Two-factor authentication (2FA) is the way to go for authenticated access to anything that is more than a lab.

I use a YubiKey to protect my personal accounts and the password manager1 I use to maintain unique passwords for each service.

When it comes to using PKI on multiple machines, a common problem is where to store the private key and how to protect access to it.

I have read about people saving the key in a private Git repository; some use sync tools like Dropbox or GDrive. Others keep one private key per machine, which makes the keys hard to manage.

A few weeks ago Krypt.co appeared in my Twitter timeline, so I decided to try it. Here’s the result.

Enter Krypt.co

The idea behind Krypt.co is simple: store the private key on a mobile phone (iOS or Android) and have the client send a request to the phone whenever the key is needed to access a remote host.

The private key is generated on your phone’s secure crypto-coprocessor (iOS Secure Enclave, Android Keystore) and never leaves your device.

This is better than SMS 2FA and soft keys for many reasons.

The FAQ section on the website has details about use and installation.

How to use Krypton to access an IOS device

First we need to install the kr client on the computer and the Krypton app on the mobile phone. After that we pair the Krypton phone app with the computer.

To access an IOS device with key authentication we need to add the user’s public key to the router.

We get the public key first:

kr me

Then copy the key to the router. Split the key across multiple lines and type exit when finished.

Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username ifconfig
Router(conf-ssh-pubkey-user)#key-string
Router(conf-ssh-pubkey-data)#1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Router(conf-ssh-pubkey-data)#1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Router(conf-ssh-pubkey-data)#1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Router(conf-ssh-pubkey-data)#1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Router(conf-ssh-pubkey-data)#1234567890abcdef1234567890abcdef1234567890abcdef1234
Router(conf-ssh-pubkey-data)#exit
Router(conf-ssh-pubkey-user)#exit
Router(conf-ssh-pubkey)#exit

Enable SSH and local authentication on the VTY lines:

Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login local

We can optionally disable password and keyboard-interactive login (do this only after testing that key authentication works, otherwise you risk locking yourself out):

Router(config)#no ip ssh server authenticate user password
Router(config)#no ip ssh server authenticate user keyboard

Now we can SSH to the router using the private key on the phone:

ssh root@192.168.0.1
The authenticity of host '192.168.0.1 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:1234567890abcdef1234567890abcdef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (ECDSA) to the list of known hosts.
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Phone approval required. Respond using the Krypton app
Krypton ▶ Success. Request Allowed

Notice that we receive a request on the mobile phone to approve the access.
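Splitting the `kr me` output into key-string lines by hand is easy to get wrong. As an added example that is not part of the original post or of Krypt.co’s tooling, this Python helper parses an OpenSSH public-key line, checks that the key type inside the base64 blob matches the type prefix (so a mangled paste is rejected before it reaches the router), renders the ip ssh pubkey-chain block with only the base64 body split into lines, and computes the MD5 fingerprint of the key. The sample key is constructed and not a real key; the assumption that the hex fingerprint matches the key-hash IOS stores in the running-config after key-string entry should be verified on your own device.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int = 0) -> bytes:
    # Read the RFC 4251 string at `offset`; fail closed on truncation
    if len(buf) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    if len(buf) < offset + 4 + length:
        raise ValueError("truncated key blob")
    return buf[offset + 4:offset + 4 + length]


def parse_pubkey(line: str):
    # Parse one OpenSSH public-key line ("<type> <base64> [comment]") as
    # printed by `kr me`; the type inside the blob must agree with the prefix
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if _read_ssh_string(blob) != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the key blob")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    # MD5 over the decoded blob, what `ssh-keygen -E md5 -lf` prints (no colons)
    return hashlib.md5(blob).hexdigest()


def ios_pubkey_chain(line: str, username: str, width: int = 64) -> str:
    # Emit the ip ssh pubkey-chain commands; only the base64 body goes into
    # key-string, split into `width`-character lines as the article does by hand
    _, blob = parse_pubkey(line)
    body = base64.b64encode(blob).decode("ascii")
    chunks = [body[i:i + width] for i in range(0, len(body), width)]
    cfg = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    cfg += [f"   {chunk}" for chunk in chunks] + ["  exit", " exit", "exit"]
    return "\n".join(cfg)


# Constructed sample: ssh-rsa with e=65537 and a placeholder modulus, NOT a real key
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x7f" + bytes(range(1, 64))))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " kr-sample"
```

Feed it the line from `kr me` and paste the printed block into configure mode; compare the fingerprint with what the router stores to confirm the key went in intact.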

Final Notes

Krypt.co is not a solution for all use cases. I use it for my lab machines, most of which are connected to a ZeroTier network.

As with any product, I strongly advise reading the FAQ and thoroughly evaluating whether it fits your security policy.

Remember to rotate and distribute your SSH keys periodically.

  1. Bitwarden is my favorite now