16

I have generated an ED25519 SSH key pair using

ssh-keygen -t ed25519

The output of the id_ed25519 file is in OpenSSH format:

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

I would like to convert it to a PEM file format. If it were an RSA key pair, there would be no need for that, as an RSA id_rsa key is already in a PEM file format, but the ED25519 key pair is in OpenSSH format.

How can I convert this to a PEM file format?

Ferit

2 Answers

6

Use

ssh-keygen -p -f path/to/your/key -m pem 

to convert your key file to PEM, but be sure to make a backup of the file first.

Taken from https://github.com/pickware/github-action-ssh-agent

Wolfgang Blessen
  • 2
    The `-m pem` option also works to generate a new SSH ed25519 key with PEM encoding; `ssh-keygen -a 64 -t ed25519 -m pem -f yourkeyname`. From the man page: `Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.` – MountainX Oct 10 '21 at 22:11
  • 7
    Did you check that this solution actually works? If yes, then what version of `ssh-keygen` were you using? For me, the version from OpenSSH 7.9p1 did not change the key format, but passphrase only. – Anton Samsonov Apr 25 '22 at 10:18
  • @AntonSamsonov The solution worked, but I don't know the version. Default library from Ubuntu 20.04 – Wolfgang Blessen Apr 26 '22 at 05:52
  • According to @Gordon Davidson (https://security.stackexchange.com/questions/143114/what-is-the-difference-between-pem-format-to-dsa-rsa-ecc-might-i-confuse-pem-w) older software won't understand the new format and some new types of content (Ed25519 keys) can only be stored in the new format. – bcbl001 May 03 '22 at 18:37
  • With a common setup that includes setting file permissions this ends up in `Saving key "path/to/your/key" failed: Permission denied.` – SCBuergel Apr 20 '23 at 21:40
-2

I think this would work:

openssl pkey -in ed25519.pem -out ed25519.pub -pubout

It does for a private key generated this way:

openssl genpkey -algorithm ed25519 > ed25519.pem

I haven't tested ssh-keygen's private key format explicitly but I would assume that it is using OpenSSL under the hood. If the private key's base64 starts with "MC", then I would say it probably would be compatible.

ZiggyTheHamster
  • 5
    This doesn't answer the question. The OP appears to be looking for a way to convert an ed25519 ssh key to the pem format. Most ssh keys are PEM by default iirc, but not ed25519 ssh keys. – nrdxp May 28 '21 at 22:47
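
A way to check which container a private key file is actually in, for example before and after running the conversion discussed in the answers and comments above. This is an added example, not code from any of the posters; it reads the header fields of the OpenSSH container as laid out in OpenSSH's PROTOCOL.key, and the function names and the all-zero sample key are constructed for illustration.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\0"  # magic prefix defined in OpenSSH's PROTOCOL.key
LEGACY = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ecdsa", "DSA PRIVATE KEY": "dsa"}
PKCS8 = {"PRIVATE KEY": False, "ENCRYPTED PRIVATE KEY": True}  # label -> encrypted?

def read_string(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes); return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end

def describe_private_key(text):
    """Report the container, key type and encryption state of a private key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("no BEGIN/END armor found")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label in LEGACY:  # traditional PEM; encryption is flagged by a Proc-Type header
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:-1])
        return {"container": "legacy PEM", "key_type": LEGACY[label], "encrypted": enc}
    if label in PKCS8:  # key type lives in an ASN.1 OID, which is not decoded here
        return {"container": "PKCS#8 PEM", "key_type": None, "encrypted": PKCS8[label]}
    if label != "OPENSSH PRIVATE KEY":
        raise ValueError("not a private key: " + label)
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("OpenSSH armor but wrong magic")
    cipher, off = read_string(blob, len(MAGIC))
    _kdf, off = read_string(blob, off)
    _kdf_opts, off = read_string(blob, off)
    pub, _ = read_string(blob, off + 4)  # skip uint32 key count, read first public key
    key_type, _ = read_string(pub, 0)
    return {"container": "OpenSSH", "key_type": key_type.decode(), "encrypted": cipher != b"none"}

def armor(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(body).decode(), label)

# Constructed sample: valid container layout around all-zero bytes, not a usable key.
s = lambda b: struct.pack(">I", len(b)) + b
SAMPLE_OPENSSH = armor("OPENSSH PRIVATE KEY", MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1)
                       + s(s(b"ssh-ed25519") + s(bytes(32))) + s(bytes(8)))

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OPENSSH
    print(describe_private_key(src))
```

Run it with the path to a key file as the only argument; it reads only the unencrypted header fields, so it works on passphrase-protected keys too.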