Convert OpenSSH ED25519 Private Key Format to PEM format
A

3

23

I have generated an ED25519 SSH key pair using

ssh-keygen -t ed25519

The output of the id_ed25519 file is in OpenSSH format:

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

I would like to convert it to a PEM file format. If it were an RSA key pair, there would be no need for that, as an RSA id_rsa key is already in a PEM file format, but the ED25519 key pair is in an OpenSSH format.

How can I convert this to a PEM file format?

Anaphora answered 4/12, 2020 at 8:6 Comment(5)
Did you find a solution? - Themis
Unfortunately no. - Anaphora
Nothing worked for me, so I ended up generating from scratch with OpenSSL: openssl genpkey -algorithm ed25519 -out private.pem && openssl pkey -in private.pem -pubout -out public.pem - Liechtenstein
OpenSSH >=9.6 is supposed to support this, but it simply does not work for me. - Razee
I think the build was broken github.com/openssh/openssh-portable/commit/… until March 2024. Newer releases should support converting. - Razee
B
10

Use

ssh-keygen -p -f path/to/your/key -m pem 

to convert your key file to PEM, but be sure to make a backup of the file first.

Taken from https://github.com/pickware/github-action-ssh-agent

Breastfeed answered 16/9, 2021 at 11:43 Comment(8)
The -m pem option also works to generate a new SSH ed25519 key with PEM encoding; ssh-keygen -a 64 -t ed25519 -m pem -f yourkeyname. From the man page: Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format. - Verbid
Did you check that this solution actually works? If yes, then what version of ssh-keygen were you using? For me, the version from OpenSSH 7.9p1 did not change the key format, but passphrase only. - Crocoite
@AntonSamsonov The solution worked, but I don't know the version. Default library from Ubuntu 20.04 - Breastfeed
According to @Gordon Davidson (security.stackexchange.com/questions/143114/…) older software won't understand the new format and some new types of content (Ed25519 keys) can only be stored in the new format. - Rife
With a common setup that includes setting file permissions this ends up in Saving key "path/to/your/key" failed: Permission denied. - Awning
-e option directs the output to the console instead of overwriting the key file - Yettie
@MountainX+ both of those don't work; -m pem is accepted on either a set-password or generate command but for ed25519 it is ignored and the (re)written file is actually new-format, because there does not exist a 'PEM' format (i.e. OpenSSL legacy) for ed25519. (There is a PKCS8 format for ed25519, but OpenSSH can't write it, although OpenSSL 9.6 two months ago can read it.) - Stays
For me this does not work? It is supposed to work in OpenSSH >=9.6, but simply does not. See also my question: superuser.com/questions/1840476/… - Razee
O
0

You can also use Puttygen to convert your ppk to pem.

The steps are these.

  1. Importing your ppk private key to Puttygen
  2. Choose RSA as the type of key to generate
  3. Choose Conversions Menu > Export OpenSSH Key > Save
  4. Use the saved file for your ssh tunnel identity file
Overstay answered 8/11, 2023 at 8:20 Comment(0)
H
-3

I think this would work:

openssl pkey -in ed25519.pem -out ed25519.pub -pubout

It does for a private key generated this way:

openssl genpkey -algorithm ed25519 > ed25519.pem

I haven't tested ssh-keygen's private key format explicitly but I would assume that it is using OpenSSL under the hood. If the private key's base64 starts with "MC", then I would say it probably would be compatible.

Historical answered 7/4, 2021 at 19:46 Comment(2)
This doesn't answer the question. The OP appears to be looking for a way to convert an ed25519 ssh key to the pem format. Most ssh keys are PEM by default iirc, but not ed25519 ssh keys. - Lied
@nrdxp: since OpenSSH 7.8 in 2018-08 the default is 'new format' (BEGIN/END OPENSSH PRIVATE KEY) for all keytypes; before that the default was 'PEM' (really OpenSSL legacy) for keytypes other than ed25519. Both new format and ed25519 existed only since OpenSSH 6.5 in 2014-01. - Stays
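
Added example (not code from any poster on this page): the comments above mention a PKCS8 format for ed25519, and the last answer notes that an OpenSSL-generated key's base64 starts with "MC". This Python sketch parses an unencrypted OpenSSH new-format Ed25519 file and re-wraps the 32-byte seed in the RFC 8410 PKCS#8 structure. The function names are hypothetical, and the sample key is constructed from the public RFC 8032 test vector 1.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
# RFC 8410 PKCS#8 header for Ed25519; the 32-byte seed follows it directly.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")

def ssh_string(buf, off=0):
    """Read one SSH string (uint32 length + data); return (data, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def openssh_ed25519_to_pkcs8(text):
    """Convert an unencrypted OpenSSH new-format Ed25519 key to PKCS#8 PEM."""
    body = [l.strip() for l in text.strip().splitlines() if "-----" not in l]
    blob = base64.b64decode("".join(body))
    if not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSH new-format private key")
    cipher, off = ssh_string(blob, len(MAGIC))
    kdf, off = ssh_string(blob, off)
    _, off = ssh_string(blob, off)              # KDF options
    if cipher != b"none" or kdf != b"none":
        raise ValueError("passphrase-protected key is not handled here")
    (nkeys,) = struct.unpack_from(">I", blob, off)
    _, off = ssh_string(blob, off + 4)          # public key blob
    priv, _ = ssh_string(blob, off)             # private section
    ktype, p = ssh_string(priv, 8)              # skip the two check integers
    if nkeys != 1 or priv[:4] != priv[4:8] or ktype != b"ssh-ed25519":
        raise ValueError("expected exactly one intact ssh-ed25519 key")
    pub, p = ssh_string(priv, p)
    secret, _ = ssh_string(priv, p)             # seed (32 bytes) || public key (32 bytes)
    if len(secret) != 64 or secret[32:] != pub:
        raise ValueError("malformed Ed25519 private key field")
    der = base64.b64encode(PKCS8_PREFIX + secret[:32]).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{der}\n-----END PRIVATE KEY-----\n"

def constructed_sample():
    """Constructed key file from RFC 8032 test vector 1 (public values, not a real key)."""
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pub = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
    s = lambda b: struct.pack(">I", len(b)) + b
    ktype = s(b"ssh-ed25519")
    priv = struct.pack(">II", 7, 7) + ktype + s(pub) + s(seed + pub) + s(b"sample")
    priv += bytes(range(1, 1 + -len(priv) % 8))  # padding bytes 1, 2, 3, ...
    blob = MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1) + s(ktype + s(pub)) + s(priv)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

The result can be checked with the openssl pkey -pubout command from the answer above. Because the output is an unencrypted private key, write it with owner-only permissions.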
