Tips on Key Generation
When you use SFTP and other file-based data sources and sinks, generate encryption keys and PEM files according to the following guidelines to avoid runtime connection issues.
Create a PEM File
Prevent key password
Ensure that the key is not password-locked. When you create a PEM file, OpenSSH asks you to password-lock the file with a key password. As a security measure, Automation does not support sending that password for decryption purposes.
To ensure that the key is not given a password, enter no text at the password prompt when creating the key, or use the -N switch with an empty value, as in the following command:
ssh-keygen -m PEM -f ~/.ssh/example-keyfile -N ""
Specify RSA algorithm
While RSA is the current default for OpenSSH, the preceding ssh-keygen command does not specify it explicitly.
RSA is the only algorithm that Automation supports, so specify RSA using the -t switch, as in the following command:
ssh-keygen -t rsa -m PEM -f ~/.ssh/example-keyfile -N ""
Note
At this time, Automation only supports RSA key encryption.
Use a large keysize
Because RSA is not safe at less than 2048 bits, you should consider adding the -b (bits) switch to your ssh-keygen command, as in the following example:
ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/example-keyfile -N ""
Check key encryption
You can verify that your key is not encrypted by opening it and checking the header.
If the Proc-Type and DEK-Info strings exist, your key will not work in Automation.
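The header check described above can be scripted. The following is an added example, not part of the original documentation or of Automation: the function names check_pem_key and write_samples are hypothetical, and the sample files are constructed placeholders rather than real keys. It goes slightly beyond the Proc-Type/DEK-Info check by also rejecting keys whose first line shows they are not traditional RSA PEM keys.

```shell
# check_pem_key FILE: return 0 only for an unencrypted traditional RSA PEM key.
check_pem_key() {
    key_file=$1
    [ -r "$key_file" ] || { echo "unreadable: $key_file"; return 2; }
    case $(head -n 1 "$key_file") in
        "-----BEGIN RSA PRIVATE KEY-----") ;;   # what -t rsa -m PEM writes
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "rejected: OpenSSH-format key, regenerate with -m PEM"; return 1 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "rejected: encrypted PKCS#8 key"; return 1 ;;
        *)
            echo "rejected: not an RSA PEM private key"; return 1 ;;
    esac
    # A password-locked PEM key carries these two headers after the BEGIN line.
    if grep -Eq '^(Proc-Type|DEK-Info):' "$key_file"; then
        echo "rejected: Proc-Type/DEK-Info present, key is password-locked"
        return 1
    fi
    echo "ok: unencrypted RSA PEM key"
}

# write_samples DIR: constructed sample files (placeholder bodies, not real keys).
write_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,CONSTRUCTED-PLACEHOLDER-IV' '' \
        'CONSTRUCTED-PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/locked.pem"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-BODY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$dir/openssh.key"
}

# Demonstration on the constructed samples.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in plain.pem locked.pem openssh.key; do
    printf '%s: ' "$f"
    check_pem_key "$sample_dir/$f" || true
done
rm -rf "$sample_dir"
```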