Protect SSH Private Keys with Passwords or Encryption
Ensure SSH keys have a password or are encrypted to prevent unauthorised access.
Plain language
SSH private keys are like the master keys for accessing your computer systems remotely. If these keys fall into the wrong hands, someone could break in and control your systems. Protecting these keys with passwords or encryption is crucial to keep your digital doors locked and prevent unauthorised access.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
SSH private keys are protected with a password or a key encryption key.
Why it matters
If SSH private keys are not protected with a passphrase or encryption, attackers can steal them and gain remote access, leading to compromise and data loss.
Operational notes
Audit where SSH private keys are stored and enforce passphrases or key encryption; restrict file permissions and rotate keys when exposure is suspected.
Implementation tips
- IT team should ensure every SSH private key is secured: Require that all SSH keys used within the organisation are either password-protected or encrypted. This can be done by configuring the key generation process to include a passphrase, which can be a memorable but complex password.
- System administrators must regularly audit key access: Regular checks should be conducted to verify which team members have access to SSH keys and ensure they are aware of the importance of protecting them with passwords. Use an inventory tool to list all keys and their current security status.
- Management should promote strong passphrase policies: Educate employees on creating strong, memorable passwords for SSH keys. Encourage using a combination of letters, numbers, and symbols, and recommend password managers to store them securely.
- Procurement or IT should source secure storage solutions: Invest in hardware or software solutions that securely store and manage SSH keys. This can include encrypted USB devices or key management systems that store passwords securely.
- Policy makers need to define and document SSH key handling policies: Create comprehensive policies that define how SSH keys should be generated, stored, and used. Ensure these policies are reviewed and updated regularly, and communicate them to all relevant team members.
Audit / evidence tips
-
Askdocumentation on SSH key management policies: Request to see the written policies that describe how SSH keys are managed and protected
-
Aska current inventory of SSH keys: Request a list of all SSH keys currently in use within the organisation
Goodshows each key with a corresponding protection status
-
Asktraining records for SSH key handling: Request evidence of any training sessions conducted on SSH key management
Goodincludes recent training sessions with thorough coverage of password protection or encryption topics
-
Aska demonstration of SSH key creation: Request a step-by-step demonstration of how new SSH keys are created, focusing on the inclusion of passwords or encryption
Goodshows secure processes with a clear emphasis on protection
-
Asklogs of key usage audits: Request records of recent audits or checks on SSH key usage and protection
Goodincludes regular audit logs with resolved issues and documented corrective actions
Cross-framework mappings
How ISM-1449 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1449 requires SSH private keys to be protected with a password (passphrase) or encrypted with a key encryption key to prevent unautho... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 5.17 | ISM-1449 requires SSH private keys to be protected with a password or encryption so that possession of the key file alone is insufficient... | |
| handshake Supports (1) expand_less | ||
| Annex A 8.3 | ISM-1449 requires encryption/passphrase protection for SSH private keys to reduce the impact of key theft or copying | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.