SSH Client Key Protection

SSH Services

This table explains what the different services are used for, to help inform what protection settings are appropriate for the client keys for those services in a deployment.

Service Service Description


Main authority for administration of the SSH services on the HSM. This key should have the strongest protection.


nCore API service. Used by the hardserver for routine communication with the HSM.


Setup service. Used for some administration options such as factory state.


Updater service. Used for installing signed firmware upgrade packages.


Monitor service. Used for diagnostic operations such as retrieving logs with hsmadmin logs.

SSH Client Key Encryption

SSH client keys are protected by a passphrase derived from one or more inputs including machine IDs and user-supplied passphrases.

These passphrases are derived automatically by applications which use the SSH keys, and with the exception of the option of user-supplied passphrases do not prompt the user.

Available SSH Key Protection Options

The following are the supported protection options for SSH keys. Multiple options can be combined in any order.

Option Description


Per-key nonce. Ensures that the derived passphrase is unique to the key.


Fixed nonce present in the nShield client software.


System UUID. Ties the key to the local machine. On Linux, this is only readable by root. This is available on most systems.


Baseboard UUID. Ties the key to the baseboard (motherboard) of the local machine. On Linux, this is only readable by root. This may not be available on all systems.


Global nonce. Ties the key to the local OS install. The global nonce is readable only by root or Administrators and is generated the first time the option is used to protect a key.


User passphrase. The key will require a user-supplied passphrase (in addition to any other protection options specified).

User-supplied SSH Key passphrases

If a key is generated with protection by a user-supplied SSH key passphrase, there will be an interactive prompt on the console to enter and confirm the passphrase. When a key is loaded with passphrase protection, there will be an interactive prompt on the console to enter the passphrase.

To avoid interactive prompts for automation purposes, the user passphrase can be supplied using the environment variable NFAST_KEYPROT_PASS. If a user passphrase is specified for the ncoreapi service SSH key, then the environment variable is the only way to supply the passphrase as interactive prompts are disabled for the hardserver service.

Setting Protections on SSH keys

Protections are set on SSH keys when they are generated, either during hsmadmin enroll (if the keys are not already present) or during hsmadmin keys roll (if switching to a freshly generated set of SSH client keys).

Protections can be overridden using environment variables that are set in the environment of the above commands when the keys are generated. The protections for all SSH service keys can be overridden using the NFAST_KEYPROT environment variable. Individual SSH service keys can have their protections set directly using per-service environment variables as specified in the table below. If both NFAST_KEYPROT and the per-service environment variable are set, the per-service environment variable takes precedence.

Service Default Protection Environment Variable
















Permissions on SSH keys

Access to SSH keys is controlled by permissions on the directories they are created in. The key directories are created with permissions during installation of the nShield software.