Secure Methods for Sharing SSH Keys Across Teams: Best Practices for Cloud Environments


2 views

When managing cloud infrastructure, securely distributing SSH keys among team members presents unique challenges. The manual rotation of keys (weekly in your case) compounds this problem. Common suggestions like Dropbox or email are problematic because:

  • Email lacks proper encryption in most configurations
  • Cloud storage services don't provide sufficient access controls
  • Both methods leave audit trails incomplete

For teams without dedicated security infrastructure, consider these practical approaches:

1. Encrypted Git Repository

Create a private Git repo with encrypted key files:

# Encrypt key before committing
gpg --symmetric --cipher-algo AES256 id_rsa

# Decrypt when needed
gpg --decrypt id_rsa.gpg > id_rsa
chmod 600 id_rsa

2. Magic Wormhole for Direct Transfer

Use the magic-wormhole utility for secure peer-to-peer transfers:

# Sender
wormhole send id_rsa

# Receiver
wormhole receive

3. SSH Certificate Authority

Instead of sharing private keys, implement a certificate authority:

# On CA server
ssh-keygen -s ca_key -I user_identity -n username id_rsa.pub

# On client
ssh -i id_rsa -o CertificateFile=id_rsa-cert.pub user@host

For your LAN vs. remote colleagues situation:

Scenario Recommended Method
Local Network SSH-TOKEN with time-limited validity
Remote Team Members Age encryption with Slack/Mattermost integration

Since you're rotating keys weekly, consider this Ansible snippet for automation:

- name: Rotate SSH keys
  hosts: all
  tasks:
    - name: Generate new key
      openssh_keypair:
        path: "/tmp/new_key"
        type: ed25519
    - name: Distribute via vault
      ansible.builtin.uri:
        url: "https://vault.example.com/v1/ssh_keys"
        method: POST
        body:
          key: "{{ lookup('file', '/tmp/new_key') }}"

Whatever method you choose, ensure you can:

  • Track who accessed which keys
  • Revoke access immediately when needed
  • Maintain clear ownership of each key pair

When sharing SSH key pairs across teams, especially without enterprise infrastructure like VPNs or encrypted email servers, many developers resort to insecure methods:

# Bad example - sending keys via plaintext email
scp ~/.ssh/id_rsa user@example.com:/tmp/keyfile  # Then emailing the file

Dropbox and regular email expose your credentials to potential interception. Weekly rotation adds complexity - you need a system that's both secure and maintainable.

Here are production-tested approaches I've used with distributed teams:

1. SSH Certificate Authority (Advanced but Ideal)

# On your CA server:
ssh-keygen -s ca_key -I "team_identifier" -n "username" -V +1w id_rsa.pub

# On client machines:
echo "TrustedUserCAKeys /etc/ssh/ca.pub" >> /etc/sshd_config

This allows issuing short-lived certificates while keeping private keys local.

2. Encrypted File Sharing with Age

Using modern encryption tools:

# First install age: https://github.com/FiloSottile/age
age-keygen -o key.txt
age -R key.txt.pub id_rsa > encrypted_key.age

# Share encrypted_key.age and key.txt.pub separately
# Recipient decrypts with:
age -d -i key.txt encrypted_key.age > id_rsa

3. Temporary Web Server with Client Certificates

For LAN sharing, spin up an HTTPS server:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1
python3 -m http.server 8000 --bind 192.168.1.100 --certfile cert.pem --keyfile key.pem

Generate single-use credentials and share via chat. Server auto-terminates after transfer.

Since you're rotating weekly, consider automating with:

#!/bin/bash
# Rotate and distribute script
NEW_KEY=$(ssh-keygen -t ed25519 -f /tmp/new_key -N "" -q)
age -R ~/team_keys/recipients.txt /tmp/new_key | \
aws s3 cp - s3://secure-bucket/keys/new_key.$(date +%s).age --acl private
rm /tmp/new_key

Always verify received keys:

ssh-keygen -lf received_key.pub
md5sum received_key | compare_with_original_via_phone_call