When working with SSH keys stored on FAT-formatted volumes (including TrueCrypt containers), macOS users frequently encounter the frustrating error: Permissions 0644 for 'id_rsa' are too open. This occurs because:
- FAT filesystems don't support Unix-style permissions
- SSH enforces strict permission checks (0600 for private keys)
- macOS inherits the volume's permission limitations
While there's no direct way to disable SSH's permission checks, these solutions have proven reliable:
1. Bind Mount with Correct Permissions
Create a bind mount pointing to your key file with proper permissions:
mkdir ~/.ssh/secure_keys
sudo mount -t hfs -o bind ~/.ssh/secure_keys /Volumes/truecrypt/keys
chmod 600 ~/.ssh/secure_keys/id_rsa2. SSH Config Directive
Add this to your ~/.ssh/config:
Host myserver
HostName example.com
User myuser
IdentityFile /Volumes/truecrypt/keys/id_rsa
IdentitiesOnly yes
StrictHostKeyChecking no3. Temporary Permission Override
For one-time usage with ssh-agent:
cp /Volumes/truecrypt/keys/id_rsa ~/.ssh/temp_key
chmod 600 ~/.ssh/temp_key
ssh-add ~/.ssh/temp_key
ssh user@host
rm -P ~/.ssh/temp_keyWhen working with workarounds:
- Never disable SSH security checks system-wide
- Prefer bind mounts over copying keys to temporary locations
- Consider converting to APFS-encrypted containers if possible
- Always verify the integrity of mounted volumes
When working with encrypted containers (especially cross-platform formats like FAT-mounted TrueCrypt volumes), SSH's strict permission checks become problematic. The client enforces 0600 permissions for private keys, but FAT filesystems don't support Unix permissions at all. Here's what's happening under the hood:
# Typical error message
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/mnt/truecrypt/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
Option 1: Proxy Through Local SSH Agent
Load the key into ssh-agent before use:
# First make a properly-permissioned copy
cp /Volumes/truecrypt/id_rsa ~/.ssh/temp_key
chmod 600 ~/.ssh/temp_key
# Load into agent (will persist until reboot)
ssh-add ~/.ssh/temp_key
# Now connect using the agent
ssh -A user@host
# Clean up
shred -u ~/.ssh/temp_key
Option 2: Filesystem Bind Mount (Linux/MacOS)
Create a properly-permissioned view of the file:
# On Linux
mkdir -p ~/.ssh/secure_mount
sudo mount --bind /Volumes/truecrypt ~/.ssh/secure_mount
sudo chmod 700 ~/.ssh/secure_mount
ssh -i ~/.ssh/secure_mount/id_rsa user@hostFor frequent access, create a dedicated host entry in ~/.ssh/config:
Host myserver
HostName server.example.com
User myuser
IdentityFile /Volumes/truecrypt/id_rsa
StrictHostKeyChecking no
# Warning: This reduces security!
UserKnownHostsFile /dev/nullThen combine with a wrapper script:
#!/bin/bash
TEMP_KEY=$(mktemp)
cp "/Volumes/truecrypt/id_rsa" "$TEMP_KEY"
chmod 600 "$TEMP_KEY"
ssh -i "$TEMP_KEY" "$@"
rm -f "$TEMP_KEY"The strict permission requirements exist because private keys are equivalent to passwords. If other users can read your key file, they can impersonate you on all systems where that key is authorized. This becomes particularly critical when:
- Working on multi-user systems
- Using shared development environments
- Storing keys on portable drives
While the workarounds above solve the immediate problem, consider migrating to a permission-aware filesystem (ext4, APFS, NTFS with proper ACLs) for long-term key storage.