SSH keys are stored in different formats, primarily SSH2 and OpenSSH. When you need to use these keys for public-key authentication, it is crucial that they are in the correct format. If your key is in SSH2 format, you must convert it to OpenSSH format for it to work correctly with most servers.

The ssh-keygen tool, available on Linux, macOS, and Windows 11, allows you to convert SSH keys between these formats. Using this tool, you can ensure that your keys are properly formatted for your specific needs.

Accurate key formatting is vital for maintaining secure access to your servers. Using the correct format is necessary for proper authentication and security.

Steps to export SSH key between SSH2 (SECSH) and OpenSSH format:

  1. Launch terminal.
  2. Create an SSH key pair if you don't already have one.
    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/user/.ssh/id_rsa
    Your public key has been saved in /home/user/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:56nQo6Shxw4+vcezLKSr8wXYDpNTFxMO8J70yg8gelk user@host
    The key's randomart image is:
    +---[RSA 3072]----+
    |... +.           |
    | . o o           |
    |  + o            |
    | B +             |
    |O = E   S .      |
    |oB =.  . o .     |
    |. O=o.o o o      |
    |.oo*==+o o       |
    |.+===++o.        |
    +----[SHA256]-----+

    ssh-keygen creates a key pair in OpenSSH format by default.

  3. Locate the key file that you want to convert.
    $ ls ~/.ssh/id_rsa.pub 
    /home/user/.ssh/id_rsa.pub

    The public key file normally has a .pub extension, while the private key file has no extension.

  4. Check the file type of the key file.
    $ file ~/.ssh/id_rsa.pub
    /home/user/.ssh/id_rsa.pub: OpenSSH RSA public key
  5. Convert OpenSSH key to SSH2 format using ssh-keygen.
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "3072-bit RSA, converted by user@host from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABgQCs3A3PQIlEFoBiLcor8Fbkd3ayfwyQS5elrUVsKK
    rD1lbuHfVscRGIidnrCnG9Fk9R0ZIr8/L8BCdLo2CYbQ6NQl8qaxJgnVNtzWD/akUEpChu
    +hOpnWDYgwNih1i/4FZ+gfYwWkGhwZJ5qYTNYNp3shbAByGSHLU0PEmP2j/Thlkl2uroVl
    q3BEYCKj3StB2gz/oOoDQmk3pL3IEKr19+E2jt2h2my0Rx4NLchq3posOQs23JzSJNa12U
    8Ws4qWjUL8JIl94RBlWV6j1H/krP3SddalmSvzRb+KU6aqvJqorKdZUcurFm1bV/ooteE+
    3WMVTc+N4570qc8szfd6T0nCZ7R3dY2c/xsukGQpYcus5c89+1WO0G5892/u8+MgPMpQ1P
    2+kgDxS+vjDQduzgAFlkmngvktzSucSHka6s42CZye2gvLuLR6mhW+bp3jIR0SqBbUlvy1
    Dxj88bMbSoZ6IFQ7yNnYS2Dc1oze93otKN+9Azx2C6WBDUqVf/7P8=
    ---- END SSH2 PUBLIC KEY ----
    -e  -- export key to SECSH file format
  6. Save converted OpenSSH key to file.
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub > id_rsa_ssh2.pub
  7. Convert SSH2 key to OpenSSH format using ssh-keygen.
    $ ssh-keygen -i -f id_rsa_ssh2.pub 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCs3A3PQIlEFoBiLcor8Fbkd3ayfwyQS5elrUVsKKrD1lbuHfVscRGIidnrCnG9Fk9R0ZIr8/L8BCdLo2CYbQ6NQl8qaxJgnVNtzWD/akUEpChu+hOpnWDYgwNih1i/4FZ+gfYwWkGhwZJ5qYTNYNp3shbAByGSHLU0PEmP2j/Thlkl2uroVlq3BEYCKj3StB2gz/oOoDQmk3pL3IEKr19+E2jt2h2my0Rx4NLchq3posOQs23JzSJNa12U8Ws4qWjUL8JIl94RBlWV6j1H/krP3SddalmSvzRb+KU6aqvJqorKdZUcurFm1bV/ooteE+3WMVTc+N4570qc8szfd6T0nCZ7R3dY2c/xsukGQpYcus5c89+1WO0G5892/u8+MgPMpQ1P2+kgDxS+vjDQduzgAFlkmngvktzSucSHka6s42CZye2gvLuLR6mhW+bp3jIR0SqBbUlvy1Dxj88bMbSoZ6IFQ7yNnYS2Dc1oze93otKN+9Azx2C6WBDUqVf/7P8=
    -i  -- import key to OpenSSH format
  8. Save converted SSH2 key to file.
    $ ssh-keygen -i -f id_rsa_ssh2.pub > id_rsa_openssh.pub
  9. Check the file type of the converted key file.
    $ file id_rsa_openssh.pub
    id_rsa_openssh.pub: OpenSSH RSA public key
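
Both formats wrap the same binary key blob, so a conversion can be verified by decoding each file and comparing fingerprints. The following is an added example, not part of the original article or of OpenSSH: the function names are hypothetical and SAMPLE_BLOB is a constructed, RSA-shaped dummy value rather than a real key.

```python
import base64, hashlib, struct
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def _s(b):  # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

# Constructed RSA-shaped blob (type, e=65537, dummy modulus); not a real key.
SAMPLE_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xc3" * 256)

def key_type(blob):
    """The algorithm name is the first length-prefixed string inside the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def parse_openssh(line):
    """Decode a one-line 'type base64 [comment]' public key to its raw blob."""
    fields = line.split(None, 2)
    blob = base64.b64decode(fields[1], validate=True)
    if key_type(blob) != fields[0]:
        raise ValueError("key type prefix does not match the encoded blob")
    return blob

def parse_ssh2(text):
    """Decode an SSH2 (SECSH) public key block to its raw blob."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 begin/end markers")
    body, in_header = [], False
    for l in lines[1:-1]:
        if in_header or ":" in l:         # header, or a continued header line
            in_header = l.endswith("\\")  # trailing backslash continues it
        else:
            body.append(l)                # wrapped base64 payload
    return base64.b64decode("".join(body), validate=True)

def to_ssh2(blob, comment):
    """Emit the SSH2 form, wrapping the base64 at 70 characters per line."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'

def to_openssh(blob, comment=""):
    """Emit the one-line OpenSSH form: type, base64 blob, optional comment."""
    return f"{key_type(blob)} {base64.b64encode(blob).decode()} {comment}".strip()

def fingerprint(blob):
    """SHA256 fingerprint in the style ssh-keygen prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

The fingerprint string has the same form as the SHA256 value ssh-keygen prints in step 2, so a converted key can be checked against it before the key is installed on a server.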