Forum Discussion

Former Member's avatar
Former Member
3 years ago

CLI export of SSH private key does not export in the expected format.

I store SSH private keys in 1Password, and would like to run a command using the OP CLI to "get" or "read" a private key.

When run the following OP command:
op read op://private/'Key Name'/'Private Key'

A key is returned starting with the text:
-----BEGIN PRIVATE KEY-----

or

When run the following OP command:
op item get 'Key Name' --fields label='Private Key'

A key is returned starting with the text/key header:
-----BEGIN PRIVATE KEY-----

As I understand the a key starting with -----BEGIN PRIVATE KEY----- is in the PEM format.

However when I "Export" or "Reveal" the stored Private SSH key, using the 1Password Application (macOS) v8.10.3 a key starting with the following text/key header is returned:
----BEGIN OPENSSH PRIVATE KEY-----

As I understand the a key starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- is in the OPENSSH format.

How can I get the OP CLI command to be consistent behaviour to the 1Password macOS application "Export" and run a command to "get" or "read" the private key in the OPENSSH format and starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- ?

Is this an open bug 1Password/OP CLI?

Please advise.

OP CLI version - 2.16.0

A previous (closed) related support thread: https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli

1Password Version: 8.10.3
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

CLI

8 Replies

  • brchar's avatar
    brchar
    New Contributor
    2 years ago

    i have a similar issue only related to how the Ansible Plugin for 1password works.

    if you use op item get item_name --vault vault_name --fields private_key --format json the key in the value field is not the openSSH Key even though it was created in 1 password as an ED25519 Key

    the Ansible plugin(s) rely on the json format of the output.

  • andi_t_1P's avatar
    andi_t_1P
    Icon for 1Password Team rank1Password Team
    2 years ago

    Hey @sylr, this is now supported with our new release. Download the latest CLI and use the secret reference attributes: op read op://private/Key Name/Private Key?ssh-format=openssh. Also the default returned format for op item get is OpenSSH.

    All the best,
    Andi

  • Former Member's avatar
    Former Member
    2 years ago

    Hi!

    This issue has been reported since March 2022 and is still present (see https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli).

    @ArunV1P, can you please share an update.

    Thank you.

  • Former Member's avatar
    Former Member
    3 years ago

    Hi! Is there any update on these changes?

  • Former Member's avatar
    Former Member
    3 years ago

    @teamwampa Thank you for your interest! We might have an update in the near future, but are unable to promise a date. Please stay tuned!

  • Former Member's avatar
    Former Member
    3 years ago

    Thanks for your reply, any idea on when these updates will be released?

  • andi_t_1P's avatar
    andi_t_1P
    Icon for 1Password Team rank1Password Team
    3 years ago

    Hi @teamwampa ! It's good that you ask. We are currently working on returning the open ssh format of private key with the CLI as well so we are more consistent with what the desktop app returns. This should be soon available in all item retrieval commands as well as in secret reference based commands. The pkcs8 format will also still be available to retrieve for backwards compatibility reasons.

    All the best,
    Andi