[I-13] Exported private keys are not protected by a passphrase?
Until today all my SSH private keys had to be present as local files, but they were protected by a passphrase. I imported all those keys into 1Password. When I exported one (to test how that works) that resulted in a private key on my filesystem that was not protected by a passphrase :(
Would it be possible to optionally add a passphrase at export/download (and use the 1Password password generator to generate it)?
1Password Version: 80600027 Nightly
Extension Version: n/a
OS Version: macOS Big Sur 11.6.4
Comments
-
IMHO 1Password should keep the original password. We want to store data but we don’t want to get it modified unintentionally.
0 -
The option to download a private key should at least offer some encryption options. Options provided by ssh-keygen include:
-a rounds (number of bcrypt_pbkdf rounds)
-m key_format (RFC4716, PKCS8 or PEM)
-Z cipher (aes256-ctr, aes256-cbc, etc.)
-p to prompt for a passphrase.
1Password should at least offer some of these options, perhaps with sensible defaults. It shouldn't be left up to the user to have to manually look up the man page for ssh-keygen to encrypt it themselves.
However, it might be reasonable if, when importing a key, it did include the original file as an attachment. But you could also do that manually if you wanted.
0 -
Would it be possible to optionally add a passphrase at export/download (and use the 1Password password generator to generate it)?
Yes - this is something that we are considering and this thread is great to see as it helps to plan the best way forward.
0 -
You could also retain the passphrase for imported encrypted keys as a piece of metadata on the key in 1Password, and then default to using that passphrase again when exporting.
0