This document describes the private key format for OpenSSH.

1. Overall format

The key consists of a header, a list of public keys, and
an encrypted list of matching private keys.

#define AUTH_MAGIC "openssh-key-v1"

	byte[]	AUTH_MAGIC
	string	ciphername
	string	kdfname
	string	kdfoptions
	uint32	number of keys N
	string	publickey1
	string	publickey2
	...
	string	publickeyN
	string	encrypted, padded list of private keys

2. KDF options for kdfname "bcrypt"

The options:

	string salt
	uint32 rounds

are concatenated and represented as a string.

3. Unencrypted list of N private keys

The list of privatekey/comment pairs is padded with the
bytes 1, 2, 3, ... until the total length is a multiple
of the cipher block size.

	uint32	checkint
	uint32	checkint
	byte[]	privatekey1
	string	comment1
	byte[]	privatekey2
	string	comment2
	...
	byte[]	privatekeyN
	string	commentN
	byte	1
	byte	2
	byte	3
	...
	byte	padlen % 255

where each private key is encoded using the same rules as used for
the SSH agent.

Before the key is encrypted, a random integer is assigned
to both checkint fields so successful decryption can be
quickly checked by verifying that both checkint fields
hold the same value.

4. Encryption

The KDF is used to derive a key, IV (and other values required by
the cipher) from the passphrase. These values are then used to
encrypt the unencrypted list of private keys.

5. No encryption

For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options for the KDF "none"
are the empty string.

$OpenBSD: PROTOCOL.key,v 1.4 2024/03/30 05:56:22 djm Exp $
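The following is an added worked example, not part of PROTOCOL.key or of OpenSSH's own code. It builds and then parses the unencrypted container of sections 1, 3 and 5 (cipher "none", KDF "none"), including the NUL-terminated AUTH_MAGIC as it appears on disk, the duplicated checkint, the 1, 2, 3, ... padding and the agent-style private encoding. It assumes the facts that OpenSSH uses a block size of 8 for cipher "none" and wraps the container in base64 between "-----BEGIN/END OPENSSH PRIVATE KEY-----" lines at 70 columns, and that the agent encoding of an Ed25519 key is type, public point, then seed||public. The Ed25519 key bytes below are constructed filler, not a real keypair, and PRIV_FIELDS is this example's own table of how many length-prefixed fields follow the key type for the handled types.

```python
"""Encoder/decoder for the unencrypted openssh-key-v1 container (added example)."""
import base64
import secrets
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"   # on disk the magic is NUL-terminated
NONE_BLOCK_SIZE = 8                   # block size OpenSSH uses for cipher "none"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
# Assumption (this example's table): number of length-prefixed fields that
# follow the key-type string in the agent-style private encoding.
PRIV_FIELDS = {"ssh-ed25519": 2, "ssh-rsa": 6, "ecdsa-sha2-nistp256": 3,
               "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


class Reader:
    """Bounds-checked cursor over an SSH wire-format buffer."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated buffer")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())

    def rest(self) -> bytes:
        return self.buf[self.pos:]


def ed25519_blobs(seed: bytes, pub: bytes):
    """Public blob and agent-style private blob (type, pub, seed||pub)."""
    t = ssh_string(b"ssh-ed25519")
    return t + ssh_string(pub), t + ssh_string(pub) + ssh_string(seed + pub)


def build_unencrypted(keys, checkint=None) -> bytes:
    """keys: list of (public_blob, private_blob, comment). Returns the container."""
    if checkint is None:
        checkint = secrets.randbits(32)   # same random value in both checkint fields
    body = struct.pack(">II", checkint, checkint)
    for _, priv, comment in keys:
        body += priv + ssh_string(comment)
    padlen = (-len(body)) % NONE_BLOCK_SIZE
    body += bytes(range(1, padlen + 1))   # deterministic pad bytes 1, 2, 3, ...
    hdr = AUTH_MAGIC + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
    hdr += struct.pack(">I", len(keys)) + b"".join(ssh_string(p) for p, _, _ in keys)
    return hdr + ssh_string(body)


def armor(blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


def parse_unencrypted(text: str):
    """Parse an armored unencrypted key; returns checkint and (pub, priv, comment) triples."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("missing OPENSSH PRIVATE KEY armor")
    r = Reader(base64.b64decode("".join(lines[1:-1])))
    if r.take(len(AUTH_MAGIC)) != AUTH_MAGIC:
        raise ValueError("bad magic")
    cipher, kdf, kdfopts = r.string(), r.string(), r.string()
    pubs = [r.string() for _ in range(r.uint32())]
    priv_list = r.string()
    if r.rest():
        raise ValueError("trailing data after private key list")
    if cipher != b"none" or kdf != b"none" or kdfopts != b"":
        raise NotImplementedError("encrypted key: bcrypt KDF and cipher not handled here")
    if len(priv_list) % NONE_BLOCK_SIZE:
        raise ValueError("private key list is not block-aligned")
    p = Reader(priv_list)
    c1, c2 = p.uint32(), p.uint32()
    if c1 != c2:
        raise ValueError("checkint mismatch (wrong passphrase or corrupt key)")
    keys = []
    for pub in pubs:
        start = p.pos
        ktype = p.string()
        if Reader(pub).string() != ktype:
            raise ValueError("private key type does not match public key")
        nfields = PRIV_FIELDS.get(ktype.decode(errors="replace"))
        if nfields is None:
            raise ValueError("unsupported key type %r" % ktype)
        for _ in range(nfields):
            p.string()
        keys.append((pub, priv_list[start:p.pos], p.string()))   # comment follows
    pad = p.rest()
    if pad != bytes(range(1, len(pad) + 1)):
        raise ValueError("bad padding")
    return {"checkint": c1, "keys": keys}
```

Round-tripping a key through build_unencrypted and parse_unencrypted exercises every field in section 1 and section 3; flipping one byte inside the first checkint makes the parser reject the blob, which is exactly the fast failure the duplicated checkint exists to provide.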