Storing SSH private keys should not mean storing them unencrypted
Hi,
Just found out that 1password now supports SSH keys, wonderful!
Trouble is, 1Password decrypts the private key and returns an unencrypted key when downloading the file. Why not decrypt the key on import to get the public key, and just offer the possibility to keep the private key encrypted?
I'm guessing that this is done to make the ssh-agent integration work, but it should be made clearer to the user that decrypting the key on import means keeping it unencrypted and, more importantly, gives back an unencrypted key when downloading the file. Or maybe keep the unprotected version for ssh integration, but download the original, protected one?
If the key was protected on import, it should not be left unprotected by default when I get it back.
As a side note in my case, "copy" the private key is just completely broken and gives back a key which cannot be reused. ssh-keygen -y -f [key] returns invalid format.
So for the time being, I'll stick with secure notes. Damn, I was so thrilled when I saw that 1password added support for ssh keys :/
Regards
1Password Version: 8.6.1
Extension Version: Not Provided
OS Version: Windows 11 21H2 22000.556
Comments
-
Your entire 1Password database is encrypted, so technically they are still encrypted.
However, I agree that an encrypted export (with SSH passphrase) would be nice.
0 -
Yes, I'm aware that the database is indeed encrypted. But when I export back a key I imported encrypted, I expect it to be encrypted as well. Instead, the key is stored unencrypted on my hard drive until I manually re-encrypt it. From my point of view this is a security issue as there is no other way than to export the key unencrypted...
For the time being, the workaround I found is to do a double import.
- First, import the key file into a SSH key entry
- Second, attach the key file to that SSH key entry so it can be downloaded as is later on 🙃
0 -
I too would like to store it encrypted, so when I export it to the file system it will be encrypted.
It would be really nice if the key could have a password field associated in 1Password - so when I export it, that password will be used. (And when I import it, the password will be saved into 1Password)
As it is now I will continue to import the encrypted key as a regular file so I keep the encryption.
0 -
It would be really nice if the key could have a password field associated in 1Password - so when I export it, that password will be used. (And when I import it, the password will be saved into 1Password)
That would be awesome indeed!
The official documentation mentions
If the passphrase for your SSH key is already saved in 1Password, use Quick Access to find and copy it without needing to switch context.
I get it for the "migration" phase, but this is total nonsense from a user point of view in the long term and feels kind of a hack/quirk.
0 -
You guys are right that the exported file should be encrypted too. This is on the roadmap, but we didn't want that to block the v1 release. And yes, the note about Quick Access is indeed targeted at the import phase, not at the export phase.
Out of curiosity: what are you using the export option for?
0 -
Out of curiosity: what are you using the export option for?
I need export for:
- the 1 key that you don't support (yet) in your agent (see previous discussions)
- making keys available in iOS Apps like Blink, Prompt, Working Copy, and Secure ShellFish.
0 -
Great news @floris_1P !
I haven't been able to finish the setup of the ssh agent on windows yet, so at the moment I'm using the export to retrieve my private keys.
I have several use cases in mind for exporting a key
- In the case I stop using 1password, I want to be able to export my keys in a protected way.
- In the case of an urgent need without 1password installed on a machine, I want to be able to retrieve and use my keys "the old way" without having to configure ssh-agent or even install 1password. As a side note, the website does not allow the download of the attached files in my ssh key entries. So there is really no way of exporting it encrypted in the case 1password is not installed.
- There is probably more in the same general idea around the fact that 1password ssh-agent might not be available everywhere.
Anyway, glad to hear that this would be coming at some point :)
0 -
Thanks for the detailed descriptions!
0 -
Until there's an export feature, is there a workaround for now for reconstructing keys from the 1Password copied text?
Thinking I was being safe, I nuked the copies in ~/.ssh after adding them to 1Password. But now I need to integrate with a tool that doesn't support the agent and needs the key files. I'm hitting the same issue that @blemasle had, and am feeling silly for not checking first before ditching the hard copies, as it were. How boned am I?
0 -
Oh wait! I misunderstood! I failed to notice the 🔽Download feature, and was able to ssh-keygen -o -p -f keyfile my way back to having an encrypted key.