There has been some concern regarding the security and safety of RightScale-managed personal or server/instance SSH keys. This article aims to help you secure your keys and keep your instances safe from remote threats.
There are a few things you can do to keep keys secure between your workstation(s) and your instance(s):
1. Encrypt your own private key - When using v5.x RightScale (or newer) images with RightLink, we use Managed Login procedures to manage your user's SSH keys for you. We automatically generate the user's public and private key pair and store them. The public key material is visible under the Settings -> User Settings -> SSH menu.
As an option, you can edit this setting and provide your own key pair. Paste in the contents of the public key you generated, and provide the path to the private key on your local system. RightLink will then use your own key pair instead of the one we provide for you. When generating this key pair, we recommend encrypting the private key with a passphrase to keep it secure.
See also: How do I generate my own SSH key pair?
2. Use home directory or full-drive encryption - Another similar option (and a best practice in general for business-class machines) is to encrypt your user's home directory or even the full drive. Since we store the RightScale private key in the user's home directory, it is best if this directory is encrypted and secured properly to prevent theft of the key.
3. If all else fails, rotate your AWS SSH key pairs often - If needed, you can always rotate your AWS SSH keys by deleting the old keys and creating new ones from within the RightScale Dashboard under the Clouds -> (Region) -> EC2 SSH Keys menu. Once the new key exists, you can assign it to your servers/instances and relaunch them, though this can become messy and long-winded if you have multiple servers that need a new key pair.
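To check items 1 and 2 on a workstation, the following added example (not RightScale code) scans a directory for private keys and reports any that have no passphrase or are accessible beyond their owner. The function names are hypothetical, and `~/.ssh` is an assumed default location, since this article does not name the exact path.

```python
import base64, binascii, os, stat, struct, sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(text):
    """True/False = passphrase-protected or not; None = not a private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Body starts: magic, then a length-prefixed cipher name ("none" = plaintext).
        try:
            blob = base64.b64decode("".join(lines[1:-1])[:128])
        except binascii.Error:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is flagged by a Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])

def audit_key_dir(directory):
    """Return (filename, problem) pairs for private keys found in directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                encrypted = key_is_encrypted(fh.read(65536))
        except OSError:
            continue
        if encrypted is None:
            continue
        if not encrypted:
            findings.append((name, "no passphrase"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append((name, "mode %o is accessible beyond the owner" % mode))
    return findings

if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    for name, problem in audit_key_dir(target):
        print("%s: %s" % (name, problem))
```

The script only reads key headers and file modes; it never needs or asks for a passphrase.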
Ultimately, RightScale works on a trust model that extends to your workstation, so it is up to the end user to keep their workstation and private key secure. Hopefully the methods mentioned above give you some insight into and control over your SSH key management. If you wish to discuss this further, our Support team is available at firstname.lastname@example.org or via the Support menu from the top-right drop-down in the Dashboard.
Alternatively, if you have any other feedback or ideas regarding SSH key pair security, you are welcome to include them on our feedback tracker at http://feedback.rightscale.com and subsequently vote for the idea to be included in an upcoming release.