How to Automate SSH Key Rotation Every 90 Days for GDPR Compliance


When a GDPR compliance program requires credentials to be rotated every 90 days (GDPR itself names no interval; Article 32 asks for "appropriate" technical and organisational measures, and the 90-day figure is the internal policy or auditor interpretation most organisations adopt), SSH keys present operational challenges that passwords do not. Unlike web applications, where a password policy can be enforced centrally, SSH key rotation involves:

  • Key regeneration
  • Public key distribution
  • Old key revocation
  • Secure key archival

Changing the passphrase on an existing key is not a rotation: the key material, and the public half installed on every server, stay exactly the same. Rotation therefore always means a new key pair plus distribution of the new public key and removal of the old one. Here are proven approaches:

Option 1: Manual Rotation Process

# Generate new ED25519 key pair. Leave out -N "passphrase": given on the command line,
# the passphrase lands in shell history and is visible in `ps`; ssh-keygen will prompt for it.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "user@host-$(date +%Y%m%d)"

# Deploy public key to servers
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub user@server

# Verify access using only the new key (no silent fallback to the old identity)
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_new user@server true

# Revoke old key from authorized_keys. The file holds public keys, not fingerprints,
# so match on the old key's base64 blob (second field of the .pub file). grep -v exits
# non-zero if nothing is left, so the && chain then refuses to install an empty file.
old_blob=$(awk '{print $2}' ~/.ssh/id_ed25519.pub)
ssh user@server "grep -v -F '$old_blob' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new \
  && chmod 600 ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys"

Option 2: Infrastructure as Code Automation

For large-scale environments, consider these automation tools:

# Puppet manifest example for key distribution
class ssh_keys {
  file { '/home/user/.ssh/authorized_keys':
    ensure  => present,
    owner   => 'user',
    group   => 'user',
    mode    => '0600',
    content => template('ssh/authorized_keys.erb'),
  }
}

Most security-conscious organizations implement:

  • Automated rotation via CI/CD pipelines
  • Short-lived certificates through SSH CA
  • Ephemeral keys in containerized environments
  • Centralized key management solutions

# Example using HashiCorp Vault's SSH secrets engine in CA mode: Vault signs the user's public
# key and returns a certificate whose lifetime is the TTL configured on my-role (for example 24h)
vault write -field=signed_key ssh/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub

Rather than rotating long-lived keys every 90 days, consider these alternatives, which satisfy the same control objective (a credential that cannot outlive its authorisation):

  1. SSH certificates with short validity periods
  2. Multi-factor authentication
  3. Just-in-time access systems
  4. Network-level access controls

For organizations preferring certificate-based authentication:

# Generating CA-signed SSH certificate: -I is the identity sshd logs at login, -n the
# principals (login names) it is valid for, -V the validity window (here: from now for 90 days)
ssh-keygen -s ca_key -I key_id -n user1,user2 -V +90d id_rsa.pub
# Produces id_rsa-cert.pub; sshd stops accepting it after 90 days with no revocation step needed

When a compliance program requires credentials to be rotated every 90 days (a common reading of GDPR Article 32's "appropriate technical and organisational measures"; the regulation itself sets no interval), traditional SSH key management becomes problematic. Unlike password changes, which can be enforced programmatically, SSH keys need a more deliberate approach because:

  • Changing a key's passphrase (ssh-keygen -p) does not rotate anything: the key material and the public key installed on every server stay the same
  • Rotation therefore means generating a complete new key pair
  • Public key distribution across multiple servers must be synchronized, and the old public key must be removed everywhere once the new one is verified

Here are three viable approaches to automate SSH key rotation:

Option 1: Scripted Key Rotation


#!/bin/bash
set -euo pipefail

# Generate new key pair. -N "passphrase" is deliberately omitted: on the command line
# it ends up in shell history and in `ps` output; ssh-keygen prompts for it instead.
ssh-keygen -t ed25519 -f ~/.ssh/new_id_ed25519 -C "rotated-$(date +%Y%m%d)"

# Distribute public key to all servers (example using parallel SSH). $(cat ...) expands
# locally; the single quotes stop the remote shell from interpreting the key text.
pssh -h server_list.txt -l admin -i "umask 077 && mkdir -p ~/.ssh && echo '$(cat ~/.ssh/new_id_ed25519.pub)' >> ~/.ssh/authorized_keys"

# Verify access with the new key only, before touching the old one
ssh -o IdentitiesOnly=yes -i ~/.ssh/new_id_ed25519 server1 "echo Key rotation test successful"

# Remove the old public key from every server, matching on its base64 blob
# (authorized_keys stores key blobs, not fingerprints)
old_blob=$(awk '{print $2}' ~/.ssh/id_ed25519.pub)
pssh -h server_list.txt -l admin -i "grep -v -F '$old_blob' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys"

# Archive the old key pair (audit trail; emergency access belongs to a separate key kept
# outside the rotation cycle) and promote the new pair to the default name
mkdir -p -m 700 ~/.ssh/archive
mv ~/.ssh/id_ed25519 ~/.ssh/archive/id_ed25519_$(date +%Y%m%d)
mv ~/.ssh/id_ed25519.pub ~/.ssh/archive/id_ed25519_$(date +%Y%m%d).pub
mv ~/.ssh/new_id_ed25519 ~/.ssh/id_ed25519
mv ~/.ssh/new_id_ed25519.pub ~/.ssh/id_ed25519.pub
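Both "Option 1" procedures on this page either append the new key blindly or try to delete the old one by fingerprint, which authorized_keys does not contain. The helper below is an added example, not part of either original answer: it does the authorized_keys half of a rotation on a local file, appending the new key idempotently, removing the old one by its base64 blob (including lines that carry an options prefix such as from="..."), collapsing duplicates left by repeated appends, refusing to install a file that authorises nobody, and replacing the file atomically with mode 0600. On a fleet it would run on each host (for example via pssh) with the two .pub files shipped alongside. The keys in demo_rotation are constructed strings, not real keys.

```shell
#!/bin/sh
# Rotate one public key in an authorized_keys file. Matching is on the base64
# key blob (the field starting "AAAA"), never on a fingerprint: the file stores
# the key itself, and a fingerprint is what ssh-keygen -l derives from that blob.

key_blob() {                     # print the base64 blob of the public key in file $1
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }' "$1"
}

has_blob() {                     # exit 0 if blob $2 occurs anywhere in authorized_keys $1
  [ -f "$1" ] && awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$1"
}

# rotate_authorized_keys AUTHORIZED_KEYS OLD_PUB NEW_PUB
#   - appends the new key (idempotent: a second run changes nothing)
#   - drops every line carrying the old blob, with or without an options prefix
#   - keeps comments, blank lines and unrelated keys untouched
#   - writes atomically via mktemp+mv in the same directory, mode 0600
rotate_authorized_keys() {
  ak=$1; old=$(key_blob "$2"); new=$(key_blob "$3")
  [ -n "$old" ] && [ -n "$new" ] || { echo "cannot read key blobs" >&2; return 2; }
  [ "$old" != "$new" ] || { echo "old and new keys are identical" >&2; return 2; }
  [ -f "$ak" ] || ( umask 077; : > "$ak" ) || return 2
  tmp=$(mktemp "$ak.XXXXXX") || return 2
  awk -v old="$old" '
    /^[[:space:]]*(#|$)/ { print; next }          # comments and blank lines pass through
    {
      blob = ""
      for (i = 1; i <= NF; i++)                   # first AAAA field is the key blob; this skips
        if ($i ~ /^AAAA/) { blob = $i; break }    # an options prefix such as from="10.0.0.0/8"
      if (blob == "") { print; next }             # not a key line we understand: keep it as-is
      if (blob == old) next                       # retire the old key
      if (blob in seen) next                      # collapse duplicates from repeated appends
      seen[blob] = 1; print
    }' "$ak" "$3" > "$tmp" || { rm -f "$tmp"; return 2; }
  # lockout guard: never install a file that authorises nobody
  if ! awk '!/^[[:space:]]*(#|$)/ { n++ } END { exit (n == 0) }' "$tmp"; then
    rm -f "$tmp"; echo "refusing to leave $ak without any keys" >&2; return 1
  fi
  chmod 600 "$tmp" && mv "$tmp" "$ak"
}

# demo_rotation DIR: build a constructed authorized_keys in DIR (the blobs are
# made-up strings, not real keys) and rotate the old key out for the new one.
demo_rotation() {
  d=$1
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldOldOldOldOldOldOldOldOldOldOldOldOld0 user@host-20240101" > "$d/old.pub"
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewNewNewNewNewNewNewNewNewNewNewNewNew0 user@host-20240401" > "$d/new.pub"
  {
    echo "# break-glass key kept outside the rotation cycle"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBreakGlassBreakGlassBreakGlassBreakGla0 breakglass"
    echo "from=\"10.0.0.0/8\" $(cat "$d/old.pub")"   # old key with an options prefix
    cat "$d/old.pub"                                 # plain duplicate of the old key
  } > "$d/authorized_keys"
  rotate_authorized_keys "$d/authorized_keys" "$d/old.pub" "$d/new.pub"
}

if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d); demo_rotation "$dir"; cat "$dir/authorized_keys"; rm -rf "$dir"
fi
```

Run with `sh rotate_ak.sh demo` to see the result: the comment and the break-glass key survive, both copies of the old key are gone, and the new key is present once. The lockout guard only matters when a caller passes a file that contains nothing but the key being retired, but that is exactly the case an unattended rotation job will eventually hit.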

Option 2: Configuration Management Tools

Puppet manifest example for automated distribution:


# modules/ssh_keys/manifests/init.pp
# ssh_authorized_key manages the user's authorized_keys itself (on Puppet 6+ the type
# ships in the puppetlabs-sshkeys_core module), so no separate File resource is needed.
# `key` takes the base64 blob only: the second field of the .pub file, without the
# "ssh-ed25519" prefix or the comment.
define ssh_keys::deploy (
  String $user,
  String $public_key,                             # base64 blob only
  Enum['present', 'absent'] $ensure = 'present',
) {
  # The resource title must be unique per key, not per user: during the rotation
  # window the old and new key coexist, and the retired key is removed by declaring
  # it with ensure => absent (or by setting purge_ssh_keys => true on the user
  # resource so that anything not declared in Puppet is removed from the file).
  ssh_authorized_key { $title:
    ensure => $ensure,
    user   => $user,
    type   => 'ssh-ed25519',
    key    => $public_key,
  }
}

Based on discussions with security teams at major cloud providers:

  • 90-day rotation is actually more frequent than typical enterprise policies (most use 6-12 month cycles)
  • Consider implementing certificate-based SSH (more below)
  • Always maintain an emergency access key outside the rotation cycle

For large environments, consider moving to certificate-based authentication:


# On CA server: -I is the identity sshd logs at every login (name the key holder, not the CA),
# -n the principals it may log in as, -V the validity window; sshd enforces the expiry itself
ssh-keygen -s ca_key -I "$USER-$(date +%Y%m%d)" -n server_access -V +90d user_key.pub
ssh-keygen -L -f user_key-cert.pub      # shows Serial, Principals and the Valid: window

# On each server (sshd_config): trust the CA, map principals to accounts, keep a KRL for early revocation
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
RevokedKeys /etc/ssh/revoked_keys

# Client config (~/.ssh/config):
Host *
    CertificateFile ~/.ssh/user_key-cert.pub
    IdentityFile ~/.ssh/user_key

When implementing rotation, maintain:

  • Key generation logs with timestamps
  • Signed approvals for emergency access exceptions
  • Automated validation checks for key age
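For the last bullet, automated validation checks for key age, here is an added example in the same shell style; it is not from the original answers. It audits an authorized_keys file using the -YYYYMMDD stamp that the rotation scripts above write into the key comment, and assumes that convention. Keys without a stamp are reported as UNDATED rather than silently passed, which is where the break-glass exceptions that need a signed approval will surface. The sample file is constructed and its blobs are not real keys.

```shell
#!/bin/sh
# Key-age audit over authorized_keys, driven by a -YYYYMMDD stamp in the comment
# (assumed convention: "user@host-20240101", "rotated-20240101" and the like).

# cutoff_date DAYS: the YYYYMMDD date DAYS days ago (GNU date first, then BSD date)
cutoff_date() {
  date -u -d "-$1 days" +%Y%m%d 2>/dev/null || date -u -v-"$1"d +%Y%m%d
}

# audit_key_age AUTHORIZED_KEYS CUTOFF
#   CUTOFF is YYYYMMDD, e.g. "$(cutoff_date 90)". Prints one tab-separated line
#   "STATUS<TAB>blob-prefix<TAB>comment" per key that is
#     STALE    stamped before CUTOFF, or
#     UNDATED  carrying no -YYYYMMDD stamp, so its age cannot be proven,
#   and exits 1 if anything was reported, 0 if every key is inside the window.
audit_key_age() {
  awk -v cutoff="$2" '
    /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines
    {
      blob = ""; k = 0
      for (i = 1; i <= NF; i++)                       # first AAAA field is the key blob
        if ($i ~ /^AAAA/) { blob = $i; k = i; break }
      if (blob == "") next                            # not a key line
      comment = ""
      for (i = k + 1; i <= NF; i++) {                 # everything after the blob
        sep = (comment == "") ? "" : " "
        comment = comment sep $i
      }
      status = ""
      # a dash followed by eight digits at the end of the comment; spelled out
      # because not every awk supports the {8} interval syntax
      if (match(comment, /-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/)) {
        stamp = substr(comment, RSTART + 1, 8)
        if (stamp + 0 < cutoff + 0) status = "STALE"
      } else {
        status = "UNDATED"
      }
      if (status != "") {
        bad = 1
        print status "\t" substr(blob, 1, 20) "...\t" comment
      }
    }
    END { exit bad }' "$1"
}

# sample_authorized_keys FILE: write a constructed authorized_keys (the blobs are
# made-up strings, not real keys) with one stale, one fresh and one undated entry
sample_authorized_keys() {
  printf '%s\n' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldOldOldOldOldOldOldOldOldOldOldOldOld0 user@host-20231201' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewNewNewNewNewNewNewNewNewNewNewNewNew0 rotated-20240315' \
    'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBreakGlassBreakGlassBreakGlassBreakGla0 breakglass' \
    '# comments are ignored' > "$1"
}

if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  sample_authorized_keys "$f"
  audit_key_age "$f" "$(cutoff_date 90)" || echo "audit failed: rotate or approve the keys listed above" >&2
  rm -f "$f"
fi
```

The output is tab-separated so it can be fed straight into the key generation log or a ticketing hook; wire `audit_key_age ~/.ssh/authorized_keys "$(cutoff_date 90)"` into cron or the CI pipeline and treat a non-zero exit as a finding. Extending the stamp convention to the `-I` identity of SSH certificates gives the same audit for certificate holders, but there `ssh-keygen -L` already prints the validity window and is the better source.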