Skip to main content
March 28, 2023
Question

CLI export of SSH private key does not export in the expected format.

  • March 28, 2023
  • 8 replies
  • 1092 views

I store SSH private keys in 1Password, and would like to run a command using the OP CLI to "get" or "read" a private key.

When run the following OP command:
op read op://private/'Key Name'/'Private Key'

A key is returned starting with the text:
-----BEGIN PRIVATE KEY-----

or

When run the following OP command:
op item get 'Key Name' --fields label='Private Key'

A key is returned starting with the text/key header:
-----BEGIN PRIVATE KEY-----

As I understand the a key starting with -----BEGIN PRIVATE KEY----- is in the PEM format.

However when I "Export" or "Reveal" the stored Private SSH key, using the 1Password Application (macOS) v8.10.3 a key starting with the following text/key header is returned:
----BEGIN OPENSSH PRIVATE KEY-----

As I understand the a key starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- is in the OPENSSH format.

How can I get the OP CLI command to be consistent behaviour to the 1Password macOS application "Export" and run a command to "get" or "read" the private key in the OPENSSH format and starting with the text/key header of ----BEGIN OPENSSH PRIVATE KEY----- ?

Is this an open bug 1Password/OP CLI?

Please advise.

OP CLI version - 2.16.0

A previous (closed) related support thread: https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli


1Password Version: 8.10.3
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

8 replies

1Password Employee
May 26, 2023

Hi @teamwampa ! It's good that you ask. We are currently working on returning the open ssh format of private key with the CLI as well so we are more consistent with what the desktop app returns. This should be soon available in all item retrieval commands as well as in secret reference based commands. The pkcs8 format will also still be available to retrieve for backwards compatibility reasons.

All the best,
Andi

August 11, 2023

Thanks for your reply, any idea on when these updates will be released?

August 11, 2023

@teamwampa Thank you for your interest! We might have an update in the near future, but are unable to promise a date. Please stay tuned!

August 17, 2023

Hi! Is there any update on these changes?

October 19, 2023

Hi!

This issue has been reported since March 2022 and is still present (see https://1password.community/discussion/128054/how-to-export-ssh-private-key-using-cli).

@ArunV1P, can you please share an update.

Thank you.

1Password Employee
October 23, 2023

Hey @sylr, this is now supported with our new release. Download the latest CLI and use the secret reference attributes: op read op://private/Key Name/Private Key?ssh-format=openssh. Also the default returned format for op item get is OpenSSH.

All the best,
Andi

October 30, 2023

@andrew_l_1P it does work indeed!

Thanks

October 31, 2023

i have a similar issue only related to how the Ansible Plugin for 1password works.

if you use op item get item_name --vault vault_name --fields private_key --format json the key in the value field is not the openSSH Key even though it was created in 1 password as an ED25519 Key

the Ansible plugin(s) rely on the json format of the output.