Frequently Asked Questions

Why Kryptonite?
Kryptonite combines the secure key storage of a USB smart card with a familiar mobile phone interface. The Kryptonite app performs SSH signatures without revealing the private key to a paired computer. A Kryptonite SSH key can be used without modifying any servers, allowing users to secure their GitHub, AWS, and Google Cloud SSH authentication without any changes to their infrastructure. Communication with Kryptonite occurs over encrypted and signed push notifications and Bluetooth, ensuring high availability and low latency. Kryptonite also verifies and displays exactly which server is being logged in to, unlike USB solutions that do not have a user interface.
I use password-based authentication to connect to GitHub and my servers, why should I use Kryptonite?
It is well known that users reuse passwords, or small variations of them, across services, so a compromise of one service becomes a compromise of many. Expecting users to remember a highly random password for every service is unreasonable, and many of the passwords people actually choose can be brute-forced. Finally, passwords are annoying to type every time you push code or log in to a server.
I keep my private key in ~/.ssh, why should I use Kryptonite?
Any application you run or install can silently read, use, and send off your private key without your knowledge. Kryptonite requires your explicit permission to use the private key and records every SSH access.
I passphrase encrypt my SSH private key, why should I use Kryptonite?
A passphrase-encrypted key is decrypted when you enter the passphrase and is then held, unencrypted, by a running SSH agent. Any process running as your user, including malware, can ask the agent to sign with that key without your knowledge. The same malware can also pose as an SSH agent by pointing the SSH_AUTH_SOCK environment variable at its own socket; the next time the key is loaded into the agent with ssh-add (or by ssh itself when AddKeysToAgent is enabled), the impostor receives the private key in plaintext.
I have two-factor authentication enabled on my servers, why should I use Kryptonite?
Adding a second factor to either password or public key authentication requires changes to every SSH server. Kryptonite works out of the box without any server changes. With third-party hosted services (GitHub, Bitbucket, etc.) you cannot integrate your own second factor on the server side at all. Many solutions require users to type a 6-digit passcode for every login, and others rely on a centralized server to perform the second-factor verification.
I have two-factor authentication enabled on my GitHub account. Why should I use Kryptonite?
GitHub's two-factor authentication protects logins to the GitHub website; it is not enforced when you push or pull code over SSH, where the SSH key alone is sufficient. With Kryptonite, using the SSH key requires access to, and approval on, your phone.
I use a smart card (NitroKey, YubiKey, etc) to store my private key securely. Why should I use Kryptonite?
With a smart card you can generate and store SSH keys in a separate piece of hardware connected over USB. While the private key may not be extractable from the device, you now have to buy and carry another piece of hardware that occupies a USB port. The smart card is configured from the workstation itself, which may be compromised. And when you approve a signature, the only feedback is a blinking light: nothing tells you what you are actually signing or which host asked for it.
How do I install kr on my computer?
curl https://krypt.co/kr | sh

Or install from source: github.com/kryptco/kr.
For more ways to install kr, visit https://krypt.co/install. Piping a download straight into sh runs whatever the server returns; if you would rather read it first, save the script to a file, inspect it, and then run it.
Does krypt.co have access to my SSH private key?
No. The SSH private key is generated on the mobile device and never leaves it. No third party has to be trusted with key material, and all of the Kryptonite source code is published.
Where can I inspect the Kryptonite source code?
The Kryptonite source code for kr, kryptonite-ios, and kryptonite-android is published at github.com/kryptco. Feel free to compile Kryptonite from source and run it on your phone and workstation.
How is the SSH private key stored on my phone?

On iOS, Kryptonite generates a 4096-bit RSA key pair using Apple's Security framework, or optionally an Ed25519 key pair using libsodium. Kryptonite stores the private key in the iOS Keychain with accessibility level kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, meaning the key is usable only after the device has been unlocked at least once since boot and is never migrated to another device through backups. To learn more about the security of Apple's cryptography libraries and the iOS Keychain see: https://www.apple.com/business/docs/iOS_Security_Guide.pdf.

On Android, Kryptonite generates a 3072-bit RSA key pair (generating a 4096-bit key in secure hardware takes too long). The private key is stored in the Android Keystore, which on supported devices is backed by secure hardware (a trusted execution environment) so that the key cannot be extracted, even by Kryptonite itself. The Keystore performs private key operations as a black box: the app submits the data to be signed and receives only the signature.

If the SSH private key never leaves my phone, how does it work?
The role of a private key in an SSH login is to sign an authentication challenge: the session identifier from the key exchange together with the user authentication request, so the signature is bound to one specific connection and cannot be replayed elsewhere. When a signature is required, your workstation (through kr) sends the exact bytes to be signed to Kryptonite on the paired phone. If you authorize the request, Kryptonite produces the signature with the private key and returns only the signature to the workstation; the key itself is never transmitted.
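The exchange described above, as an added example in Go (kr's own language) that is not Kryptonite's code: a workstation-side stand-in builds the exact byte string an SSH client asks its agent to sign for publickey authentication (RFC 4252 section 7), and a phone-side stand-in parses that blob, exposes what is being signed (user, service, key) for an approval prompt, refuses anything that is not a well-formed publickey request or that names another key, and returns only the signature. The same parsed fields are what a device with a screen can show before approving, which a blinking light on a USB token cannot. The key is derived from a fixed seed and the session identifier is a constant purely so the example runs offline; a real device draws the seed from its hardware RNG and the session identifier is the SSH key-exchange hash. The pairing transport, push notifications and the host-verification display are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// putString appends an RFC 4251 "string": big-endian uint32 length, then the bytes.
func putString(b *bytes.Buffer, s []byte) {
	binary.Write(b, binary.BigEndian, uint32(len(s)))
	b.Write(s)
}
// getString pops one RFC 4251 string off the front of data, length-checked.
func getString(data []byte) (s, rest []byte, err error) {
	if len(data) < 4 || uint64(binary.BigEndian.Uint32(data)) > uint64(len(data)-4) {
		return nil, nil, errors.New("truncated string")
	}
	n := 4 + binary.BigEndian.Uint32(data)
	return data[4:n], data[n:], nil
}

// AuthRequest is what a publickey signature covers (RFC 4252 section 7).
type AuthRequest struct {
	SessionID []byte // binds the signature to this one SSH session
	User      string
	Service   string
	Algorithm string
	PubKey    []byte // SSH wire encoding of the key being offered
}

// Encode produces exactly the bytes the SSH client hands its agent to sign.
func (a AuthRequest) Encode() []byte {
	var b bytes.Buffer
	putString(&b, a.SessionID)
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	putString(&b, []byte(a.User))
	putString(&b, []byte(a.Service))
	putString(&b, []byte("publickey"))
	b.WriteByte(1) // TRUE: this request carries a signature
	putString(&b, []byte(a.Algorithm))
	putString(&b, a.PubKey)
	return b.Bytes()
}

// ParseAuthRequest decodes a to-be-signed blob so the signer can show the user
// what it is about to sign, and rejects anything that is not such a request.
func ParseAuthRequest(data []byte) (a AuthRequest, err error) {
	var user, service, method, alg []byte
	next := func(dst *[]byte) bool { *dst, data, err = getString(data); return err == nil }
	fixed := func(want byte) bool { // consume one expected byte (message type or boolean)
		if len(data) > 0 && data[0] == want {
			data = data[1:]
			return true
		}
		err = errors.New("unexpected byte in request")
		return false
	}
	if !(next(&a.SessionID) && fixed(50) && next(&user) && next(&service) &&
		next(&method) && fixed(1) && next(&alg) && next(&a.PubKey)) {
		return a, err
	}
	if string(method) != "publickey" || len(data) != 0 {
		return a, errors.New("not a publickey userauth request")
	}
	a.User, a.Service, a.Algorithm = string(user), string(service), string(alg)
	return a, nil
}

// ed25519Blob is the SSH wire form of an Ed25519 public key (RFC 8709).
func ed25519Blob(pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, pub)
	return b.Bytes()
}
type Phone struct{ priv ed25519.PrivateKey } // stands in for the device holding the key

// Sign parses the request, checks that it names this phone's key, asks the
// user, and returns only the signature; the private key never leaves Phone.
func (p Phone) Sign(toSign []byte, approve func(AuthRequest) bool) ([]byte, error) {
	req, err := ParseAuthRequest(toSign)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(req.PubKey, ed25519Blob(p.priv.Public().(ed25519.PublicKey))) {
		return nil, errors.New("request names a different key")
	} else if !approve(req) {
		return nil, errors.New("user declined")
	}
	return ed25519.Sign(p.priv, toSign), nil
}

// Demo runs the round trip on a constructed request (not captured traffic) and
// returns what the approval prompt would show and whether the workstation,
// holding only the public key, can verify the signature it got back.
func Demo() (shown AuthRequest, verified bool, err error) {
	// Fixed seed and session ID so the example runs offline (constructed values).
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	sessionID := bytes.Repeat([]byte{0xab}, 32)
	toSign := AuthRequest{sessionID, "git", "ssh-connection", "ssh-ed25519", ed25519Blob(pub)}.Encode()
	sig, err := Phone{priv}.Sign(toSign, func(a AuthRequest) bool { shown = a; return true })
	if err != nil {
		return shown, false, err
	}
	return shown, ed25519.Verify(pub, toSign, sig), nil
}
```

Demo() returns the fields an approval prompt would display alongside the verification result; the three refusal paths in Phone.Sign (malformed blob, request for another key, user declined) are what keep the signer from blindly signing whatever the workstation hands it.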
What happens if I lose my phone?
First remove the old SSH public key from every account and server that trusts it (GitHub, AWS, the authorized_keys files on your own servers). Then, once Kryptonite is installed on your new phone, add the new public key to the accounts you were using SSH with before.
How does Kryptonite affect my SSH client?
Upon install, Kryptonite adds a few lines to your SSH configuration (~/.ssh/config) that cause SSH to offer your Kryptonite key. Your other keys are still offered; the Kryptonite key is used only when the server you are connecting to accepts it.
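The way an external agent is normally wired into OpenSSH, as an added illustration and not the exact lines kr writes (the socket path is an assumption):

```ssh_config
# Added illustration, not kr's own config block. The socket path is assumed.
# IdentityAgent makes ssh ask this agent, rather than $SSH_AUTH_SOCK, for keys.
Host *
    IdentityAgent ~/.kr/krd-agent.sock
```

Whatever lines are actually present, you can confirm what ssh will offer by running ssh -v git@github.com and reading the "Offering public key" lines, or by listing the agent's keys with ssh-add -L while SSH_AUTH_SOCK points at that socket.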
How does my phone communicate with my computer securely?
Your phone generates a session key pair and encrypts the public key to your workstation upon pairing. All communication is encrypted and authenticated using session key pairs.
Can I backup my private key?
Backing up your private key reduces its security to the security of the backup. We do not currently support backing up or extracting your private key. In the future we may add key splitting among team members or transferring your private key directly to a new phone.

Have more questions? hello@krypt.co