This document describes the private key format for OpenSSH.

1. Overall format

The key consists of a header, a list of public keys, and
an encrypted list of matching private keys.

#define AUTH_MAGIC      "openssh-key-v1"

        byte[]  AUTH_MAGIC
        string  ciphername
        string  kdfname
        string  kdfoptions
        uint32  number of keys N
        string  publickey1
        string  publickey2
        ...
        string  publickeyN
        string  encrypted, padded list of private keys

2. KDF options for kdfname "bcrypt"

The options:

        string  salt
        uint32  rounds

are concatenated and represented as a string.

3. Unencrypted list of N private keys

The list of privatekey/comment pairs is padded with the
bytes 1, 2, 3, ... until the total length is a multiple
of the cipher block size.

        uint32  checkint
        uint32  checkint
        byte[]  privatekey1
        string  comment1
        byte[]  privatekey2
        string  comment2
        ...
        byte[]  privatekeyN
        string  commentN
        byte    1
        byte    2
        byte    3
        ...
        byte    padlen % 255

where each private key is encoded using the same rules as used for
SSH agent.

Before the key is encrypted, a random integer is assigned
to both checkint fields so successful decryption can be
quickly checked by verifying that both checkint fields
hold the same value.

4. Encryption

The KDF is used to derive a key, IV (and other values required by
the cipher) from the passphrase. These values are then used to
encrypt the unencrypted list of private keys.

5. No encryption

For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options for the KDF "none"
are the empty string.

$OpenBSD: PROTOCOL.key,v 1.4 2024/03/30 05:56:22 djm Exp $
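As an added example (not OpenSSH's own code), the following Python serialises and parses the cipher "none" layout of sections 1, 3 and 5, validating the checkint pair, block alignment and padding bytes. It assumes a block size of 8 for cipher "none", that AUTH_MAGIC is stored with its terminating NUL, and the ssh-ed25519 agent encoding (strings: key type, public key, private key) for each privatekey byte[]; the key material in the test is constructed dummy data.

```python
import os
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC as written on disk, NUL terminator included (assumption)

def s(b):  # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def rd(buf, off):  # read one SSH string at off -> (bytes, new offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

# keys: list of (publickey_blob, privatekey_blob, comment); block_size=8 for "none" is an assumption
def build_none(keys, block_size=8, checkint=None):
    checkint = os.urandom(4) if checkint is None else checkint
    body = checkint + checkint  # section 3: the same random checkint twice
    for _pub, priv, comment in keys:
        body += priv + s(comment)  # privatekey is raw byte[], comment is a string
    padlen = -len(body) % block_size
    body += bytes(i % 255 for i in range(1, padlen + 1))  # pad bytes 1, 2, 3, ...
    hdr = MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", len(keys))  # section 5
    return hdr + b"".join(s(pub) for pub, _, _ in keys) + s(body)

def parse(blob, block_size=8):  # header always; private section only when cipher is "none"
    if not blob.startswith(MAGIC):
        raise ValueError("bad AUTH_MAGIC")
    cipher, off = rd(blob, len(MAGIC))
    kdf, off = rd(blob, off)
    kdfopts, off = rd(blob, off)  # for "bcrypt" this holds string salt + uint32 rounds
    n, off = struct.unpack_from(">I", blob, off)[0], off + 4
    strs = []
    for _ in range(n + 1):  # N public keys, then the (possibly encrypted) private section
        x, off = rd(blob, off)
        strs.append(x)
    pubs, priv = strs[:n], strs[n]
    out = {"cipher": cipher, "kdf": kdf, "kdfoptions": kdfopts, "publickeys": pubs}
    if cipher != b"none":
        return out  # encrypted: derive key/IV via the KDF and decrypt first (section 4)
    if len(priv) % block_size or priv[:4] != priv[4:8]:
        raise ValueError("bad length or checkint mismatch")
    off, out["keys"] = 8, []
    for _ in range(n):  # ssh-ed25519 agent encoding assumed: strings type, pk, sk
        ktype, off = rd(priv, off)
        pk, off = rd(priv, off)
        sk, off = rd(priv, off)
        comment, off = rd(priv, off)
        out["keys"].append((ktype, pk, sk, comment))
    if priv[off:] != bytes(i % 255 for i in range(1, len(priv) - off + 1)):
        raise ValueError("bad padding")
    return out
```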