How to convert SSH keys between SSH2 (SECSH) and OpenSSH formats

Public-key authentication depends on compatible key formats between client tools and servers. Converting an SSH public key between OpenSSH and SSH2 (SECSH) formats enables reuse of the same key with different clients, appliances, and managed services.

The ssh-keygen utility supports exporting an OpenSSH public key to SSH2 format with the ‑e option and importing an SSH2 public key back to OpenSSH format with the ‑i option. These conversions operate on the key data and leave the original key files unchanged, which makes it safe to write the converted result to a separate file.

Key conversions must be handled carefully to avoid exposing sensitive private keys or breaking existing access. Focusing on public key files (usually with a .pub extension) reduces risk, and verifying the converted file type ensures the resulting key matches the expected format on Linux, macOS, and Windows 11 environments.

Related: How to convert an SSH2 public Key to OpenSSH format
Related: How to copy an SSH public key to a server

Steps to convert SSH keys between SSH2 (SECSH) and OpenSSH formats:

  1. Launch a terminal on the system where the SSH key resides.
  2. Create an SSH key pair if no existing key is available. 
    $ ssh-keygen -t rsa -b 3072 -f ~/.ssh/id_rsa -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:GwnL1oVp39uF89fMART8hvrbOEGRLxasAL1FL9FmjoY user@host
The key's randomart image is:
+---[RSA 3072]----+
|       .o .o+oo  |
|         = .+X   |
|      . + *.*o*  |
|     . = E =.*.= |
|      + S o = =..|
|     .   o . + *o|
|        .   o o *|
|             oo .|
|             oo. |
+----[SHA256]-----+

    Related: How to generate SSH key pairs

    ssh-keygen creates a key pair in OpenSSH format by default. Omit the -N "" option to set a passphrase interactively.

  3. Locate the public key file that requires conversion. 
    $ ls ~/.ssh/id_rsa.pub
/home/user/.ssh/id_rsa.pub

    Public key files typically use the .pub extension, while private key files commonly have no extension.

  4. Inspect the key file type to confirm the current format. 
    $ file ~/.ssh/id_rsa.pub
/home/user/.ssh/id_rsa.pub: OpenSSH RSA public key
  5. Export the OpenSSH public key to SSH2 (SECSH) format. 
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "3072-bit RSA, converted by user@host from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABgQCwRuYw1HVSLMrXVLAmrRgpmtN+jZjf7daTH1QgyF
a6OH3+YABi6s39cJZC0Zqm/WWpt162As7BGyGivREffG65ini3O3F6CpSGqTnuxMLKk0m7
YoRfxHTrSYvk+adbHhXUnNE35WebM5gldw3saOeSKtGP7PiJXXEewlUApnXflazY6CJPJi
9LgYANB4MFUJfkuM6il4le6lJZpze5ZHZ/yv/EsHq2TnXkwq8rYu3yRvjdIj+O11ukqF3W
pTE1LeJAHfV0431tuDQiPen7tNzj7lBh35AWU9h3sH1CtY8u2ElJzKz/HndtYFf5zW1Zi1
qxMidIOwJKV/r5R5bci02NWh0lkSXnETy40JXZCg10ZnRHyjztQltSFy8TnIUbCKEB0SAI
lBNWUlQXZ8EdRNhK5H3i9OltjYyxItlXEL6hhWW/uDkNf5iQoDfraUnX8aPVYnhQFtvfmH
NS/f1rqvirgv9SA9JHKbc4QDMl1MlwJQvJeVn7OB2tjmtbx1noUDc=
---- END SSH2 PUBLIC KEY ----

    The ‑e option exports an OpenSSH key to SSH2 (SECSH) public key format.

  6. Save the converted SSH2 public key to a separate file. 
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub > id_rsa_ssh2.pub

    Writing the converted key to a new file keeps the original key intact for existing deployments.

  7. Import the SSH2 public key back into OpenSSH format when needed. 
    $ ssh-keygen -i -f id_rsa_ssh2.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwRuYw1HVSLMrXVLAmrRgpmtN+jZjf7daTH1QgyFa6OH3+YABi6s39cJZC0Zqm/WWpt162As7BGyGivREffG65ini3O3F6CpSGqTnuxMLKk0m7YoRfxHTrSYvk+adbHhXUnNE35WebM5gldw3saOeSKtGP7PiJXXEewlUApnXflazY6CJPJi9LgYANB4MFUJfkuM6il4le6lJZpze5ZHZ/yv/EsHq2TnXkwq8rYu3yRvjdIj+O11ukqF3WpTE1LeJAHfV0431tuDQiPen7tNzj7lBh35AWU9h3sH1CtY8u2ElJzKz/HndtYFf5zW1Zi1qxMidIOwJKV/r5R5bci02NWh0lkSXnETy40JXZCg10ZnRHyjztQltSFy8TnIUbCKEB0SAIlBNWUlQXZ8EdRNhK5H3i9OltjYyxItlXEL6hhWW/uDkNf5iQoDfraUnX8aPVYnhQFtvfmHNS/f1rqvirgv9SA9JHKbc4QDMl1MlwJQvJeVn7OB2tjmtbx1noUDc=

    The ‑i option imports an SSH2 public key into OpenSSH public key format.

  8. Save the imported OpenSSH public key to a new file for use with OpenSSH servers. 
    $ ssh-keygen -i -f id_rsa_ssh2.pub > id_rsa_openssh.pub
  9. Verify the converted key file type after the import. 
    $ file ~/id_rsa_openssh.pub
/home/user/id_rsa_openssh.pub: OpenSSH RSA public key

    Confirming the file type ensures the key matches the expected format before configuring authorized keys or client profiles.