1Password changed my private key upon import

Community Member

I am importing an ed25519 SSH key I generated on my Mac via CLI ages ago. I imported the key from file and input the key's password. 1Password created the new SSH key record. The public_key matches my public key, however my private key is different.

One thing I noticed is that the header of my private key file is -----BEGIN OPENSSH PRIVATE KEY----- while the header of the private key in 1Password is -----BEGIN PRIVATE KEY-----.

I tested connecting to some servers over SSH using the key in 1Password, however it does not work to connect to my SSH servers.

So did 1Password recode my key somehow away from OpenSSH?

1Password Version: 8.73
Extension Version: Not Provided
OS Version: macOS 11.6.7
Browser: Not Provided
Referrer: forum-search:ssh key import
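
An added example, not part of the original post and not 1Password's code: the PEM label only names the container, so one way to check whether a stored copy is still the same key pair is to compare public-key fingerprints. It reads the public blob that the OpenSSH private-key container keeps unencrypted; the sample key is constructed placeholder bytes and the function names are illustrative.

```python
import base64, hashlib, struct

# PEM labels quoted in this thread and the container each one denotes.
PEM_LABELS = {"OPENSSH PRIVATE KEY": "OpenSSH openssh-key-v1",
              "RSA PRIVATE KEY": "PKCS #1 (RSA only)", "PRIVATE KEY": "PKCS #8"}

def pem_label(pem: str) -> str:
    first = pem.strip().splitlines()[0].strip()
    if not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        raise ValueError("not a PEM block")
    return first[len("-----BEGIN "):-len("-----")]

def _s(data: bytes) -> bytes:  # encode an SSH wire string: uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def _read(buf: bytes, off: int):  # decode one SSH wire string at off
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key container")
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(pub_blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(pub_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def private_file_fingerprint(pem: str) -> str:
    """Fingerprint of the public blob stored in clear in an OpenSSH private key."""
    label = pem_label(pem)
    if label != "OPENSSH PRIVATE KEY":
        raise ValueError("not OpenSSH format: " + PEM_LABELS.get(label, "unknown"))
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    raw, magic = base64.b64decode(body), b"openssh-key-v1\0"
    if not raw.startswith(magic):
        raise ValueError("bad magic")
    off = len(magic)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = _read(raw, off)
    return fingerprint(_read(raw, off + 4)[0])  # +4 skips the uint32 key count

def public_line_fingerprint(line: str) -> str:  # "type base64 comment" line
    return fingerprint(base64.b64decode(line.split()[1]))

# Constructed sample (placeholder bytes, not a usable key).
_PUB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
_RAW = b"openssh-key-v1\0" + _s(b"none") * 2 + _s(b"") + struct.pack(">I", 1) + _s(_PUB) + _s(b"\0" * 8)
SAMPLE_PEM = "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_RAW).decode() + "\n-----END OPENSSH PRIVATE KEY-----"
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_PUB).decode() + " constructed@example"
```

If the fingerprint of the stored copy equals the fingerprint of the original `.pub` line, the two files hold the same key pair in different encodings.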


  • johnpitchko
    Community Member

    I just found this post with the same issue, so it appears to be a bug?

  • mrgrain
    Community Member

    Hi, I have the same problem but the other way around. My key is BEGIN RSA PRIVATE KEY and once imported, 1Password turns it into BEGIN OPENSSH PRIVATE KEY.

    The key and fingerprint itself change as well. This renders 1Password as a safe storage for private keys a bit useless.

  • Hi @mrgrain:

    1Password for desktop used to export keys in PKCS #8 format. Recent releases of 1Password for desktop now export using OpenSSH format. We're continuing to explore this change and consider additional ways of choosing which way you'd like to export your key, but in the meantime, if you're looking to export your key in PKCS #8 format, it's possible to do using my.1Password.com and copying your PKCS #8 format private key from there.


  • mrgrain
    Community Member

    Hi @Jack.P_1P

    Thanks for the info, that's helpful. =)

    I guess from a user perspective I'd expect 1Password to export my key exactly "as is" by default.
    Exporting in different formats sounds like a great feature, but should always be an explicit option.

  • Hey @mrgrain:

    I agree completely. I've shared your thoughts on an internal discussion we have on the topic. While I can't promise anything, as I mentioned, we're continuing to explore this change.


    ref: dev/core/core#15591

  • truist
    Community Member

    Just a "me too" report (key that was "RSA" converted to "OPENSSH"), but with a different consequence. In our case, this broke compatibility with Python code we had that was trying to read the key.

    The error message was:

    ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

    While googling about this, I found this StackOverflow post that suggests that this is a Mac/Linux issue.

    That also led to a way to convert one of these mangled 1Password keys back to the original format.

  • cburkin
    Community Member

    Me too.

    Stored a private key for a TLS https encryption certificate. It's needed to re-install the cert on a new server, and 1Password changed mine, causing failure. Luckily still had a copy of the original.

    Is there a feature request where we can track this issue?

  • Is there a feature request where we can track this issue?

    There is no public issue for this that you can track, unfortunately. We'll keep you posted when we have any updates regarding this issue.

  • tannerwj
    Community Member

    Adding another "me too"

    I had a specific issue where I downloaded an AWS key and saved it to my 1Password, but when I needed to upload my key to AWS to get a password of a newly created server, AWS didn't recognize the key and it failed because it was a different format. Even if I copied it from the browser it now says -----BEGIN PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----. This was very confusing until I found this thread. I would definitely prefer if it saved the key in the format provided with the option to export in different formats if selected.

  • smythg
    Community Member

    Is this problem being fixed by the work mentioned by Andi in:

    Having 1Password change your key without asking seems a real bug. A serious bug if you have not kept a copy of the key elsewhere, as you assumed 1Password would not mess with your key.

  • foeajames
    Community Member

    Just wanted to add to smythg's comment about this being a bug - we faced this issue also with SSH keys provided by clients. Thinking we were doing the right thing by importing them into 1Password under the correct credential type.

    It was extremely lucky that we had the original files shared by our clients, otherwise that would have been a very embarrassing conversation with our clients to get the SSH keys again.

    Converting information without warning is a HUGE no-no! Especially with something as sensitive as SSH keys.

    1Password - do better! I've been a customer since the early days, and this has put a cloud over whether I would recommend this product to others.

  • skpeml
    Community Member

    +1 - this is a major issue. We use tools and services that require specific key formats. Key export format options should be available; don't presume that OpenSSH format is OK. We can use the web vault workaround for now, but IMHO this is a major oversight if you intend to promote SSH key management in this product.

  • jamesdh
    Community Member

    This is insane. I uploaded numerous RSA private keys and then went to another system and attempted to read them, only to get the error unsupported key type "RSA PRIVATE KEY" passed with the PEM. Completely confused, I opened the 1P UI and took a look and sure enough, the key is different?! Thankfully I had not yet deleted the keys on my original machine. This is NOT OK.

  • jamesdh
    Community Member
    edited October 28

    I feel like I have to be doing something wrong as this is the most basic of use cases, literally just trying to read a key I've just uploaded. It's an RSA 4096 key w/ public exponent of 65537. It's listed in the UI w/ a "key type" value of "RSA, 4096-bit", but the actual key saved is something else and once uploaded, cannot be re-exported. I'm struggling to understand how you can state support for RSA key types. It's mind blowing and honestly kind of scary that this issue has been outstanding for over a year.

  • jshafe
    Community Member

    Another +1 - this behind-the-scenes conversion behavior essentially makes key storage unusable. Our company just signed on with 1Password this year and this problem is both surprising and disappointing. This item should be at the very top of the priority list.

  • mowen
    Community Member

    +1. Please fix this.

    My hacky workaround was to store an RSA key in a Document item type and attach my pem file but then I can't use SSH features.

  • moonpup
    Community Member

    +1 for me as well

  • danfake
    Community Member

    Upvote for this feature! I need my RSA key retrievable in the original format.