Former Member
4 years ago
1Password changed my private key upon import
I am importing an ed25519 SSH key I generated on my Mac via CLI ages ago. I imported the key from file and input the key's password. 1Password created the new SSH key record. The public_key matches my public key, however my private key is different.
One thing I noticed is that the header of my private key file is -----BEGIN OPENSSH PRIVATE KEY----- while the header of the private key in 1Password is -----BEGIN PRIVATE KEY-----.
I tested connecting to some servers over SSH using the key in 1Password, however it does not work to connect to my SSH servers.
So did 1Password recode my key somehow away from OpenSSH?
1Password Version: 8.73
Extension Version: Not Provided
OS Version: macOs 11.6.7
Browser: Not Provided
Referrer: forum-search:https://1password.community/search?Search=ssh%20key%20import
22 Replies
- Former Member
+1 - this is a major issue. We use tools and services that require specific key formats. Key export format options should be available; don't presume that OpenSSH format is OK. We can use the web vault workaround for now, but IMHO this is a major oversight if you intend to promote SSH key management in this product.
- Former Member
Just wanted to add to smythg's comment about this being a bug - we faced this issue also with SSH keys provided by clients. Thinking we were doing the right thing by importing them into 1Password under the correct credential type.
It was extremely lucky that we had the original files shared by our clients, otherwise that would have been a very embarrassing conversation with our clients to get the SSH keys again.
Converting information without warning is a HUGE no-no! Especially with something as sensitive as SSH keys.
1Password - do better! I've been a customer since the early days, and this has put a cloud over whether I would recommend this product to others.
- Former Member
Is this problem being fixed by the work mentioned by Andi in:
https://1password.community/discussion/139136/cli-export-of-ssh-private-key-does-not-export-in-the-expected-format
Having 1Password change your key without asking seems a real bug. A serious bug if you have not kept a copy of the key elsewhere, as you assumed 1Password would not mess with your key.
- Former Member
Adding another "me too"
I had a specific issue where I downloaded an AWS key and saved it to my 1Password, but when I needed to upload my key to AWS to get a password of a newly created server AWS didn't recognize the key and it failed because it was a different format. Even if I copied it from the browser it now says -----BEGIN PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----. This was very confusing until I found this thread. I would definitely prefer if it saved the key in the format provided with the option to export in different formats if selected.
- Former Member
Is there a feature request where we can track this issue ?
There is no public issue for this that you can track, unfortunately. We'll keep you posted when we have any updates regarding this issue.
- cburkinNew Contributor
Me too.
Stored a private key for a TLS https encryption certificate. It's needed to re-install the cert on a new server, and 1Password changed mine, causing failure. Luckily still had a copy of the original.
Is there a feature request where we can track this issue ?
- Former Member
Just a "me too" report (key that was "RSA" converted to "OPENSSH"), but with a different consequence. In our case, this broke compatibility with python code we had that was trying to read the key.
The error message was:
('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])
While googling about this, I found https://stackoverflow.com/questions/56473553/why-cant-openssl-read-an-ssh-private-key-created-by-openssh-on-osx/56488091#56488091 that suggests that this is a Mac/Linux issue.
That also led to https://serverfault.com/a/950686/376938.
- Jack_P_1P
1Password Team
Hey @mrgrain:
I agree completely. I've shared your thoughts on an internal discussion we have on the topic. While I can't promise anything, as I mentioned, we're continuing to explore this change.
Jack
ref: dev/core/core#15591
- Former Member
Hi Jack_P_1P
Thanks for the info, that's helpful. =)
I guess from a user perspective I'd expect 1Password to export my key exactly "as is" by default.
Exporting in different formats sounds like a great feature, but should always be an explicit option.
- Jack_P_1P
1Password Team
Hi @mrgrain:
1Password for desktop used to export keys in PKCS #8 format. Recent releases of 1Password for desktop now export using OpenSSH format. We're continuing to explore this change and consider additional ways of choosing which way you'd like to export your key, but in the meantime, if you're looking to export your key in PKCS #8 format, it's possible to do using my.1Password.com and copying your PKCS #8 format private key from there.
Jack
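Added example, not part of any post in this thread and not 1Password's code: standard-library Python that reads the PEM label to tell apart the containers named in the thread (OpenSSH, PKCS #8, traditional RSA) and, for an OpenSSH container, reports the fingerprint of the embedded public key. The function names and the sample key are constructed for illustration.

```python
import base64, hashlib, re, struct

MAGIC = b"openssh-key-v1\x00"
# PEM labels quoted in the thread, mapped to the container each one denotes.
CONTAINERS = {
    "OPENSSH PRIVATE KEY": "openssh-key-v1",
    "PRIVATE KEY": "PKCS#8",
    "RSA PRIVATE KEY": "PKCS#1 (traditional RSA)",
}

def _read(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated OpenSSH key container")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated OpenSSH key container")
    return buf[off + 4:end], end

def inspect_private_key(pem):
    """Report the container format; for OpenSSH, also the public key fingerprint."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.groups()
    info = {"label": label, "container": CONTAINERS.get(label, "unknown")}
    if label != "OPENSSH PRIVATE KEY":
        return info
    raw = base64.b64decode("".join(body.split()))
    if not raw.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read(raw, len(MAGIC))   # "none" when not passphrase-protected
    _, off = _read(raw, off)               # KDF name
    _, off = _read(raw, off)               # KDF options
    pub, _ = _read(raw, off + 4)           # skip uint32 key count; public blob is in the clear
    key_type, _ = _read(pub, 0)
    fp = base64.b64encode(hashlib.sha256(pub).digest()).decode().rstrip("=")
    info.update(encrypted=cipher != b"none", key_type=key_type.decode(),
                fingerprint="SHA256:" + fp)
    return info

def constructed_sample():
    """Constructed input: correct container layout, placeholder bytes, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(b"ssh-ed25519") + s(bytes(range(32)))
    raw = MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1) + s(pub) + s(b"\0" * 8)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

The fingerprint it reports for an OpenSSH-format file can be compared with the output of `ssh-keygen -lf` on the matching public key file.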