🌰 encrypt/decrypt using ssh keys

ssh-vault 🌰


encrypt/decrypt using ssh private keys

Documentation

https://ssh-vault.com

Usage

$ ssh-vault -h

Example:

$ echo "secret" | ssh-vault -u <github.com/user> create

Installation

Mac OS

brew install ssh-vault

Binaries

Binaries and packages for a variety of platforms are published to Bintray.

To download a specific version, use a URL like https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.12.4_amd64.deb

To download the latest version:

PACKAGING=amd64.deb
LATEST_VERSION=$(curl -w "%{redirect_url}" -o /dev/null -s https://bintray.com/nbari/ssh-vault/ssh-vault/_latestVersion | sed 's|.*/||')
curl -L -O "https://dl.bintray.com/nbari/ssh-vault/ssh-vault_${LATEST_VERSION}_${PACKAGING}"

Compile from source

Set up a Go environment: https://golang.org/doc/install

For example, using $HOME/go as your workspace:

$ export GOPATH=$HOME/go

Get the code:

$ go get github.com/ssh-vault/ssh-vault

Build by just typing make:

$ cd $GOPATH/src/github.com/ssh-vault/ssh-vault
$ make

Issues

Please feel free to raise any issue, feature requirement or a simple comment here.

Comments
  • use ssh-agent when asked for password

    Find a way to use the ssh-agent to obtain the decrypted key in order to avoid typing the password every time a vault needs to be edited/viewed.

    Probably it is not possible: http://security.stackexchange.com/a/55791/54143

  • Go 1.10.2 build failure for 0.12.3

    ==> Cloning https://github.com/ssh-vault/ssh-vault.git
    Updating /Users/joe/Library/Caches/Homebrew/ssh-vault--git
    git config remote.origin.url https://github.com/ssh-vault/ssh-vault.git
    git config remote.origin.fetch +refs/tags/0.12.3:refs/tags/0.12.3
    ==> Checking out tag 0.12.3
    git checkout -f 0.12.3 --
    HEAD is now at 33b59a3... prefer the HOME environmental variable
    git reset --hard 0.12.3
    HEAD is now at 33b59a3 prefer the HOME environmental variable
    ==> dep ensure -vendor-only
    ==> go build -ldflags -s -w -X main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    # github.com/ssh-vault/ssh-vault/vendor/github.com/ssh-vault/go-keychain
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:29: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:36: cannot convert nil to type _Ctype_CFDataRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:37: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:62: cannot convert nil to type _Ctype_CFDictionaryRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:63: cannot use nil as type _Ctype_CFDictionaryRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &keys[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &values[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:87: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:90: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: cannot convert &a[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: too many errors
    /usr/local/Homebrew/Library/Homebrew/debrew.rb:11:in `raise'
    BuildError: Failed executing: go build -ldflags -s\ -w\ -X\ main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    

    (doesn't affect Go 1.9.x)

  • Decryption failed, use private key with fingerprint:

    When trying to view the content of a vault, if the key doesn't match, it prints the default key on the system:

    $ ssh-vault view vault.ssh 
    Decryption failed, use private key with fingerprint: fd:c9:a5:ab:67:c2:6a:3b:6b:c9:72:d6:32:f8:a8:09
    
  • Review homebrew formula

    Hi, the ssh-vault homebrew formula is currently blocking a pull request to update the go formula to 1.13.5. Details here: https://github.com/Homebrew/homebrew-core/pull/47510#issuecomment-565634744

    Can someone take a look at why the formula fails on macOS with go 1.13.5, please?

  • No valid PEM (private key) data found

    Hello,

    I use the public key of some friend to encrypt some content:

    ssh-vault -k ~/.ssh/vault/keys/id_rsa.pub create < QR.jpg > RQ
    

    From the friend's computer:

    ssh-vault -o QR.jpg view RQ
    

    Unfortunately, he gets the message No valid PEM (private key) data found.

    He does have his private key in ~/.ssh/id_rsa.

    Thanks for your help.

  • openssh > v7.8 RSA keys not supported

    Since version 7.8/7.8p1 (2018-08-24) ssh-keygen by default generates RSA keys in the new format, and they don't work with ssh-vault any more; block.Type in this case looks like "OPENSSH PRIVATE KEY", not "RSA PRIVATE KEY".

    • ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.
  • allow for encryption to multiple recipients

    It would be nice if the -u option could be repeated, to allow multiple recipients. Something like

    ssh-vault -u id_rsa-1.pub -u id_rsa-2.pub -u id_rsa-3.pub create vault.ssh
    
  • allow creating secrets to STDOUT (without writing to file)

    hey

    first of all, thanks for the awesome tool :pizza: would it be possible to allow creating secrets on the fly, straight to STDOUT (without having to write to file)?

    something like ssh-vault -u nbari create and, if no file parameter is specified at the end, just open the editor and print the encrypted message to STDOUT.

  • test the windows binaries

    Test the windows binaries https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.7.2_windows_amd64.zip

    Check if creating, editing and viewing vaults works, besides fetching the keys remotely or using keys locally.

  • bad ssh-vault signature

    I'm encrypting a file using ssh-vault via:

    cat test/data/note_to_encrypt.txt | ./ssh-vault -u bsutton create ./test.vault
    

    This produces a file:

    SSH-VAULT;AES256;ee:88:c8:35:4d:0e:a9:14:c1:44:61:59:90:95:ef:a0
    GxjmmbzD0yR4m0WAdeEOQqViVfaq/KMrEV3bUVZAT/bTT/JuJeg5mXwHMm3DED1y
    SW44D3HZg8jKWeIKms0zsy0p273jCZ+Wi/gj5lTGzsQaltPTpgiX36N9RY9z2eSh
    N/+RPvU8NVfMLE1YvhjBqz+Vnz9iFhivG46TwKKihUUyAt7NmCDIxn6KRNDvGeUF
    YSWwQwXCuqLcO1mE12YkLA6TzoH9cXm+9jU39Bh8VTPqDW4teTcfXgGP7s2f3M1N
    qh1u4IASW58XkpOI5A0OufrvWfpwWhkLKWNtPpPkeBXYvuH2faeCVHVxHcQ+p62+
    bk09zczek3GyrW23AV60f24tNo/EDjUqJ6PEvIHTWrpEZEORC2rYAX/YgDUrG2Jw
    WuVWOsfN+E/QMs+vvdJw7zvKiy/jA3NGUJWhES3DneKanV0SVKlOmoRDQehKtU6X
    0lb5c6nQB4z/cI8uP7bhIE4WTFv2u/VXnHYIIssjM4aZWHs/TkZzeLEQHldadIhm
    or/pF0hG606PunAyeGDO3nHuzyT45DJ+ywmGXln+y+QALjjvMllI9lnwR99o6/ZD
    gXuyhSwaqHCWOLwaTFZ4IK2kdE7shWKlKYnyqldPlV6NBzouuTcWu4EgNGv0MNLm
    DwdwWc8AqgT2fTvfHyILx4GfDVXgqe/BpwL/MTLK3u0=;bLlYIF+UyrlG8zrWTAo
    FH5h/RQ/WgrZ7gfZgNrQF/ZOUusJaq8Ho6TJ5p429avPwPbaAumFSX+DwwWCDcWw
    Y2peF9tvqaOgiy8MJkDAf9OB4L/6WWSBbsqiyViJlGXGhzA==
    

    When I try to decrypt the vault I get:

    echo "<pass phrase>" | ./ssh-vault  -k /home/bsutton/.ssh/id_rsa view test.vault
    bad ssh-vault signature, verify the input
    

    The private key file is encrypted with

    As I understand it, you can pass the passphrase via stdin, hence I pipe the output from the echo command.

    However I'm seeing two problems.

    1. the above invalid signature
    2. even though I pass the passphrase, the command uses the gnome agent to ask me to enter the passphrase.

    I'm uncertain if these two problems are related?

  • RSA key in openssh format with password

    Hello, two issues I wanted to report (I believe related to #37) that I have recently experienced on my Mac (Catalina) when using ssh-vault:

    • First issue

    how to reproduce the issue (gitlab example):

    ssh-keygen -t rsa -b 4096 -C "[email protected]"
    ssh-vault -k id_rsa.pub create < file > file.vault
    ssh-vault -k id_rsa view file.vault

    output: enter passphrase: could not parse private key: ssh: this private key is passphrase protected

    analysis: When having a passphrase protected key, and no usual PEM header (no dek-info section as tested by x509.IsEncryptedPEMBlock()), it goes through ssh.ParseRawPrivateKey() instead of ssh.ParseRawPrivateKeyWithPassphrase().

    However, without a password it works fine, since it goes through ssh.ParseRawPrivateKey; when the -k parameter is the private key, ssh-keygen -yf works, and if -k is a public key it works too (when both are local and in the same directory).

    proposal: Either decode the header of the openSSH format private key that should contain something like this when encrypted:

    openssh-key-v1 aes256-ctr bcrypt

    Or, when having a block.Type of "OPENSSH PRIVATE KEY", try ssh.ParseRawPrivateKey() followed by ssh.ParseRawPrivateKeyWithPassphrase() when the first is not successful.

    • Second issue

    Also, a second issue appears due to the -k parameter. Indeed, the usage of ssh-keygen -yf doesn't deal well with passphrase protection. So it works when having the public key as parameter but not the private one (when both are local and in the same directory).

    how to reproduce the issue (gitlab example):

    ssh-keygen -t rsa -b 4096 -C "[email protected]" -m PEM

    analysis: I don't know why we sometimes need to extract the public key from the private one. The -k parameter, as shown by the command help, is a public key, so I am not quite sure why we are sometimes passing the private key, even though it is the private key which is needed to decrypt.

    	// use private key only
    	if strings.HasSuffix(v.key, ".pub") {
    		v.key = strings.Trim(v.key, ".pub")
    	}
    

    proposal: Either decode the private key and derive the public key from it without using ssh-keygen, as already mentioned in the TODO, or perhaps add another parameter to distinguish between public and private keys. Another option could also be to add the suffix .pub and get it.

    Thanks for the great work and your help!
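The two reports above (RSA keys written in the OpenSSH format since 7.8, and passphrase-protected OPENSSH PRIVATE KEY blocks going through the wrong parser) both come down to reading the key envelope before choosing how to parse it. The following is an added example, not ssh-vault's own code: a standard-library Go inspector that reports the cipher and KDF a private key file declares, using the openssh-key-v1 header layout from PROTOCOL.key (magic, ciphername, kdfname, kdfoptions, key count) and the DEK-Info header for legacy PEM. The label "openssl-legacy" and the ConstructedOpenSSHKey sample builder are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"strings"
)

const opensshMagic = "openssh-key-v1\x00"

// readString reads one SSH wire string (uint32 length + bytes), rejecting lengths past the end.
func readString(r *bytes.Reader) (string, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil || int64(n) > int64(r.Len()) {
		return "", fmt.Errorf("truncated openssh-key-v1 header")
	}
	buf := make([]byte, n)
	_, err := r.Read(buf) // a bytes.Reader hands back all n bytes in one call
	return string(buf), err
}

// InspectPrivateKey returns the cipher and KDF named in a private key's envelope; "none" means
// the key is stored unencrypted. Legacy PEM: DEK-Info header (what x509.IsEncryptedPEMBlock
// checks). openssh-key-v1 (PROTOCOL.key): ciphername and kdfname follow the magic string.
func InspectPrivateKey(pemData []byte) (cipher, kdf string, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", "", fmt.Errorf("no valid PEM (private key) data found")
	}
	if block.Type != "OPENSSH PRIVATE KEY" {
		if dek, ok := block.Headers["DEK-Info"]; ok {
			return strings.SplitN(dek, ",", 2)[0], "openssl-legacy", nil // EVP_BytesToKey with MD5
		}
		return "none", "none", nil
	}
	if !bytes.HasPrefix(block.Bytes, []byte(opensshMagic)) {
		return "", "", fmt.Errorf("missing openssh-key-v1 magic")
	}
	r := bytes.NewReader(block.Bytes[len(opensshMagic):])
	if cipher, err = readString(r); err == nil {
		kdf, err = readString(r)
	}
	return cipher, kdf, err
}

// ConstructedOpenSSHKey builds only the header of an openssh-key-v1 blob (constructed sample
// data, not a usable key) so the inspector can be exercised offline.
func ConstructedOpenSSHKey(cipher, kdf string) []byte {
	raw := []byte(opensshMagic)
	for _, s := range []string{cipher, kdf, ""} { // ciphername, kdfname, kdfoptions (each < 256 bytes)
		raw = append(append(raw, 0, 0, 0, byte(len(s))), s...)
	}
	raw = append(raw, 0, 0, 0, 1) // number of keys
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: raw})
}
```

A caller that sees a cipher other than "none" knows a passphrase is required before parsing, which is the decision the report above wants made up front instead of after a failed ssh.ParseRawPrivateKey().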

  • Unconventional fingerprint calculation

    This is not a bug report, this is a note for any who will try to use this software. And probably a README update request.

    I spent about half an hour in trying to figure out what's wrong with my keys, and then realized that you're using some unconventional way to calculate the key fingerprint.

    The OpenSSH MD5 fingerprint (as used in much other software, especially with ssh-* in the name) of test_data/id_rsa.pub is 95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8:

    wget https://raw.githubusercontent.com/ssh-vault/ssh-vault/bcf687340bba1fbd9cd00672d965d9b501dae259/test_data/id_rsa.pub
    ssh-keygen -lf id_rsa.pub -E md5 
    4096 MD5:95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8 no comment (RSA)
    

    And 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15 is an MD5 hash of the binary representation of the same key in PKCS8 format (aka SSH2 format):

    ssh-keygen -e -f id_rsa.pub -m pkcs8 | openssl pkey -pubin -outform der | openssl md5 -c
    (stdin)= 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15
    

    You wrote a few words about this in this blog post, but as I'm not an AWS user I had no idea how these formats differ.

  • Website blocked in India

    ssh-vault is amazing software and I love it!

    Unfortunately the Indian government is blocking access to https://ssh-vault.com/.


    Not sure if there is anything you can do, but wanted to let you know.

    GitHub isn't blocked so I can still access :)

  • unable to use ssh-agent

    Reading #6, it felt like there was some integration between ssh-vault and ssh-agent. I am hoping that decryption with ssh-vault view <a_vault> will happen without having to enter the passphrase of my ssh private key.

    Is there any chance that it will work?

    Information on my package

    ssh -V
      # OpenSSH_8.7p1 Debian-2, OpenSSL 1.1.1l  24 Aug 2021
    ./ssh-vault -v
      # 0.12.8
    
  • Why does it create the directory ~/.ssh/vault/keys?

    Even if I perform a seemingly read-only operation, e.g. ssh-vault -k ~/.ssh/id_rsa.pub view cipher.txt,

    it creates the directory ~/.ssh/vault/keys (empty). What is that for?

  • could not parse private key ssh: this private key is passphrase protected

    I'm running on ubuntu trying to decrypt a file:

    cat vault/encrypted | ./ssh-vault view
    could not parse private key: ssh: this private key is passphrase protected
    

    Looking at some of the code it looks like it should prompt for the pass phrase or pull it from the key chain.

    Any reason why it appears to be doing neither?

    lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.1 LTS
    Release:	20.04
    Codename:	focal
    
    
    ./ssh-vault -v
    0.12.6
    