[I-13] Exported private keys are not protected by a passphrase?

XIII
Community Member
edited May 2022 in SSH

Until today all my SSH private keys had to be present as local files, but they were protected by a passphrase. I imported all those keys into 1Password. When I exported one (to test how that works) that resulted in a private key on my filesystem that was not protected by a passphrase :(

Would it be possible to optionally add a passphrase at export/download (and use the 1Password password generator to generate it)?


1Password Version: 80600027 Nightly
Extension Version: n/a
OS Version: macOS Big Sur 11.6.4

Comments

  • MaxRaab
    Community Member

    IMHO 1Password should keep the original password. We want to store data but we don’t want to get it modified unintentionally.

  • Lachy
    Community Member

    The option to download a private key should at least offer some encryption options. Options provided by ssh-keygen include:

    • -a rounds (number of bcrypt_pbkdf rounds)
    • -m key_format (RFC4716, PKCS8 or PEM)
    • -Z cipher (aes256-ctr, aes256-cbc, etc.)
    • -p to prompt for a passphrase.

    1Password should at least offer some of these options, perhaps with sensible defaults. It shouldn't be left up to the user to have to manually look up the man page for ssh-keygen to encrypt it themselves.

    However, it might be reasonable if, when importing a key, it did include the original file as an attachment. But you could also do that manually if you wanted.

  • ag_tyler
    edited February 2022

    "Would it be possible to optionally add a passphrase at export/download (and use the 1Password password generator to generate it)?"

    Yes - this is something that we are considering and this thread is great to see as it helps to plan the best way forward.

  • alexclst
    Community Member

    You could also retain the passphrase for imported encrypted keys as a piece of metadata on the key in 1Password, and then default to using that passphrase again when exporting.

This discussion has been closed.