@ameliaikeda
Last active February 17, 2016 13:34
#!/bin/bash
set -eu
# Use homebrew openssl, because it's built from source and up-to-date
# (the -iter option used below needs OpenSSL 1.1.0 or later).
openssl="$(brew --prefix openssl)/bin/openssl"
comment="Full Name <[email protected]>"
keypath="${HOME}/.ssh/id_rsa"
# Private key material must not be group- or world-readable: create ~/.ssh and both key files owner-only.
umask 077
mkdir -p "${HOME}/.ssh"
# Generate a 4096bit RSA key. Don't give me any bullshit about 2048 being fine. It isn't.
key=$($openssl genrsa 4096 2> /dev/null)
# Also generate their authorized_keys format public key for convenience.
# `openssl rsa -pubout` only emits a PEM (SubjectPublicKeyInfo) public key; `ssh-keygen -i -m PKCS8`
# converts that into the one-line authorized_keys form. Process substitution keeps it off disk.
pubkey=$(printf '%s\n' "$key" | $openssl rsa -pubout 2> /dev/null)
# And stick their comment in because why not (it belongs at the end of the same line)
printf '%s %s\n' "$(ssh-keygen -i -m PKCS8 -f <(printf '%s\n' "$pubkey"))" "$comment" > "${keypath}.pub"
# We also need to pipe our RSA key into a PKCS#8 container without touching disk.
# `openssl pkcs8 -v2` defaults to PBKDF2 with only 2048 rounds (the default PRF depends on the
# OpenSSL version), so the command below pins PBKDF2(hmacWithSHA512) at 1,200,000 rounds. Could be better.
# Once a key is derived, we encrypt with AES256 in CBC mode (could be better).
# User will be prompted for a strong password for their PKCS#8 container. Use a manager!
echo "You will be prompted to enter a password here."
echo "Choose a *strong* (at least 50 character) random password to use,"
echo "and use a damn password manager like KeePass, LastPass or 1Password."
echo
echo "To simplify having to enter a private key in every shell,"
# Unescaped backticks inside double quotes would run ssh-add as a command substitution.
echo "use \`ssh-add\` on your private key in your shell's startup script and ssh-agent(1)"
echo "will cache your decrypted key for subsequent usage."
echo
printf '%s\n' "$key" | $openssl pkcs8 -topk8 -out "$keypath" -v2 aes-256-cbc -v2prf hmacWithSHA512 -iter 1200000
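After running the script, the check worth doing is confirming that the file on disk really carries the PBES2 parameters that were requested, since an older openssl silently falls back to its defaults. The helper below is an added example, not part of the gist: it parses the output of `openssl asn1parse -in ~/.ssh/id_rsa` read from stdin, and the function names, the minimum-rounds argument and the trimmed sample parse lines are constructed for illustration.

```bash
#!/bin/bash
# Added audit helper (not part of the gist): report which PBES2 parameters
# actually ended up in a PKCS#8 file, from the output of
#   openssl asn1parse -in "${HOME}/.ssh/id_rsa"
# read on stdin. asn1parse prints INTEGER values in hex, and PKCS#5 omits
# the PRF when it is the default hmacWithSHA1; both cases are handled.

# Print "prf=<prf> iter=<decimal> cipher=<cipher>"; "unencrypted" if there is no PBKDF2 at all.
pkcs8_params() {
    local prf iter_hex cipher
    read -r prf iter_hex cipher <<EOF
$(awk '
    /OBJECT.*:PBKDF2/ { in_kdf = 1; next }
    in_kdf && /INTEGER/ && iter == "" { sub(/.*:/, ""); iter = $1 }
    in_kdf && /OBJECT.*:hmacWith/ { sub(/.*:/, ""); prf = $1 }
    in_kdf && /OBJECT.*:(aes|des|rc2|camellia)/ { sub(/.*:/, ""); cipher = $1 }
    END { if (prf == "") prf = "hmacWithSHA1"; if (iter == "") iter = "-";
          if (cipher == "") cipher = "-"; print prf, iter, cipher }')
EOF
    if [ "$iter_hex" = "-" ]; then echo "unencrypted"; return 1; fi
    printf 'prf=%s iter=%d cipher=%s\n' "$prf" "0x$iter_hex" "$cipher"
}

# Return 0 only if the file uses at least MIN_ITER rounds, a SHA-2 PRF and an AES cipher.
pkcs8_check() {
    local min_iter="$1" params iter
    params=$(pkcs8_params) || return 1
    case "$params" in
        "prf=hmacWithSHA"[2-5]*" iter="*" cipher=aes-"*) ;;
        *) return 1 ;;
    esac
    iter="${params#*iter=}"; iter="${iter%% *}"
    [ "$iter" -ge "$min_iter" ]
}

# Constructed, trimmed asn1parse lines for a key made with the gist's parameters.
SAMPLE_STRONG='   21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
   44:d=5  hl=2 l=   4 prim: INTEGER           :124F80
   52:d=6  hl=2 l=   8 prim: OBJECT            :hmacWithSHA512
   66:d=4  hl=2 l=   9 prim: OBJECT            :aes-256-cbc'
# Constructed lines for a file written by an old openssl with defaults: 2048 rounds, PRF omitted.
SAMPLE_WEAK='   21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
   40:d=5  hl=2 l=   2 prim: INTEGER           :0800
   62:d=4  hl=2 l=   8 prim: OBJECT            :des-ede3-cbc'

printf '%s\n' "$SAMPLE_STRONG" | pkcs8_params   # prf=hmacWithSHA512 iter=1200000 cipher=aes-256-cbc
printf '%s\n' "$SAMPLE_WEAK" | pkcs8_params     # prf=hmacWithSHA1 iter=2048 cipher=des-ede3-cbc
```

On a real file, pipe `openssl asn1parse -in ~/.ssh/id_rsa` into `pkcs8_check 1200000` and treat a non-zero exit as a key that should be re-wrapped.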