Skip to main content
  1. Posts/

Harnessing GitHub Public Keys for Secure SSH Access and File Encryption

·3 mins

Did you know that GitHub exposes users’ public SSH keys? This feature allows you to easily access a user’s public keys via a simple URL, providing a convenient way to share and utilize them for various purposes. In this post, we’ll explore two practical applications of this feature:

  1. Granting SSH access to a user.
  2. Encrypting files for secure communication.

Let’s dive in!

Accessing a User’s Public Keys on GitHub #

Every GitHub user’s public SSH keys are available at:

https://github.com/<username>.keys

Replace <username> with the GitHub username of the person whose public keys you want to access.

1. Granting SSH Access #

By appending a user’s public keys to your server’s authorized_keys file, you can grant them SSH access without the need to exchange keys manually.

Command #

curl https://github.com/<username>.keys >> ~/.ssh/authorized_keys

Explanation #

  • curl: A command-line tool used to transfer data from or to a server.
  • https://github.com/<username>.keys: The URL that provides the user’s public SSH keys.
  • >> ~/.ssh/authorized_keys: Appends the fetched keys to your authorized_keys file, allowing the user to authenticate using their private key.

Note: Ensure you have the appropriate permissions and trust the user before granting SSH access to your system.

2. Encrypting Files #

You can encrypt files using a user’s public key fetched directly from GitHub. This method is useful for securely sending sensitive data that only the intended recipient can decrypt.

We’ll use age, a simple, modern, and secure file encryption tool. It’s an excellent alternative to GPG, designed to be easy to use and script.

Command #

curl https://github.com/<username>.keys | age -R - -o encrypted_file.age plaintext_file

Explanation #

  • curl https://github.com/<username>.keys: Fetches the user’s public keys.
  • |: Pipes the output of curl to the next command.
  • age -R - -o encrypted_file.age plaintext_file:
    • -R -: Tells age to read recipient public keys from standard input.
    • -o encrypted_file.age: Specifies the output file name for the encrypted file.
    • plaintext_file: The file you want to encrypt.

This command encrypts plaintext_file using the recipient’s public key and saves the encrypted output as encrypted_file.age.

3. Decrypting Files #

The recipient can decrypt the encrypted file using their private key.

Command #

age -d -i ~/.ssh/id_ed25519 -o decrypted_file encrypted_file.age

Explanation #

  • age -d: Decrypt mode.
  • -i ~/.ssh/id_ed25519: Specifies the path to the private key used for decryption.
  • -o decrypted_file: Specifies the output file name for the decrypted content.
  • encrypted_file.age: The encrypted file to be decrypted.

Note: Replace ~/.ssh/id_ed25519 with the path to your private key if it’s different.

Final Thoughts #

Leveraging GitHub’s exposed public keys streamlines the process of granting SSH access and encrypting files. It simplifies key distribution and enhances security by using trusted public keys associated with a user’s GitHub account.

However, always exercise caution:

  • Security Considerations: Ensure that you trust the GitHub account and the keys you’re importing. Malicious actors could create accounts with keys to gain unauthorized access.
  • Key Management: Regularly update and manage your SSH keys on GitHub, revoking any that are no longer in use.

By harnessing these techniques, you can enhance your workflows, improve security, and simplify key management.