CLI export of SSH private key does not export in the expected format.

teamwampa
teamwampa
Community Member
in CLI

I store SSH private keys in 1Password, and would like to run a command using the OP CLI to "get" or "read" a private key.

When run the following OP command:
op read op://private/'Key Name'/'Private Key'

A key is returned starting with the text:
-----BEGIN PRIVATE KEY-----

or

When run the following OP command:
op item get 'Key Name' --fields label='Private Key'

A key is returned starting with the text/key header:
-----BEGIN PRIVATE KEY-----

As I understand the a key starting with -----BEGIN PRIVATE KEY----- is in the PEM format.

However when I "Export" or "Reveal" the stored Private SSH key, using the 1Password Application (macOS) v8.10.3 a key starting with the following text/key header is returned:
----BEGIN OPENSSH PRIVATE KEY-----

As I understand the a key starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- is in the OPENSSH format.

How can I get the OP CLI command to be consistent behaviour to the 1Password macOS application "Export" and run a command to "get" or "read" the private key in the OPENSSH format and starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- ?

Is this an open bug 1Password/OP CLI?

Please advise.

OP CLI version - 2.16.0

A previous (closed) related support thread: https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli

1Password Version: 8.10.3
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • andi.t_1P
    andi.t_1P

    Hi @teamwampa ! It's good that you ask. We are currently working on returning the open ssh format of private key with the CLI as well so we are more consistent with what the desktop app returns. This should be soon available in all item retrieval commands as well as in secret reference based commands. The pkcs8 format will also still be available to retrieve for backwards compatibility reasons.

    All the best,
    Andi

  • teamwampa
    teamwampa
    Community Member

    Thanks for your reply, any idea on when these updates will be released?

  • ArunV1P
    ArunV1P

    @teamwampa Thank you for your interest! We might have an update in the near future, but are unable to promise a date. Please stay tuned!

  • untcha
    untcha
    Community Member

    Hi! Is there any update on these changes?

  • sylr
    sylr
    Community Member

    Hi!

    This issue has been reported since March 2022 and is still present (see https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli).

    @ArunV1P, can you please share an update.

    Thank you.

  • andi.t_1P
    andi.t_1P

    Hey @sylr, this is now supported with our new release. Download the latest CLI and use the secret reference attributes: op read op://private/Key Name/Private Key?ssh-format=openssh. Also the default returned format for op item get is OpenSSH.

    All the best,
    Andi

  • sylr
    sylr
    Community Member

    @andrew.l_1P it does work indeed!

    Thanks

  • brchar
    brchar
    Community Member
    edited October 2023

    i have a similar issue only related to how the Ansible Plugin for 1password works.

    if you use op item get item_name --vault vault_name --fields private_key --format json the key in the value field is not the openSSH Key even though it was created in 1 password as an ED25519 Key

    the Ansible plugin(s) rely on the json format of the output.

This discussion has been closed.