1Password changed my private key upon import
I am importing an ed25519 SSH key I generated on my Mac via CLI ages ago. I imported the key from file and input the key's password. 1Password created the new SSH key record. The public_key matches my public key, however my private key is different.
One thing I noticed is that the header of my private key file is -----BEGIN OPENSSH PRIVATE KEY----- while the header of the private key in 1Password is -----BEGIN PRIVATE KEY-----.
I tested connecting to some servers over SSH using the key in 1Password, however it does not work to connect to my SSH servers.
So did 1Password recode my key somehow away from OpenSSH?
1Password Version: 8.73
Extension Version: Not Provided
OS Version: macOS 11.6.7
Browser: Not Provided
Referrer: forum-search:ssh key import
Comments
-
I just found this post with the same issue, so it appears to be a bug?
0 -
Hi, I have the same problem but the other way around. My key is BEGIN RSA PRIVATE KEY and once imported 1Password turns it into BEGIN OPENSSH PRIVATE KEY. The key and fingerprint itself change as well. This renders 1Password as a safe storage for private keys a bit useless.
0 -
Hi @mrgrain:
1Password for desktop used to export keys in PKCS #8 format. Recent releases of 1Password for desktop now export using OpenSSH format. We're continuing to explore this change and consider additional ways of choosing which way you'd like to export your key, but in the meantime, if you're looking to export your key in PKCS #8 format, it's possible to do using my.1Password.com and copying your PKCS #8 format private key from there.
Jack
0 -
Hi @Jack.P_1P
Thanks for the info, that's helpful. =)
I guess from a user perspective I'd expect 1Password to export my key exactly "as is" by default.
Exporting in different formats sounds like a great feature, but should always be an explicit option.
0 -
Just a "me too" report (key that was "RSA" converted to "OPENSSH"), but with a different consequence. In our case, this broke compatibility with python code we had that was trying to read the key.
The error message was:
('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])
While googling about this, I found this StackOverflow post that suggests that this is a Mac/Linux issue.
That also led to a way to convert one of these mangled 1password keys back to the original format.
0 -
Me too.
Stored a private key for a TLS https encryption certificate. It's needed to re-install the cert on a new server, and 1Password changed mine, causing failure. Luckily still had a copy of the original.
Is there a feature request where we can track this issue?
0 -
Is there a feature request where we can track this issue?
There is no public issue for this that you can track, unfortunately. We'll keep you posted when we have any updates regarding this issue.
0 -
Adding another "me too"
I had a specific issue where I downloaded an AWS key and saved it to my 1Password, but when I needed to upload my key to AWS to get a password of a newly created server AWS didn't recognize the key and it failed because it was a different format. Even if I copied it from the browser it now says -----BEGIN PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----. This was very confusing until I found this thread. I would definitely prefer if it saved the key in the format provided with the option to export in different formats if selected.
0 -
Is this problem being fixed by the work mentioned by Andi in:
https://1password.community/discussion/139136/cli-export-of-ssh-private-key-does-not-export-in-the-expected-format
Having 1Password change your key without asking seems a real bug. A serious bug if you have not kept a copy of the key elsewhere, as you assumed 1Password would not mess with your key.
0 -
Just wanted to add to smythg's comment about this being a bug - we faced this issue also with SSH keys provided by clients. Thinking we were doing the right thing by importing them into 1Password under the correct credential type.
It was extremely lucky that we had the original files shared by our clients, otherwise that would have been a very embarrassing conversation with our clients to get the SSH keys again.
Converting information without warning is a HUGE no-no! Especially with something as sensitive as SSH keys.
1Password - do better! I've been a customer since the early days, and this has put a cloud over whether I would recommend this product to others.
0 -
+1 - this is a major issue. We use tools and services that require specific key formats. Key export format options should be available; don't presume that OpenSSH format is OK. We can use the web vault workaround for now, but IMHO this is a major oversight if you intend to promote SSH key management in this product.
2 -
This is insane. I uploaded numerous RSA private keys and then went to another system and attempted to read them, only to get the error unsupported key type "RSA PRIVATE KEY" passed with the PEM. Completely confused, I opened the 1P UI and took a look and sure enough, the key is different?! Thankfully I had not yet deleted the keys on my original machine. This is NOT OK.
0 -
I feel like I have to be doing something wrong as this is the most basic of use cases, literally just trying to read a key I've just uploaded. It's an RSA 4096 key w/ public exponent of 65537. It's listed in the UI w/ a "key type" value of "RSA, 4096-bit", but the actual key saved is something else and once uploaded, cannot be re-exported. I'm struggling to understand how you can state support for RSA key types. It's mind blowing and honestly kind of scary that this issue has been outstanding for over a year.
0 -
Another +1 - this behind the scenes conversion behavior essentially makes key storage unusable. Our company just signed on with 1Password this year and this problem is both surprising and disappointing. This item should be at the very top of the priority list
0 -
+1. Please fix this.
My hacky workaround was to store an RSA key in a Document item type and attach my pem file but then I can't use SSH features.
0 -
+1 for me as well
0 -
Upvote for this feature! I need my RSA key retrievable in the original format.
0 -
Hello,
Need to use a specific format:
op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh"
0 -
@johnpitchko @mrgrain @truist @cburkin @tannerwj @smythg @foeajames @skpeml @jamesdh @jshafe @mowen @moonpup @danfake
Hey everyone, thanks all for chiming in. We've made some changes to the private key export functionality: You now have control over the format your private key will be exported in. We support the OpenSSH format, PKCS#8, and PKCS#1 (if you originally imported the key in PKCS#1 format). This is available in the latest beta release and will be present in the next stable release as well.
We'd love to hear if this resolves the incompatibility issues you ran into. Apologies for the inconvenience this has caused.
1 -
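For RSA keys, the PKCS#1 and PKCS#8 formats named above wrap the same key material, so an export can be checked against the original file before that file is deleted. The following is an added example, not part of the thread and not 1Password code: it assumes unencrypted RSA keys, uses a constructed toy key, and the helper names (rsa_body, same_key, tlv) are made up for illustration. OpenSSH-format keys use a different, non-DER container and are rejected here.

```python
import base64
import re

# PEM labels seen in this thread -> container format.
LABELS = {"OPENSSH PRIVATE KEY": "openssh", "RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_read(buf, pos=0):  # one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, used by real-size keys
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_body(pem):
    """Return the PKCS#1 RSAPrivateKey DER held in a PKCS#1 or PKCS#8 PEM."""
    label, der = pem_decode(pem)
    fmt = LABELS.get(label, "unknown")
    if fmt == "pkcs1":
        return der
    if fmt != "pkcs8":
        raise ValueError(f"{fmt} container ({label}) is not DER PKCS#1/PKCS#8")
    seq = der_read(der)[1]
    _, _, pos = der_read(seq)         # version INTEGER
    _, alg, pos = der_read(seq, pos)  # AlgorithmIdentifier SEQUENCE
    if der_read(alg)[1] != RSA_OID:
        raise ValueError("PKCS#8 key is not RSA")
    return der_read(seq, pos)[1]      # OCTET STRING wrapping the PKCS#1 body

def same_key(pem_a, pem_b):
    return rsa_body(pem_a) == rsa_body(pem_b)

# --- Constructed sample: toy RSA values (n = 3233), not a usable key. ---
def tlv(tag, value):  # short-form DER lengths only; enough for the toy sample
    return bytes([tag, len(value)]) + value
def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

INTS = (0, 3233, 17, 2753, 61, 53, 53, 49, 38)  # version, n, e, d, p, q, dP, dQ, qInv
PKCS1_DER = tlv(0x30, b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in INTS))
ALG = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
PKCS8_DER = tlv(0x30, tlv(0x02, b"\x00") + ALG + tlv(0x04, PKCS1_DER))
PKCS1_PEM, PKCS8_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER), to_pem("PRIVATE KEY", PKCS8_DER)
```

same_key(PKCS1_PEM, PKCS8_PEM) returns True even though the two PEM texts differ; run it on the original file and the exported text to confirm a re-encoded RSA key is still the same key.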
@floris_1P Thank you so much. It's finally "almost" usable again.
One complaint though. In most cases, you want to export the private key encrypted. Unfortunately, you give this option only for OpenSSH Format, not for PKCS#8. I need to export password encrypted PKCS#8 keys.
PS: For consistency, provide this option also for the public key (openssh format and pem) please.
1