2019-12-19
On June 21, 2019, support for SSH key shielding was introduced into the OpenBSD tree, from which the OpenSSH releases are derived. SSH key shielding is a measure intended to protect private keys in RAM against attacks that abuse bugs in speculative execution that current CPUs exhibit.[0] This functionality has been part of OpenSSH since the 8.1 release. SSH private keys are now being held in memory in a shielded form; keys are only unshielded when they are used and re‐shielded as soon as they are no longer in active use. When a key is shielded, it is encrypted in memory with AES‐256‐CTR; this is how it works: [...]
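The shield/unshield cycle described above, as an added Go example that is not OpenSSH's own code: it assumes a 16 KiB random prekey hashed with SHA-512 to derive the AES-256-CTR key and IV (the excerpt elides the real implementation's parameters), and shows why the plaintext must be wiped and why the whole prekey has to be read intact before the key can be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
)

// Assumed parameters (this example's choice, not values from the post): a
// 16 KiB random prekey hashed with SHA-512 into a 32-byte AES-256 key and a
// 16-byte CTR IV, so an attacker must read the entire prekey without a
// single bit error before the AES key can be rebuilt.
const prekeyLen = 16 * 1024

// ShieldedKey holds the private key only as ciphertext plus its prekey.
type ShieldedKey struct {
	prekey     []byte
	ciphertext []byte
}

// xorCTR derives key and IV from the whole prekey and applies AES-256-CTR;
// CTR is symmetric, so the same function shields and unshields.
func xorCTR(prekey, in []byte) []byte {
	sum := sha512.Sum512(prekey)
	block, _ := aes.NewCipher(sum[:32]) // 32-byte key: NewCipher cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, sum[32:48]).XORKeyStream(out, in)
	return out
}

// Shield encrypts plain under a fresh random prekey and then zeroes plain,
// so no plaintext copy survives the call.
func Shield(plain []byte) (*ShieldedKey, error) {
	prekey := make([]byte, prekeyLen)
	if _, err := rand.Read(prekey); err != nil {
		return nil, err
	}
	ct := xorCTR(prekey, plain)
	for i := range plain {
		plain[i] = 0
	}
	return &ShieldedKey{prekey: prekey, ciphertext: ct}, nil
}

// Unshield returns a fresh plaintext copy; the caller must zero it after use
// (re-shielding) so the key is exposed only while actually in use.
func (s *ShieldedKey) Unshield() []byte { return xorCTR(s.prekey, s.ciphertext) }
```

Flipping a single bit of the prekey changes the SHA-512 digest entirely, so a partial or error-prone memory read of the prekey yields nothing usable.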
It's a good idea although the best application of effort might be putting your keys on the end of a USB connector. Play with the keys in a better spot, not play with the keys in a better way.
I have and use a Yubico key for various auth. For some things like Amazon AWS it's ridiculously simple to set up and even require for other users. Other applications somewhat harder.
I'd like to see something like that merged with watch/fitbit in some magical bluetooth manner, or NFC, perhaps. Enter my pin (lame password) by hand, push a button on my watch, away I go.
AFAIK there is no FIDO2, U2F compatible watch out there. I'd even wear a stylish sweatband wrist bracelet if necessary, if a watch would be impossible.
It's actually kinda odd that there's so many novelty flash drive containers but the only FIDO2 U2F key format is little flash-drive-alike thingies.