Rotating SSH keys

Keys that have not been rotated for years at a time give attackers a long window in which to compromise them. Rotation limits the lifetime of keys, reducing both the period during which a key can be attacked and the amount of data that is at risk if the key is broken.

Replacing SSH keys helps limit the exposure of a possible breach.

Trust Protection Platform rotates all types of keysets. In some cases, if Trust Protection Platform doesn't have direct access to the device, after replacing private keys you will need to click Resume before Trust Protection Platform proceeds with removing old public keys.

BEST PRACTICE  Keys should be rotated periodically. It should be done on a regular schedule in order to make the planning of rotation tasks easier. Without scheduled key rotation, unknown trust relationships would only surface during a security breach, making recovery more costly. Consider scheduling key rotations using a policy.

Periodic key rotations are not necessarily required for host keysets; they only need to be rotated when a compromise has occurred.

With Trust Protection Platform, you can rotate a single keyset (including a host keyset). You can also configure folders to rotate keysets based on schedule to help ensure that keys are getting rotated according to your organization's security practices.

IMPORTANT  When an SSH keyset is externally rotated, a new keyset is created, resulting in a lack of connection with the previous keyset/trust.

When rotating keysets, the primary goal is to never break the trust connection. That is, you don't want to replace the private key without also replacing all corresponding public keys. There are rotation stages that ensure that the trust connection is not broken. In general, the process works like this:

  1. A user clicks the Rotate Key button.
  2. The system connects to the host(s) and adds the new public key to the auth_keys folder.
  3. The system replaces the private key using the same name (old key material replaced with the new key material).

    If performing a simple rotation of the host keyset, or if Trust Protection Platform doesn't have direct access to the device (for example, self-service keys), after replacing private keys (step 3), you are prompted and need to click Resume before Trust Protection Platform proceeds with step 4. This pause is to ensure you have taken the required manual action to update the keys.

    Forced rotations and rollbacks of host keys will not be paused but will proceed automatically without showing the Resume option or requiring you to click it.

  4. The system removes the old public key from the hosts' auth_keys folder.
  5. The old private key is stored in the private key archive, so a rollback can occur, if needed.
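The staged flow above can be checked offline. The following is an added example written for this page, not Trust Protection Platform code: it models a keyset, its hosts' authorized_keys contents and the five stages as plain Python, including the Resume pause for keysets the platform cannot reach directly and the forced (non-pausing) rollback. The key blobs, host names and the `Keyset` class are constructed placeholders.

```python
"""Staged SSH key rotation that never leaves a private key without a matching
public key on the hosts.  Added example; key material below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Key types whose next field is the base64 key blob in an authorized_keys line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def key_material(line: str) -> str | None:
    """Return '<type> <blob>' for one authorized_keys line, ignoring leading
    options and the trailing comment; None for blank, comment or non-key lines.
    Assumes a quoted option value never contains a key-type token."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, tok in enumerate(fields[:-1]):
        if tok in KEY_TYPES:
            return f"{tok} {fields[i + 1]}"
    return None


def add_public_key(authorized_keys: str, new_line: str) -> str:
    """Append new_line unless the same key material is already present (idempotent)."""
    new_mat = key_material(new_line)
    if new_mat is None:
        raise ValueError("new key line carries no public key")
    lines = authorized_keys.splitlines()
    if any(key_material(l) == new_mat for l in lines):
        return authorized_keys
    lines.append(new_line.strip())
    return "\n".join(lines) + "\n"


def remove_public_key(authorized_keys: str, old_line: str) -> str:
    """Drop every line carrying old_line's key material; other entries are kept."""
    old_mat = key_material(old_line)
    kept = [l for l in authorized_keys.splitlines() if key_material(l) != old_mat]
    return ("\n".join(kept) + "\n") if kept else ""


@dataclass
class Keyset:
    name: str
    private_key: str                  # placeholder text standing in for key material
    public_key: str                   # authorized_keys-format line
    hosts: dict[str, str]             # host name -> authorized_keys file content
    direct_access: bool = True        # False models self-service keys (rotation pauses)
    archive: list[tuple[str, str]] = field(default_factory=list)  # (private, public)
    pending_removal: str | None = None  # old public key waiting for Resume


def rotate(ks: Keyset, new_private: str, new_public: str, forced: bool = False) -> str:
    """Stages 2-5 of the flow. Returns 'paused' or 'complete'."""
    old_public = ks.public_key
    # Stage 2: the new public key reaches every host BEFORE the private key changes,
    # so trust is never broken in between.
    for host in ks.hosts:
        ks.hosts[host] = add_public_key(ks.hosts[host], new_public)
    # Stage 5 (archive) before stage 3 (swap) so the old material is never lost.
    ks.archive.append((ks.private_key, ks.public_key))
    # Stage 3: replace the private key under the same name.
    ks.private_key, ks.public_key = new_private, new_public
    ks.pending_removal = old_public
    # Pause for Resume when the platform cannot reach the device itself;
    # forced rotations and rollbacks never pause.
    if not ks.direct_access and not forced:
        return "paused"
    return resume(ks)


def resume(ks: Keyset) -> str:
    """Stage 4: remove the old public key from every host; completes a paused rotation."""
    if ks.pending_removal is None:
        raise RuntimeError("no rotation is waiting to be resumed")
    for host in ks.hosts:
        ks.hosts[host] = remove_public_key(ks.hosts[host], ks.pending_removal)
    ks.pending_removal = None
    return "complete"


def rollback(ks: Keyset) -> str:
    """Reinstate the most recently archived pair via a forced (non-pausing) rotation."""
    if not ks.archive:
        raise RuntimeError("nothing to roll back to")
    old_private, old_public = ks.archive.pop()
    return rotate(ks, old_private, old_public, forced=True)


# Constructed sample data: not real keys or hosts.
OLD_PUB = "ssh-ed25519 AAAAC3OLDBLOBPLACEHOLDER deploy@ci"
NEW_PUB = "ssh-ed25519 AAAAC3NEWBLOBPLACEHOLDER deploy@ci"
OTHER = 'from="10.0.0.5" ssh-rsa AAAAB3OTHERBLOBPLACEHOLDER ops@bastion'


def demo_keyset(direct_access: bool = False) -> Keyset:
    return Keyset(
        name="deploy",
        private_key="OLD-PRIVATE-PLACEHOLDER",
        public_key=OLD_PUB,
        hosts={"web1": OLD_PUB + "\n", "web2": OTHER + "\n" + OLD_PUB + "\n"},
        direct_access=direct_access,
    )


if __name__ == "__main__":
    ks = demo_keyset()
    print(rotate(ks, "NEW-PRIVATE-PLACEHOLDER", NEW_PUB))  # paused: both keys on hosts
    print(resume(ks))                                       # complete: old key removed
    print(ks.hosts["web2"], end="")
```

Running the script with `direct_access=False` shows the pause: after `rotate` both public keys are on every host and the private key is already the new one, which is exactly the state the page says you must confirm before clicking Resume. Unrelated entries (the `from=` restricted key on web2) survive untouched, and `rollback` goes through the same add-then-remove ordering rather than a bare file overwrite.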
