Manage SSH Keys

This topic describes how to manage SSH Keys.

Technical specifications

The following table lists the technical specifications that are relevant to SSH Key management:

Technical Specification

Supported values

SSH server on target machine


Private Key format

OpenSSH (PEM), Putty, Tectia

Key length

1024, 2048, 4096, 8192 bits

Note: When generating a key of 8192 bits, adjust the platform timeout to 15 minutes due to the time it will take to generate a key this long.

Key encryption


Public Key file

The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.

Note: If this path does not exist, the SSH Key Manager creates it automatically with the following permissions:

  • .ssh folder – 700
  • authorized_keys file – 600

Rotate SSH keys

The SSH Key Manager generates new random SSH Key pair and updates the public SSH Key on target machines. The new private SSH key is then stored in the Digital Vault where it benefits from all accessibility and security features of the Digital Vault. The SSH Key Manager updates SSH Key content with no human intervention, according to the organizational Policy.

You can configure the SSH Key Manager to rotate SSH keys according to any of the following criteria:




After the SSH keys have been provisioned in the Vault.

Single use

After a single use.

Expiration period

After a predefined period of time.

Specific days

On specific days of the week.


SSH key change processes can also be initiated manually.

Verify that keys are synchronized

The SSH Key Manager can verify whether or not a private SSH key stored in the Digital Vault is synchronized with the corresponding public SSH key on remote machines. If the keys are not synchronized, they cannot be used. Therefore, whenever this happens, the SSH Key Manager can automatically reconcile the SSH Key pair and resynchronize the private SSH Key stored in the Vault with all public SSH Keys on the target servers. For details, see Reconcile SSH keys. In addition, you can configure the SSH Key Manager to send a notification to predefined users, whenever an unsychrnonized SSH Key is detected, so that they can identify the unsynchronized SSH keys and regain control over the target machine.

You can configure the SSH Key Manager  to verify SSH key content according to any of the following criteria:

Criteria Description
Expiration period After a predefined period of time.
Specific days On specific days of the week.
Specific timeframe During a predefined timeframe.
Manually SSH key verification processes can be initiated manually.

Reconcile SSH keys

The private SSH Keys stored in the Vault must be synchronized with corresponding public SSH Keys on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that the private and public SSH Key pairs are synchronized. If the verification process discovers pairs of SSH Keys that are not synchronized, it can reset the SSH Key pairs and reconcile them. This ensures that the private and public SSH Keys are resynchronized automatically, without any manual intervention.

The CPM uses a reconcile account to carry out the reconciliation operation. This account requires permission to update the public SSH Key of the target account, and can use either a password or SSH Key to authenticate to the target server.

  • The reconcile account must use a root user or a power user with root permissions.
  • If the reconcile account user authenticates to the target server with a password, on the target machine, in sshd_config, set the PasswordAuthentication parameter to yes.

You can configure the SSH Key Manager to reconcile SSH keys according to either of the following criteria:

Criteria Description


As soon as the CPM detects an SSH Key pair that is not synchronized, as part of either the verification or rotation process, it will automatically reconcile the SSH Key.

Manually SSH key change processes can be initiated manually.

Manage the same SSH key on multiple targets

A single SSH Key can be used to access multiple target systems. The same public key is distributed to each target system where a privileged account can be authenticated using the same SSH Key.

Each privileged account for each target system must be created in the Vault, and then, to ensure the use of the same SSH Key, these SSH Key accounts are grouped together. In order to identify SSH Keys that are part of the same group in the Pending accounts list, you can add the Fingerprint property to the pending accounts list columns and sort by the fingerprint. Every account that has the same fingerprint belongs to the same group.

When you create an SSH Key group, first create the group manager platform, then create or onboard the group members and link them to the group. Users who are members of the Vault Admins group can manage SSH Key group platforms.

Create platforms for multiple targets

SSH Key groups require two types of platforms. Create and define them as described below.

Define Account Groups

After the group manager platform and individual platforms have been created, define SSH Key groups. For details, see Add an account in V10 Interface.