Skip to main content
banner image
venafi logo

4 Ways to Start Protecting Your SSH Keys

4 Ways to Start Protecting Your SSH Keys

protecting ssh keys
December 29, 2017 | David Bisson

When organizations don't properly manage their Secure Shell (SSH) keys, they can expose themselves to significant digital security risks. Those threats commonly arise from the fact that companies routinely use SSH for privileged access, but don’t seem to recognize the high-level access that they grant. This relative ignorance becomes even more dangerous when SSH keys are used for automating processes across routers, firewalls, and other mission-critical systems. Once cyber criminals gain access to this interwoven network of machines, they can pivot within your network until they locate valuable data.

How well does your machine identity protection strategy stack up? Find out.


The good news is that exposure to SSH risks isn't inevitable. Organizations can protect themselves by creating secure practices for managing their SSH keys.

Here are four best practices for SSH key management that every organization should follow.

  1. Build an SSH Inventory
    You can't protect something about which you don't know. With that said, your organization should begin an SSH key management program by building an inventory of all SSH servers, private keys, and authorized keys that grant SSH access. You may be surprised by how many SSH keys you have. Many large organizations use more than one million SSH keys spread throughout their network. Your organization should ideally use an automated solution to make sure they discover SSH keys stored in user home directories as well as SSH configurations that limit access. You should then continue to actively manage this inventory as they add and/or decommission SSH-based assets.
  2. Identify Vulnerabilities in Your SSH Environment
    The next step to strong SSH key management is scanning an inventory for known vulnerabilities and issues. Your organization should use tools to identify threats such as SSH root access, weak keys, back door keys, duplicated private keys, port forwarding, and insecure configurations. Those tools should also help automate the identification process so that companies can respond to issues and vulnerabilities as soon as they detect them.
  3. Remediate Known SSH Issues
    Once you know there's an issue with your SSH environment, you should respond quickly by removing unauthorized keys, replacing old keys, and/or enforcing security controls that limit the accessibility and use of SSH keys. Ideally, your organization should automate these procedures and pair them with your identification tools. Doing so helps ensure consistent policy enforcement of SSH key lifecycle management. It also creates a trackable record of all changes to an organization's SSH assets.
  4. Monitor Your SSH Keys for Additional Risks
    With the above processes in place, you should continuously manage and track your SSH keys. Specifically, your organization should make a point of conducting SSH audits for compliance violations, assessing risk, and increasing accountability for identity and access management.

Managing Your SSH Key Environment

Organizations can best manage their SSH key environment by gaining complete visibility over all their keys and certificates. This objective includes identifying all encryption assets and monitoring them for vulnerabilities, detecting anomalies, and enforcing policies.

Learn more about machine identity protection. Explore now.


Like this blog? We think you will love this.
image of a salt shaker pouring salt into a pile, against a black background
Featured Blog

SaltStack Vulnerability Exploits Exfiltrate SSH Keys

Immediately following the public disclosure of these vulnerab

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies

Machine Identity Protection for Dummies

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more