July 16, 2022
Question

1Password changed my private key upon import

  • 22 replies
  • 3302 views

I am importing an ed25519 SSH key I generated on my Mac via CLI ages ago. I imported the key from file and input the key's password. 1Password created the new SSH key record. The public_key matches my public key; however, my private key is different.

One thing I noticed is that the header of my private key file is -----BEGIN OPENSSH PRIVATE KEY----- while the header of the private key in 1Password is -----BEGIN PRIVATE KEY-----.

I tested connecting to some servers over SSH using the key in 1Password; however, it does not work to connect to my SSH servers.

So did 1Password recode my key somehow away from OpenSSH?


1Password Version: 8.73
Extension Version: Not Provided
OS Version: macOS 11.6.7
Browser: Not Provided

22 replies

July 16, 2022

I just found https://1password.community/discussion/129033/unable-to-import-ed25519-key-created-by-puttygen-in-to-1password-or-vice-versa, so it appears to be a bug?

January 22, 2023

Hi, I have the same problem but the other way around. My key is BEGIN RSA PRIVATE KEY and, once imported, 1Password turns it into BEGIN OPENSSH PRIVATE KEY.

The key and fingerprint itself change as well. This renders 1Password as a safe storage for private keys a bit useless.

Jack_P_1P
1Password Employee
January 23, 2023

Hi @mrgrain:

1Password for desktop used to export keys in PKCS #8 format. Recent releases of 1Password for desktop now export using OpenSSH format. We're continuing to explore this change and consider additional ways of choosing which way you'd like to export your key, but in the meantime, if you're looking to export your key in PKCS #8 format, it's possible to do using my.1Password.com and copying your PKCS #8 format private key from there.

Jack

January 23, 2023

Hi @Jack_P_1P

Thanks for the info, that's helpful. =)

I guess from a user perspective I'd expect 1Password to export my key exactly "as is" by default.
Exporting in different formats sounds like a great feature, but should always be an explicit option.

Jack_P_1P
1Password Employee
January 23, 2023

Hey @mrgrain:

I agree completely. I've shared your thoughts on an internal discussion we have on the topic. While I can't promise anything, as I mentioned, we're continuing to explore this change.

Jack

ref: dev/core/core#15591

March 28, 2023

Just a "me too" report (key that was "RSA" converted to "OPENSSH"), but with a different consequence. In our case, this broke compatibility with Python code we had that was trying to read the key.

The error message was:


('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

While googling about this, I found https://stackoverflow.com/questions/56473553/why-cant-openssl-read-an-ssh-private-key-created-by-openssh-on-osx/56488091#56488091 that suggests that this is a Mac/Linux issue.

That also led to https://serverfault.com/a/950686/376938.
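
An added example, not part of any post in this thread and not 1Password's code: standard-library Python that names the container of a PEM private key from the headers quoted above and, for the OpenSSH container, fingerprints the public key stored unencrypted inside it, so the result can be compared with the ssh-keygen -lf output for the original .pub file. The function names and the sample key (dummy bytes, not a usable key) are constructed for illustration.

```python
import base64
import hashlib
import re

# PEM labels quoted in this thread and the container format each denotes.
CONTAINERS = {"OPENSSH PRIVATE KEY": "openssh-key-v1",
              "RSA PRIVATE KEY": "PKCS#1 (RSA)",
              "PRIVATE KEY": "PKCS#8"}
MAGIC = b"openssh-key-v1\0"

def pem_decode(text):
    """Return (label, decoded bytes) of the first PEM block in text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.+?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def container(text):
    label, _ = pem_decode(text)
    return CONTAINERS.get(label, "unknown: " + label)

def read_string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:end], end

def fingerprint(blob):
    """SHA256 fingerprint of a public key blob, formatted as ssh-keygen -l prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def openssh_public_fingerprint(text):
    """Fingerprint of the public key stored unencrypted in an OpenSSH private key file."""
    label, raw = pem_decode(text)
    if label != "OPENSSH PRIVATE KEY" or not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file: " + container(text))
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = read_string(raw, off)
    return fingerprint(read_string(raw, off + 4)[0])  # off + 4 skips the key count

def _s(b):  # encode one SSH string
    return len(b).to_bytes(4, "big") + b
# Constructed sample: dummy key bytes and a placeholder private section, not a usable key.
PUB_BLOB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
BODY = MAGIC + _s(b"none") * 2 + _s(b"") + (1).to_bytes(4, "big") + _s(PUB_BLOB) + _s(b"\0" * 8)
SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(BODY).decode()
          + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

PUB_BLOB is the same byte string that appears base64-encoded as the second field of a .pub or authorized_keys line, which is why the two fingerprints can be compared directly.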

April 28, 2023

Me too.

Stored a private key for a TLS https encryption certificate. It's needed to re-install the cert on a new server, and 1Password changed mine, causing failure. Luckily still had a copy of the original.

Is there a feature request where we can track this issue?

May 26, 2023

Is there a feature request where we can track this issue?

There is no public issue for this that you can track, unfortunately. We'll keep you posted when we have any updates regarding this issue.

June 8, 2023

Adding another "me too"

I had a specific issue where I downloaded an AWS key and saved it to my 1Password, but when I needed to upload my key to AWS to get a password of a newly created server, AWS didn't recognize the key and it failed because it was a different format. Even if I copied it from the browser, it now says -----BEGIN PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----. This was very confusing until I found this thread. I would definitely prefer if it saved the key in the format provided, with the option to export in different formats if selected.

June 12, 2023

Is this problem being fixed by the work mentioned by Andi in:
https://1password.community/discussion/139136/cli-export-of-ssh-private-key-does-not-export-in-the-expected-format

Having 1Password change your key without asking seems a real bug. A serious bug if you have not kept a copy of the key elsewhere, as you assumed 1Password would not mess with your key.