Introduction: Secure SSH / SCP Connection From Raspberry Pi to Cloud Server for Backups and Updates
The purpose of this instructable is to show you how to connect automatically and securely from your Raspberry Pi to a remote cloud server ( and vice versa) in order to carry out back ups and updates etc. To do this, you use SSH key pairs which obviate the need to remember passwords and give you a more secure connection.
(CAVEAT - Don't attempt this if you are not competent in configuring Linux permissions otherwise you will make your systems more vulnerable to attack by hackers. )
1. Raspberry Pi with a command line interface (CLI) as you would see on Putty.
2. Access to a remote cloud server hosted by say OVH or DigitalOcean, with a CLI.
3. A Windows laptop or PC with Putty and PuttyGen installed.
1. You have some knowledge of Linux commands
2. You can access your remote server using conventional manual processes, e.g. FTP.
3. You will have preinstalled PuttyGen on your Windows PC
In summary, - See Figure 1
a) On your Windows PC, create a Private PPK file using PuttyGen
b) On your Windows PC, create a public PPK file using PuttyGen (this is done automatically in step a)
b) On your Windows PC,copy the Public Key from your Windows PC to the remote cloud server
d) On your Windows PC, convert the Private PPK file to an OpenSSH key using PuttyGen
e) Copy the OpenSSH key from your Windows PC to the Raspberry Pi
f) Test out access and file transfer from the Raspberry Pi to your Remote server
Step 1: A) Create a Private PPK File, B) Create a Public Key and C) Copy It to the Remote Server
To create a Private PPK file, open PuttyGen on your Windows PC. You can access PuttyGen by right clicking on the putty icon on the Windows taskbar. From the PuttyGen menu, select key then generate a key pair, select the option SSH2 -RSA key. You will be prompted to set a passphrase when you create the private key, and if you do set a passphrase, you will be asked for it during future operations.Save the private key somewhere securely on your Windows PC. You will then see the public key in the window pane as shown in Figure 2.
Next, let's transfer the public key to the remote cloud server. Open a Putty session to the remote cloud server using Putty. Let's say you have logged in as remoteuser1 then do the following on the remote cloud server CLI
cd /home/remoteuser1 (if not there already)
nano .ssh/authorized_keys (You will see an empty screen - paste the public key shown in figure 2 then save and close this file)
chmod 0700 .ssh
chmod 0600 /home/remoteuser1/.ssh/authorized_keys
Step 2: D) Convert Private PPK File to OpenSSH Key and E) Copy It to the Raspberry Pi
To convert the private key to OpenSSH , open PuttyGen and then open the private key that you created earlier - go to the Conversions option on the menu then choose Export OpenSSH key - please ensure that the file you create has the filetype .key. Save it somewhere securely then open a putty session to log into your Raspberry Pi. Copy the key file to the home directory on the Raspberry Pi of the user account you used to log onto the Raspberry Pi. Say the key is called pitobot.key then follow these steps:
sudo mv pitobot.key /home/pi/
sudo chmod 600 pitobot.key
Now you are ready to test if your installation is successful - Again, this is done from the Pi. Remember, remoteuser1 is the account on the remote cloud server in whose home directory you saved the public key, and ipaddress is the ipaddress of the remote cloud server.
Firstly from the Raspberry Pi, let's log on to the remote cloud server using Putty. Type the following commands on the Raspberry PI CLI. (If you have set a passphrase when you created a private key, you will be asked for it now.)
sudo ssh -i /home/pi/pitobot.key remoteuser1@ipaddress
This will log you into the CLI of the remote cloud server on the home directory of remoteuser1. By typing 'exit; you will return to the CLI of your Raspberry Pi.
Next, try to transfer files from the remote cloud server to the Raspberry Pi. Use the following commands: (Again, if you have set a passphrase when you created a private key, you will be asked for it now.)
sudo scp -i /home/pi/pitobot.key remoteuser1@ipaddress://var/www/html/*.* /home/pi/
This will transfer all files from the /var/www/html/ folder on the remote server to the /home/pi/ folder on your Raspberry Pi. (The colon is very important) You can of course change the order of the commands and transfer files from the Pi to the remote server.
Step 3: Security Considerations
Whilst the SSH key pair approach improves security, consider the following:
1. With SSH key pairs enabled, you should consider removing the ability for users to log on directly to the remote server (You can also access your servers using the key pairs Putty on Windows using the same key pair, and you could also consider disabling log in on your Pi as well) . Be careful if you choose to do this and don't take a big bang approach. To do this, you have to disable a few configurations in the ssh configuration file. Be very careful doing this. The commands are
And within the file make the following changes
Save, exit then restart SSH by systemctl restart ssh (This is for Debian. It might be different on different Linux distros)
2) Keep all your keys secure otherwise you risk a data breach or not having access to your servers. I recommend keeping them in a secure vault such as bitwarden.com, and restrict access to it through your access control policy.
3) The use of a passphrase improves security but it can make automation of cron jobs etc more difficult. The decision to use this and other features ought to be determined by risk assessment, for example, if you are processing personal data then you need greater / proportionate controls.