How to change the format of an SSH key file

Public-key authentication depends on compatible key formats between client tools and servers. Converting an SSH public key between OpenSSH and SSH2 (SECSH) formats enables reuse of the same key with different clients, appliances, and managed services.

The ssh-keygen utility supports exporting an OpenSSH public key to SSH2 format with the ‑e option and importing an SSH2 public key back to OpenSSH format with the ‑i option. These conversions operate on the key data and leave the original key files unchanged, which makes it safe to write the converted result to a separate file.

Key conversions must be handled carefully to avoid exposing sensitive private keys or breaking existing access. Focusing on public key files (usually with a .pub extension) reduces risk, and verifying the converted file type ensures the resulting key matches the expected format on Linux, macOS, and Windows 11 environments.

1. Launch a terminal on the system where the SSH key resides.
2. Create an SSH key pair if no existing key is available.

   $ ssh-keygen
   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/user/.ssh/id_rsa): 
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in /home/user/.ssh/id_rsa
   Your public key has been saved in /home/user/.ssh/id_rsa.pub
   The key fingerprint is:
   SHA256:56nQo6Shxw4+vcezLKSr8wXYDpNTFxMO8J70yg8gelk user@host
   The key's randomart image is:
   +---[RSA 3072]----+
   |... +.           |
   | . o o           |
   |  + o            |
   | B +             |
   |O = E   S .      |
   |oB =.  . o .     |
   |. O=o.o o o      |
   |.oo*==+o o       |
   |.+===++o.        |
   +----[SHA256]-----+

   Related: How to generate SSH key pairs

   ssh-keygen creates a key pair in OpenSSH format by default.

3. Locate the public key file that requires conversion.

   $ ls ~/.ssh/id_rsa.pub
   /home/user/.ssh/id_rsa.pub

   Public key files typically use the .pub extension, while private key files commonly have no extension.

4. Inspect the key file type to confirm the current format.

   $ file ~/.ssh/id_rsa.pub
   /home/user/.ssh/id_rsa.pub: OpenSSH RSA public key

5. Export the OpenSSH public key to SSH2 (SECSH) format.

   $ ssh-keygen -e -f ~/.ssh/id_rsa.pub
   ---- BEGIN SSH2 PUBLIC KEY ----
   Comment: "3072-bit RSA, converted by user@host from OpenSSH"
   AAAAB3NzaC1yc2EAAAADAQABAAABgQCs3A3PQIlEFoBiLcor8Fbkd3ayfwyQS5elrUVsKK
   rD1lbuHfVscRGIidnrCnG9Fk9R0ZIr8/L8BCdLo2CYbQ6NQl8qaxJgnVNtzWD/akUEpChu
   +hOpnWDYgwNih1i/4FZ+gfYwWkGhwZJ5qYTNYNp3shbAByGSHLU0PEmP2j/Thlkl2uroVl
   q3BEYCKj3StB2gz/oOoDQmk3pL3IEKr19+E2jt2h2my0Rx4NLchq3posOQs23JzSJNa12U
   8Ws4qWjUL8JIl94RBlWV6j1H/krP3SddalmSvzRb+KU6aqvJqorKdZUcurFm1bV/ooteE+
   3WMVTc+N4570qc8szfd6T0nCZ7R3dY2c/xsukGQpYcus5c89+1WO0G5892/u8+MgPMpQ1P
   2+kgDxS+vjDQduzgAFlkmngvktzSucSHka6s42CZye2gvLuLR6mhW+bp3jIR0SqBbUlvy1
   Dxj88bMbSoZ6IFQ7yNnYS2Dc1oze93otKN+9Azx2C6WBDUqVf/7P8=
   ---- END SSH2 PUBLIC KEY ----

   The ‑e option exports an OpenSSH key to SSH2 (SECSH) public key format.

6. Save the converted SSH2 public key to a separate file.

   $ ssh-keygen -e -f ~/.ssh/id_rsa.pub > id_rsa_ssh2.pub

   Writing the converted key to a new file keeps the original key intact for existing deployments.

7. Import the SSH2 public key back into OpenSSH format when needed.

   $ ssh-keygen -i -f id_rsa_ssh2.pub 
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCs3A3PQIlEFoBiLcor8Fbkd3ayfwyQS5elrUVsKKrD1lbuHfVscRGIidnrCnG9Fk9R0ZIr8/L8BCdLo2CYbQ6NQl8qaxJgnVNtzWD/akUEpChu+hOpnWDYgwNih1i/4FZ+gfYwWkGhwZJ5qYTNYNp3shbAByGSHLU0PEmP2j/Thlkl2uroVlq3BEYCKj3StB2gz/oOoDQmk3pL3IEKr19+E2jt2h2my0Rx4NLchq3posOQs23JzSJNa12U8Ws4qWjUL8JIl94RBlWV6j1H/krP3SddalmSvzRb+KU6aqvJqorKdZUcurFm1bV/ooteE+3WMVTc+N4570qc8szfd6T0nCZ7R3dY2c/xsukGQpYcus5c89+1WO0G5892/u8+MgPMpQ1P2+kgDxS+vjDQduzgAFlkmngvktzSucSHka6s42CZye2gvLuLR6mhW+bp3jIR0SqBbUlvy1Dxj88bMbSoZ6IFQ7yNnYS2Dc1oze93otKN+9Azx2C6WBDUqVf/7P8=

   The ‑i option imports an SSH2 public key into OpenSSH public key format.

8. Save the imported OpenSSH public key to a new file for use with OpenSSH servers.

   $ ssh-keygen -i -f id_rsa_ssh2.pub > id_rsa_openssh.pub

9. Verify the converted key file type after the import.

   $ file id_rsa_openssh.pub
   id_rsa_openssh.pub: OpenSSH RSA public key

   Confirming the file type ensures the key matches the expected format before configuring authorized keys or client profiles.