Aegis Secure Key

Middleware requires that all personnel store SSH private keys on a FIPS 140-2 device.

Installation

Set your PIN

See ‘Changing your PIN’ in the quick start guide.

Format the device

Mac OSX

  • Launch Disk Utility: Applications->Utilities->Disk Utility
  • Select the Apricorn Secure device on the left side of the window (not the ‘SECURE KEY’ volume)
  • Select the ‘Erase’ tab
  • Select the ‘Format’ you want for your volume
    • Choose MS-DOS if you need to mount this device on non-Mac hosts
    • Choose Mac OS Extended if you will only be using this device on Mac hosts
  • Set the name of the device (can be changed at any time)
  • Click the ‘Erase’ button at the bottom right
  • Confirm you want to erase the device

Linux

First, unmount the device if it’s mounted. You may list mounted devices with the following command:

mount -l

Find your device in the list (Default Volume Label is SECURE KEY)

/dev/sdf1 on /media/SECURE\ KEY type ext4 (rw,nosuid,nodev,uhelper=udisks) [SECURE KEY]

Unmount the partition with the following command:

umount /dev/sdf1

We will use the fdisk utility to format the key. To find the details of your key, execute the following command:

sudo fdisk -l

...
Disk /dev/sdf: 4074 MB, 4074766336 bytes
126 heads, 62 sectors/track, 1018 cylinders, total 7958528 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000b8ed9
Device Boot      Start         End      Blocks   Id  System
/dev/sdf1              62     7952615     3976277   83  Linux
...

Start fdisk with the following command:

sudo fdisk /dev/sdf

Type p to list the partitions on the key. There should be only one:

Command (m for help): p

Disk /dev/sdf: 4074 MB, 4074766336 bytes
126 heads, 62 sectors/track, 1018 cylinders, total 7958528 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00033333
Device Boot      Start         End      Blocks   Id  System
/dev/sdf1              62     7952615     3976277   83  Linux

Type d to delete the partition:

Command (m for help): d
Selected partition 1

Type n to create a new partition (default values should be fine):

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): 
Using default response p
Partition number (1-4, default 1): 
Using default value 1
First sector (2048-7958527, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-7958527, default 7958527): 
Using default value 7958527

Type w to persist your changes and exit fdisk:

Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

Create an ext4 filesystem on the partition we just allocated with the following command:

sudo mkfs.ext4 -L [NEW VOLUME LABEL] /dev/sdf1

Windows

  • Unlock the USB device and plug it in.
    • It will be detected as a USB device.
    • Close the “AutoPlay” window if it opens.
  • Format the device.
    • Open the disk management utility: Start - Control - Administrative Tools - Computer Management - Disk Management
    • Right-click on the device under “Volume” and select: Format
    • Update the formatting parameters:
      • Enter a label, which will be part of the default path under Linux.
      • Select “NTFS” as the file system.
    • Click “OK” to start the formatting.
    • A warning will appear:
    • Click “OK” to accept the erasure and continue the formatting.
    • Wait until the formatting has completed, when the percentage reaches 100% and you see:
  • Assign a permanent drive letter to the device.
    • Continue using the disk management utility.
    • Right-click on the device under “Volume” and select: Change Drive Letter and Paths for … - Change
    • Assign the desired drive letter.
    • The following will be displayed:
    • Click “OK” in the “Change Drive Letter or Path” window.
    • A warning will appear:
    • Click “Yes” to complete the drive letter change.
    • Close the “AutoPlay” window if it opens.
  • Update other properties of the device.
    • Continue using the disk management utility.
    • Right-click on the device under “Volume” and select: Properties
    • On the “General” tab, uncheck the indexing option:
    • On the “Security” tab, set permissions according to your strategy.
    • Click “OK” to apply all changes that have been made and exit.
    • A confirmation window will appear:
    • Click “OK” to disable all indexing on the device (drive, subfolders and files):
  • Exit the disk management utility: File - Exit

RSA Key Generation

Mac OSX

  • Unlock the USB device and plug it in
  • Change directory to the device: cd /Volumes/<name>/
    • Create a .ssh directory if it doesn’t exist: mkdir .ssh; chmod 700 .ssh
  • Generate an ssh key: ssh-keygen -t rsa -b 2048 -f .ssh/<key-name>_rsa

Linux

  • Unlock the USB device and plug it in, then mount the volume: sudo mkdir /media/<name>; sudo mount -t ext4 /dev/sdf1 /media/<name>
  • Take ownership of the new volume: sudo chown <user>:<group> /media/<name>
  • Change directory to the device: cd /media/<name>
  • Create a .ssh directory if it doesn’t exist: mkdir .ssh; chmod 700 .ssh
  • Generate an ssh key: ssh-keygen -t rsa -b 2048 -f .ssh/<key-name>_rsa

Windows

Dual Use - Windows (PuTTY) and Linux

Environment:

  • Fedora 16 with default USB mounting.
  • Key generation on Linux.
  • Key conversion on Windows for use by “PuTTY” ssh client.

Linux actions:

  • Mount the device:
    • Unlock the USB device and plug it in.
    • Check automatic mounting of the USB device using “df -k”: /dev/sde ... /run/media/<username>/<Windows drive label>
    • Check that default permissions are correct (700) using “ls -l”: drwx------ 1 <username> <username> ... <Windows drive label>/
  • Initialize directory for the keys:
    • Change directory to the device: cd /run/media/<username>/<Windows drive label>
    • Create a “ssh” directory if it doesn’t exist: mkdir ssh
    • Check that default permissions are correct (700) using “ls -l”: drwx------ 1 <username> <username> ... ssh/
  • Generate a key:
    • Execute the key generation command: ssh-keygen -t rsa -b 2048 -f ssh/<key-name>_rsa
    • Check that default permissions are correct (600) using “ls -l ssh/”:
-rw------- ... <key-name>_rsa
-rw------- ... <key-name>_rsa.pub
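
The permission checks above (700 on the key directory, 600 on the key files), and the .ssh directory from the Linux key-generation steps, as an added shell example that is not part of the original page; the function names and the script name are hypothetical. It also compares the directory's filesystem with that of $HOME, because a locked or unmounted key leaves only an ordinary local directory at the mount point.

```shell
#!/bin/sh
# Added example (not from the original page): audit the key directory on the
# mounted secure key. Assumes GNU stat (-c), as shipped on Linux.

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# on_separate_device DIR REF -> 0 if DIR is on a different filesystem than REF.
# If the key is locked or unmounted, the mount point is only a directory on the
# local disk, and a key generated there never reaches the encrypted device.
on_separate_device() {
    [ "$(stat -c '%d' "$1")" != "$(stat -c '%d' "$2")" ]
}

# audit_key_dir DIR -> prints findings; return status is the number of problems
audit_key_dir() {
    dir=$1
    problems=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "FAIL: $dir has mode $(mode_of "$dir"), expected 700"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public halves are not secret
        m=$(mode_of "$f")
        case "$m" in
            600|400) ;;                        # owner-only access
            *) echo "FAIL: $f has mode $m, expected 600"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Usage: sh audit-key.sh /media/<name>/.ssh
if [ "$#" -ge 1 ]; then
    on_separate_device "$1" "$HOME" ||
        echo "WARN: $1 is on the same filesystem as \$HOME; is the key mounted?"
    audit_key_dir "$1"
fi
```

Files ending in .ppk are treated as private keys and must also be owner-only.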

Windows (PuTTY) actions:

  • Unlock the USB device and plug it in.
    • It will be detected as a USB device.
    • Close the “AutoPlay” window if it opens.
    • Make sure the drive letter is the desired permanent value - if not, change it using the disk management utility. Example: “AEGIS (V:)”
  • Convert the ssh key to the “PuTTY” key format.
    • Run the “PuTTY” key generation executable: puttygen.exe
    • If the “Open File - Security Warning” window appears, click “Run”.
    • The “PuTTY Key Generator” window will appear.
    • Click “Load”, browse to the “ssh” directory on the “Aegis Secure Key” drive, and select the private key to be converted.
    • Click “Open”.
    • The key is imported as indicated by the “PuTTYgen Notice”.
    • Click “OK”.
    • The “PuTTY Key Generator” window now shows details about the imported key.
    • Enter a passphrase, click “Save private key”, browse to the “ssh” directory on the “Aegis Secure Key” drive, and enter a “File name”.
      The recommendation is to use the same key name with the “PuTTY” private key extension “.ppk”.
    • Click “Save”.
    • Close the “PuTTY Key Generator”: File - Exit
    • The “ssh” directory on the “Aegis Secure Key” drive now has 3 entries for the key:
    • The “.ppk” version of the private key can be selected in a “PuTTY” ssh configuration as the “Private key file for authentication”:

Quick Start Guide