now, like I said before, if an attacker compromises the computer that holds our private key, they gain access to our GitHub repositories. But what if we could keep our keys somewhere else (let’s say a USB stick), load them into the machine for a specific amount of time, and have them removed from the computer’s memory/cache afterwards, so that if the computer is compromised the keys simply aren’t there?

This sounds awesome! And yes, it is totally possible. Here is how to do it on macOS:

  1. Open Disk Utility.
  2. Choose the external drive -> Erase.
  3. Choose Format -> Mac OS Extended (Case-sensitive, Journaled, Encrypted).
  4. Give it a name (preferably something short, as you will need to reference it on the command line).
  5. Disk Utility will ask for a password (this is asked every time we plug in the drive).
  6. Erase the USB drive -> go play some Angry Birds.
  7. Open Terminal.app and type:

     ssh-keygen -f /Volumes/<Thumbdrive name after wipe>/id_rsa -C "<Enter Name>"

  8. Create a load script to make loading your keys easier:

     vim /Volumes/<Thumbdrive name>/load

     Script contents:

     #!/usr/bin/env bash
     # Lifetime (in hours) of the key in the agent: first argument, else the default below.
     HOURS="$1"
     DIR=/Volumes/<Thumbdrive name>
     KEY="$DIR/id_rsa"
     if [ -z "$HOURS" ]; then
         HOURS=<number of hours>
     fi
     # Forget every identity already in the agent, then add the key with an expiry
     # (ssh-add -t accepts sshd_config time formats, so 8H means eight hours).
     /usr/bin/ssh-add -D
     /usr/bin/ssh-add -t "${HOURS}H" "$KEY" || exit 1
     # Eject the drive so the private key is no longer reachable on disk.
     /usr/sbin/diskutil umount force "$DIR"

  9. Next, give the load script run permission:

     chmod +x /Volumes/<Thumbdrive name>/load

  10. Now copy your public key to the clipboard:

     pbcopy < /Volumes/<Thumbdrive name>/id_rsa.pub

  11. Add your public key to GitHub.
  12. Run the script at the beginning of each day to be able to interact with GitHub:

     /Volumes/<Thumbdrive name>/load

Note: The script will automatically eject the drive after running.
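As an added example (not the script from this post or from Tammer Saleh’s), here is a hardened variant of the load script. It assumes the drive mounts at /Volumes/KEYS and that the key pair is /Volumes/KEYS/id_ed25519 and id_ed25519.pub (both placeholder names). Beyond the original it validates the hours argument, checks the private key’s permissions before calling ssh-add (ssh-add refuses a key that group or others can read, which is also why the drive must be HFS+ rather than FAT/exFAT, where every file shows up as 0777), and only ejects the drive once ssh-add -l confirms the key is resident. Keep in mind that ssh-add -D, kept from the original, drops every identity in the agent, not just this one.

```bash
#!/usr/bin/env bash
# Added example (not the original post's script). Hardened "load" script for a
# key kept on an encrypted USB drive. Assumed names: the drive mounts at
# /Volumes/KEYS and the key pair is /Volumes/KEYS/id_ed25519 and id_ed25519.pub.
set -u

DIR=/Volumes/KEYS
KEY="$DIR/id_ed25519"
DEFAULT_HOURS=8          # lifetime in the agent when no argument is given
MAX_HOURS=24             # refuse anything longer than a working day

# Accept only a whole number of hours between 1 and MAX_HOURS.
validate_hours() {
  case "${1:-}" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le "$MAX_HOURS" ]
}

# ssh-add -t takes sshd_config time formats; "8h" means eight hours.
lifetime_arg() {
  printf '%sh' "$1"
}

# Octal permission bits of a file; macOS and GNU stat spell the option differently.
file_mode() {
  if [ "$(uname -s)" = Darwin ]; then
    stat -f '%Lp' "$1"
  else
    stat -c '%a' "$1"
  fi
}

# ssh-add refuses a private key that group or others can read, so check first.
# (A FAT/exFAT stick shows every file as 0777, which is why the drive is HFS+.)
key_perm_ok() {
  local key="$1" mode
  [ -f "$key" ] || return 1
  mode=$(file_mode "$key")
  [ $(( 0$mode & 0077 )) -eq 0 ]
}

# Load the key with an expiry, confirm it is resident, then eject the drive.
load_key() {
  local hours="${1:-$DEFAULT_HOURS}" fp
  validate_hours "$hours" || { echo "usage: load go [hours 1-$MAX_HOURS]" >&2; return 2; }
  key_perm_ok "$KEY" || { echo "refusing $KEY: missing or permissions too open" >&2; return 1; }
  ssh-add -D                                   # drops every identity in the agent
  ssh-add -t "$(lifetime_arg "$hours")" "$KEY" || return 1
  fp=$(ssh-keygen -lf "$KEY.pub" | awk '{print $2}')
  ssh-add -l | grep -qF "$fp" || { echo "key not in agent, keeping drive mounted" >&2; return 1; }
  /usr/sbin/diskutil umount force "$DIR"
}

# Only touch the agent when invoked as "load go [hours]"; sourcing the file
# just defines the functions above.
if [ "${1:-}" = "go" ]; then
  load_key "${2:-}"
fi
```

Run it as `/Volumes/KEYS/load go 8`; with no hours argument it falls back to DEFAULT_HOURS. The permission check is the one that bites on a wrongly formatted stick: ssh-add prints an "UNPROTECTED PRIVATE KEY FILE" warning and refuses the key, and the original script would then eject the drive anyway, leaving nothing in the agent.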

Based on: Tammer Saleh’s post