What is Passphrase & How to Use It?
ContentsWhat is Passphrase? It Should Be Hard to Guess Protecting a Private Key Protecting SSH keys PGP / GPG Private Key Protection
What is Passphrase?
A passphrase is similar to a password. However, a password generally refers to something used to authenticate or log into a system. A passphrase generally refers to a secret used to protect an encryption key. Commonly, an actual encryption key is derived from the passphrase and used to encrypt the protected resource.
It Should Be Hard to Guess
A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character. No part of it should be derivable from personal information about the user or his/her family.
Sometimes there is a need to generate random passwords or phrases automatically.
Protecting a Private Key
The purpose of the passphrase is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.
To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.
Protecting SSH keys
SSH keys are used for authenticating users in information systems. The SSH keys themselves are private keys; the private key is further encrypted using a symmetric encryption key derived from a passphrase. The key derivation is done using a hash function.
Passphrases are commonly used for keys belonging to interactive users. Their use is strongly recommended to reduce risk of keys accidentally leaking from, e.g., backups or decommissioned disk drives.
In practice, however, most SSH keys are without a passphrase. There is no human to type in something for keys used for automation. The passphrase would have to be hard-coded in a script or stored in some kind of vault, where it can be retrieved by a script. An attacker with sufficient privileges can easily fool such a system. Thus, there would be relatively little extra protection for automation.
More than 90% of all SSH keys in most large enterprises are without a passphrase. However, this depends on the organization and its security policies.
PGP / GPG Private Key Protection
Private keys used in email encryption tools like PGP are also protected in a similar way. Such applications typically use private keys for digital signing and for decrypting email messages and files.