Skip to main content
July 16, 2022
Question

1Password changed my private key upon import

  • July 16, 2022
  • 22 replies
  • 3302 views

I am importing a ed25519 SSH key I generated on my Mac via CLI ages ago. I imported the key from file and input the keys password. 1Password created the new SSH key record. The public_key matches my public key, however my private key is different.

One thing I noticed is that the header of my private key file is -----BEGIN OPENSSH PRIVATE KEY----- while the header of the private key in 1Password is -----BEGIN PRIVATE KEY-----.

I tested connecting to some servers over SSH using the key in 1Password, however it does not work to connect to my SSH servers.

So did 1Password recode my key somehow away from OpenSSH?


1Password Version: 8.73
Extension Version: Not Provided
OS Version: macOs 11.6.7
Browser:_ Not Provided
Referrer: forum-search:https://1password.community/search?Search=ssh%20key%20import

22 replies

August 31, 2023

Just wanted to add to smythg's comment about this being a bug - we faced this issue also with SSH keys provided by clients. Thinking we were doing the right thing by importing them into 1Password under the correct credential type.

It was extremely lucky that we had the original files shared by our clients, otherwise that would have been a very embarrassing conversation with our clients to get the SSH keys again.

Converting information without warning is a HUGE no-no! Especially with something as sensitive as SSH keys.

1Password - do better! I've been a customer since the early days, and this has put a cloud over whether I would recommend this product to others.

September 29, 2023

+1 - this is a major issue. We use tools and services that require specific key formats. Key export format options should be available; don't presume that OpenSSH format is OK. We can use the web vault workaround for now, but this IMHO this is a major oversight if you intend to promote SSH key management in this product.

October 28, 2023

This is insane. I uploaded numerous RSA private keys and then went to another system and attempted to read them, only to get the error unsupported key type "RSA PRIVATE KEY" passed with the PEM. Completely confused, I opened the 1P UI and took a look and sure enough, they key is different?! Thankfully I had not yet deleted the keys on my original machine. This is NOT OK.

October 28, 2023

I feel like I have to be doing something wrong as this is the most basic of use cases, literally just trying to read a key I've just uploaded. It's an RSA 4096 key w/ public exponent of 65537. It's listed in the UI w/ a "key type" value of "RSA, 4096-bit", but the actual key saved is something else and once uploaded, cannot be re-exported. I'm struggling to understand how you can https://developer.1password.com/docs/ssh/manage-keys/#supported-ssh-key-types. It's mind blowing and honestly kind of scary that this issue has been outstanding for over a year.

November 8, 2023

Another +1 - this behind the scenes conversion behavior essentially makes key storage unusable. Our company just signed on with 1Password this year and this problem is both surprising and disappointing. This item should be at the very top of the priority list

November 13, 2023

+1. Please fix this.

My hacky workaround was to store an RSA key in a Document item type and attach my pem file but then I can't use SSH features.

November 13, 2023

+1 for me as well

November 15, 2023

Upvote for this feature! I need my RSA key retrievable in the original format.

December 12, 2023

Hello,
Need to use a specific format :

op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh"

ref: https://developer.1password.com/docs/cli/ssh-keys/

floris_1P
1Password Employee
February 29, 2024

@johnpitchko @mrgrain @truist @cburkin @tannerwj @smythg @foeajames @skpeml @jamesdh @jshafe @mowen Former Member @danfake

Hey everyone, thanks all for chiming in. We've made some changes to the private key export functionality: You now have control over the format your private key will be exported in. We support the OpenSSH format, PKCS#8, and PKCS#1 (if you originally imported the key in PKCS#1 format). This is available in the latest beta release and will be present in the next stable release as well.

We'd love to hear if this resolves the incompatibility issues you ran into. Apologies for the inconvenience this has caused.