SSH Agent: Encrypted RSA keys can't be removed from agent #1560
Closed
Description
There are major issues with encrypted RSA keys that were thrown in very late in the development cycle.
This is a high priority fix for 2.3.1.
Expected Behavior
Encrypted RSA keys are completely decrypted before any public key operation is performed. This was overlooked because the new OpenSSH-style key format (ED25519 by default, but also RSA, DSA, etc.) exposes the public key information without decryption, and support for that format was implemented first.
Current Behavior
RSA keys are not decrypted before public key operations are attempted, which causes the following bugs:
- Removing such key from agent through KeePassXC is not working
- Manual removal button does not work
- Automatic removal does not work, this is a big security issue
- Fingerprint and public key are invalid before key is manually decrypted
- Fingerprint is never updated to the correct one after decryption
Possible Solution
The UI needs some refactoring to do decryption when needed. Removing key from agent needs small refactors to keep the public key data of a decrypted key in memory.
Workaround for users
- If you are embedding a key file inside your database you can decrypt it before attaching the file as it provides no added security
- If you are using an external encrypted key on your filesystem, you can convert it to the new OpenSSH format with `ssh-keygen -o -p -f id_rsa`; this also improves the encryption of your private key on disk
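The distinction behind both the bug and the workaround is a property of the on-disk key format: the OpenSSH `openssh-key-v1` container (what `ssh-keygen -o` writes) carries the public key blobs and cipher/KDF names in the clear ahead of the encrypted private section, so a fingerprint can be computed without a passphrase, whereas a legacy PEM `RSA PRIVATE KEY` with `Proc-Type: 4,ENCRYPTED` exposes nothing until it is decrypted. The following parser, an added example that is not KeePassXC code, reads both shapes and reports what is available without decryption. The sample key material it builds is constructed (a placeholder 32-byte ed25519 public key and dummy private section), not a real key.

```python
"""Inspect an SSH private key file without decrypting it (added example).

Shows why OpenSSH-format keys expose a fingerprint before decryption while a
legacy encrypted PEM RSA key does not. Sample key data below is constructed.
"""
import base64
import hashlib
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, pos: int):
    """Decode one SSH 'string' starting at pos; return (payload, new_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + n], pos + n


def fingerprint(pub_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a wire-format public key blob."""
    digest = hashlib.sha256(pub_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def inspect_private_key(pem_text: str) -> dict:
    """Return what a private key file reveals *without* the passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        pos = len(OPENSSH_MAGIC)
        cipher, pos = _read_string(body, pos)      # "none" when unencrypted
        kdf, pos = _read_string(body, pos)         # "bcrypt" or "none"
        _kdf_opts, pos = _read_string(body, pos)   # salt + rounds; unused here
        if pos + 4 > len(body):
            raise ValueError("truncated key count")
        (nkeys,) = struct.unpack(">I", body[pos:pos + 4])
        pos += 4
        pubs = []
        for _ in range(nkeys):                     # public blobs are in the clear
            blob, pos = _read_string(body, pos)
            ktype, _ = _read_string(blob, 0)
            pubs.append({"type": ktype.decode(), "fingerprint": fingerprint(blob)})
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "public_keys": pubs}
    # Legacy PEM: the public modulus lives inside the (possibly encrypted) DER
    # body, so nothing about the key can be reported until it is decrypted.
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])
    return {"format": "legacy-pem", "encrypted": encrypted, "public_keys": []}


def build_openssh_sample(encrypted: bool) -> str:
    """CONSTRUCTED openssh-key-v1 file around a dummy ed25519 public key.

    The 32 public-key bytes are a placeholder and the private section is
    opaque filler; this example never needs to decrypt it.
    """
    pub_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdf_opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt, rounds
    else:
        cipher, kdf, kdf_opts = b"none", b"none", b""
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdf_opts) + struct.pack(">I", 1)
            + _ssh_string(pub_blob) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy encrypted PEM (body is filler, not a real key).
LEGACY_ENCRYPTED_RSA = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, text in [("openssh (encrypted)", build_openssh_sample(True)),
                        ("legacy PEM (encrypted)", LEGACY_ENCRYPTED_RSA)]:
        print(label, inspect_private_key(text))
```

Run it and the OpenSSH sample yields a type and `SHA256:` fingerprint even though `encrypted` is true, while the legacy PEM yields an empty public key list. That is exactly the asymmetry in the issue: an agent-removal or fingerprint path that only ever handled the first shape silently gets nothing usable from the second until the key has been decrypted.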
Steps to Reproduce (for bugs)
- Use an encrypted non-OpenSSH-format RSA key (the default ssh-keygen format) with KeePassXC
- Try adding to agent (works)
- Try removing from agent (doesn't)
- Try remove-on-lock feature (doesn't)