SSH algorithms and keys
Public key authentication
IAP Desktop supports the following algorithms for public key authentication:
| Key type | Default | Algorithm |
|---|---|---|
| RSA (3072 bit) | rsa-sha2-512 or rsa-sha2-256 |
|
| ECDSA NIST P-256 | ecdsa-sha2-nistp256 |
|
| ECDSA NIST P-384 | ecdsa-sha2-nistp384 |
|
| ECDSA NIST P-521 | ecdsa-sha2-nistp521 |
By default, IAP Desktop uses ecdsa-sha2-nistp384 for public key authentication.
To use a different algorithm, go to Options > SSH > Public key authentication
and change the key type.
SSH keys
IAP Desktop uses the Microsoft Software Key Storage Provider to store SSH keys and configures private keys to be non-exportable. You can list existing keys by running the following command:
certutil -csp "Microsoft Software Key Storage Provider" -key -user | findstr IAPDESKTOP_
IAP Desktop maintains at most one key per key type and Google/workforce identity federation user.
Ephemeral keys
Optionally, you can configure IAP Desktop to use an ephemeral SSH key:
- Go to Options > SSH > Public key authentication
- Set Use persistent key and store it in Windows CNG key store to disabled
When you use this configuration, IAP Desktop generates a new SSH key pair every time you launch it, and it won't store the private key anywhere.