[I-13] Exported private keys are not protected by a passphrase?

You could also retain the passphrase for imported encrypted keys as a piece of metadata on the key in 1Password, and then default to using that passphrase again when exporting.

Would it be possible to optionally add a passphrase at export/download (and use the 1Password password generator to generate it)?

Yes - this is something that we are considering and this thread is great to see as it helps to plan the best way forward.

The option to download a private key should at least offer some encryption options. Options provided by ssh-keygen include:

• -a rounds (number of bcrypt_pbkdf rounds)
• -m key_format (RFC4716, PKCS8 or PEM)
• -Z cipher (aes256-ctr, aes256-cbc, etc.)
• -p to prompt for a passphrase.

1Password should at least offer some of these options, perhaps with sensible defaults. It shouldn't be left up to the user to have to manually look up the man page for ssh-keygen to encrypt it themselves.

However, it might be reasonable if, when importing a key, it did include the original file as an attachment. But you could also do that manually if you wanted.

Imho 1Password should keep the original password. We want to store data but we don’t want to get it modified unintentionally.