This document describes the private key format for OpenSSH.

1. Overall format

The key consists of a header, a list of public keys, and
an encrypted list of matching private keys.

#define AUTH_MAGIC      "openssh-key-v1"

        byte[]  AUTH_MAGIC
        string  ciphername
        string  kdfname
        string  kdfoptions
        uint32  number of keys N
        string  publickey1
        string  publickey2
        ...
        string  publickeyN
        string  encrypted, padded list of private keys

Throughout this document "string" means a uint32 big-endian length
followed by that many bytes. AUTH_MAGIC is written including its
terminating NUL, so the prefix is 15 bytes long. Each publickey
string holds the public key in its usual wire encoding. Although
the format allows N keys, OpenSSH currently writes and accepts
only N = 1.

2. KDF options for kdfname "bcrypt"

The KDF named "bcrypt" is bcrypt_pbkdf. Its options:

        string  salt
        uint32  rounds

are concatenated and represented as a string. "rounds" is the
bcrypt_pbkdf iteration count (chosen with ssh-keygen -a).

3. Unencrypted list of N private keys

The list of privatekey/comment pairs is padded with the
bytes 1, 2, 3, ... until the total length is a multiple
of the cipher block size.

        uint32  checkint
        uint32  checkint
        byte[]  privatekey1
        string  comment1
        byte[]  privatekey2
        string  comment2
        ...
        byte[]  privatekeyN
        string  commentN
        byte    1
        byte    2
        byte    3
        ...
        byte    padlen % 255

where each private key is encoded using the same rules as the
SSH agent protocol: a string key type followed by the type-specific
private fields. There is no enclosing length prefix on a private
key, so a parser must know the key type to find where the comment
begins.

Before the key is encrypted, a random integer is assigned
to both checkint fields so successful decryption can be
quickly checked by verifying that both checkint fields
hold the same value. A mismatch means the passphrase was
wrong or the file is corrupt.

4. Encryption

The KDF is used to derive a key, IV (and other values required by
the cipher) from the passphrase. These values are then used to
encrypt the unencrypted list of private keys.

5. No encryption

For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options for the KDF "none"
are the empty string.

$OpenBSD: PROTOCOL.key,v 1.3 2022/07/01 04:45:50 djm Exp $
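The layout in sections 1 to 3 and the "none" case of section 5, as an added worked example that is not OpenSSH project code: it encodes and decodes the container, validates the bcrypt kdfoptions string, and checks the checkint pair and padding on an unencrypted private list. It assumes a block size of 8 for cipher "none" (what OpenSSH's cipher table uses), the agent field counts listed for the three key types it knows, and 70-column base64 between BEGIN/END OPENSSH PRIVATE KEY lines for the on-disk file. The key bytes are constructed filler, not a real key pair.

```python
# Added example (not OpenSSH code): encode/decode the unencrypted variant of
# the openssh-key-v1 container.  Key material below is constructed filler.
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"  # OpenSSH writes the terminating NUL: 15 bytes
NONE_BLOCKSIZE = 8                  # assumed block size for cipher "none"

# String-encoded fields that follow the key type in the agent encoding of a
# private key (assumption covering only the types listed here).
PRIVATE_KEY_FIELDS = {
    b"ssh-ed25519": 2,          # pk, sk
    b"ecdsa-sha2-nistp256": 3,  # curve, Q, d
    b"ssh-rsa": 6,              # n, e, d, iqmp, p, q
}


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Cursor over a byte string with bounds-checked reads."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated input")
        out, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return out

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.u32())

    def remaining(self) -> int:
        return len(self.data) - self.pos


def encode_private_list(keys, checkint: int, blocksize: int) -> bytes:
    """Section 3: checkint twice, (privatekey, comment) pairs, then 1,2,3,... padding."""
    body = struct.pack(">II", checkint, checkint)
    for privblob, comment in keys:
        body += privblob + put_string(comment)
    padlen = (-len(body)) % blocksize
    return body + bytes((i + 1) & 0xFF for i in range(padlen))


def encode_container(pubkeys, private_list: bytes, ciphername=b"none",
                     kdfname=b"none", kdfoptions=b"") -> bytes:
    """Section 1 header followed by the (here unencrypted) private list."""
    out = AUTH_MAGIC + put_string(ciphername) + put_string(kdfname) + put_string(kdfoptions)
    out += struct.pack(">I", len(pubkeys)) + b"".join(put_string(pk) for pk in pubkeys)
    return out + put_string(private_list)


def parse_container(blob: bytes) -> dict:
    r = Reader(blob)
    if r.take(len(AUTH_MAGIC)) != AUTH_MAGIC:
        raise ValueError("not an openssh-key-v1 blob")
    hdr = {"ciphername": r.string(), "kdfname": r.string(), "kdfoptions": r.string()}
    hdr["publickeys"] = [r.string() for _ in range(r.u32())]
    hdr["private"] = r.string()
    return hdr


def parse_bcrypt_kdfoptions(opts: bytes):
    """Section 2: string salt, uint32 rounds, and nothing after them."""
    r = Reader(opts)
    salt, rounds = r.string(), r.u32()
    if r.remaining():
        raise ValueError("trailing bytes in kdfoptions")
    return salt, rounds


def parse_private_list(data: bytes, nkeys: int, blocksize: int):
    """Section 3 on already-decrypted data: verify checkints, keys and padding."""
    if len(data) % blocksize:
        raise ValueError("private list is not a multiple of the cipher block size")
    r = Reader(data)
    c1, c2 = r.u32(), r.u32()
    if c1 != c2:
        raise ValueError("checkint mismatch: wrong passphrase or corrupt key")
    keys = []
    for _ in range(nkeys):
        keytype = r.string()  # the private key has no own length prefix
        fields = [r.string() for _ in range(PRIVATE_KEY_FIELDS[keytype])]
        keys.append((keytype, fields, r.string()))  # (type, fields, comment)
    pad = r.take(r.remaining())
    if len(pad) >= blocksize or pad != bytes((i + 1) & 0xFF for i in range(len(pad))):
        raise ValueError("bad padding")
    return c1, keys


def armor(blob: bytes) -> str:
    """Base64 at 70 columns between the BEGIN/END lines (assumed ssh-keygen layout)."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def build_example() -> bytes:
    """Constructed ed25519-shaped key: filler bytes, not a real key pair."""
    pk, sk = bytes(range(32)), bytes(range(64))  # ed25519 sk is seed || pk
    pubblob = put_string(b"ssh-ed25519") + put_string(pk)
    privblob = put_string(b"ssh-ed25519") + put_string(pk) + put_string(sk)
    private_list = encode_private_list([(privblob, b"alice@example.com")],
                                       checkint=0x5EEDC0DE, blocksize=NONE_BLOCKSIZE)
    return encode_container([pubblob], private_list)


if __name__ == "__main__":
    hdr = parse_container(build_example())
    _, keys = parse_private_list(hdr["private"], len(hdr["publickeys"]), NONE_BLOCKSIZE)
    print(hdr["ciphername"], hdr["kdfname"], keys[0][0], keys[0][2])
```

For an encrypted key the same parse_private_list() runs on the output of the cipher named in the header, after deriving key and IV with bcrypt_pbkdf from the salt and rounds returned by parse_bcrypt_kdfoptions(); the checkint comparison is then the first signal that the passphrase was right.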