What is a good and safe way of sharing ssh-keypairs?

I have a few key pairs that are used for authentication to ssh into my servers on the Amazon cloud. I rotate those certificates weekly, manually. My question is, I need to share the certificates with some colleagues, a few on the LAN, and a few in another part of the country. What is the best practice to share the certificate? My initial thoughts were Dropbox and email. We don't host dedicated email servers with encryption and all, and don't have a VPN.

Thanks.


I doubt you're really using certificates for authentication. Almost all non-password-based SSH authentication is done with public-private key pairs, but without certificates getting involved at all. Before writing this answer, I Googled "ssh certificates", and the first 5 hits were from idiots erroneously referring to bare public keys (not certificates) as certificates.

Here's how SSH authentication via public-private key pairs works:

First, you generate a key pair. These are two cryptographically linked keys, where anything encrypted with one key can only be decrypted by the other, and vice-versa. One of the two keys in the pair is deemed the public key, and you don't care who sees it. In fact in most cases you WANT your public key to be published to the world, far and wide. The other key is deemed the private key, and you don't want anyone but you to get access to your private key.

In the case of SSH authentication by public-private key pair, you put your public key in the authorized_keys file in your account on the server (in this case your Amazon EC2 instance), and the server allows anyone knowing the private key that's coupled to that public key to log into the server.

Who cares if someone breaches your account on your Amazon EC2 instance and steals your public key? A public key doesn't allow them to log into anything as you, because knowing the public key doesn't allow them to know the private key, and you can't log into the account unless you have the private key that goes with the public key that's in the account.

You only need to change your SSH public keys on your Amazon EC2 instance when your private key (on your own SSH client machine at home or at work) gets breached.

If you need your cow-orkers to be able to log into the same accounts on your EC2 instances, have them send you their SSH public keys -- via any medium, no secrecy required, since these are just their public keys, not their private keys -- and append those public keys to the authorized_keys files in the accounts on your Amazon EC2 instances. Then, you can all log into those accounts and you can all keep your private keys completely private by never sending them anywhere.


As long as you are not sharing the private key, and only the public key, you are safe to send it over the least secure communication method you can think of. It is computationally prohibitive to try to derive the private key from the public key, and will continue to be until quantum computers get their legs.

For some background, check out here.
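An added example, not code from the question or either answer above, covering the workflow both answers describe: collect each colleague's SSH public key (which may travel over any channel), check it, and append it to authorized_keys. It uses only the Python standard library. Assumptions: the accepted key types are the ones listed in ALLOWED_TYPES (bare keys only, no OpenSSH certificate types); the sample key lines are constructed, with 32 filler bytes standing in for a real Ed25519 public point, and are not real keys. The fingerprint function reproduces the SHA256 form that `ssh-keygen -lf` prints, so the value can be read back to the colleague by phone or chat. That is the one check sending a public key over an insecure channel still needs: confidentiality is not at stake, but a key swapped in transit would grant the wrong person access.

```python
import base64
import hashlib
import struct

# Bare public key types this script accepts. Certificate types
# (*-cert-v01@openssh.com) are deliberately excluded: they carry more
# fields and are not what the answers above describe.
ALLOWED_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def _wire_string(data):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_wire_string(blob, offset=0):
    """Decode one wire-format string from blob at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line):
    """Parse a '<type> <base64 blob> [comment]' line as sent by a colleague.

    Returns (key_type, blob, comment). Raises ValueError if the line is not a
    well-formed bare public key, or if the type written at the front of the
    line disagrees with the type embedded inside the blob (a common sign of a
    hand-edited or mangled key)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_wire_string(blob)
    if embedded != key_type.encode("ascii"):
        raise ValueError(f"line says {key_type!r} but blob says {embedded!r}")
    return key_type, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints: base64 of the
    digest over the raw blob with trailing '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _blob_of_existing_line(line):
    """Return the decoded blob for an authorized_keys line (which may start with
    an options field such as 'restrict,from="..."'), or None for comments/blanks."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ALLOWED_TYPES:
            try:
                return base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
    return None


def merge_authorized_keys(existing, new_lines, options=None):
    """Return the existing authorized_keys text with each new key appended once.

    Keys already present (compared by blob, ignoring comment and options) are
    skipped, so a colleague re-sending a key is harmless. If `options` is given
    (for example "restrict" or 'from="203.0.113.0/24"'), it is prefixed to every
    appended line."""
    seen = {_blob_of_existing_line(l) for l in existing.splitlines()}
    seen.discard(None)
    out = existing if existing == "" or existing.endswith("\n") else existing + "\n"
    for line in new_lines:
        key_type, blob, comment = parse_public_key(line)
        if blob in seen:
            continue
        seen.add(blob)
        entry = f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()
        out += (f"{options} {entry}" if options else entry) + "\n"
    return out


def constructed_ed25519_line(fill_byte, comment):
    """CONSTRUCTED sample key line: 32 filler bytes stand in for the Ed25519
    public point. Framed exactly as OpenSSH frames a real key, but not one."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(bytes([fill_byte]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    alice = constructed_ed25519_line(0x41, "alice@laptop")
    bob = constructed_ed25519_line(0x42, "bob@remote-office")
    current = "# keys for the deploy account\n" + alice + "\n"
    # bob is new and gets appended with 'restrict'; alice is already present and skipped
    print(merge_authorized_keys(current, [bob, alice], options="restrict"))
    for line in (alice, bob):
        _, blob, comment = parse_public_key(line)
        print(comment, fingerprint(blob))  # read this back to the sender to confirm
```

The blob comparison is what makes the dedup honest: the same key sent with a different comment, or with and without an options prefix, is still one key. The declared-type versus embedded-type check catches the most common way a pasted key goes wrong before it ever reaches the server.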