macOS may generate SSH private keys as BEGIN OPENSSH PRIVATE KEY instead of BEGIN RSA PRIVATE KEY, requiring conversion before the key can be used for decrypting the EC2 data.
FEATURE_REQUEST
It would be great if someone could add a detection of the OpenSSH private key format and either warn the user with a link to this issue or a section of the README or offer to help them resolve it by giving them the copy/backup commands and the in-place conversion of their key.
Confirm this is your issue
If you think you have this issue or see error messages similar to the ones below, run head -1 ~/.ssh/id_rsa. If you see BEGIN OPENSSH PRIVATE KEY, you can jump to the fix/workaround below. If you see BEGIN RSA PRIVATE KEY, it is more likely that you have forgotten your passphrase or typed it wrong, or that you have multiple keys in your ~/.ssh folder and are using the wrong one.
LibreSSL error
unable to load Private Key
4468076140:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY
OpenSSL 1.1 error
unable to load Private Key
4639202752:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
After finally noticing this when trying to use iconv to attempt to convert from UTF-8 to ASCII or vice versa, I was able to find some references to the BEGIN OPENSSH PRIVATE KEY issue.
Fixing the issue
The fix turned out to be pretty straightforward: you just need to convert the key from the OpenSSH format back to the RSA (PEM) format.
Copy the file to a backup rather than moving it, in case something goes wrong or you want to use a different passphrase for the converted file, since the id_rsa file is converted/updated in place.
cp ~/.ssh/id_rsa ~/.ssh/id_rsa_openssh
This command will prompt you for the existing passphrase and then for a new one; you can reuse the same passphrase, as it only controls access to (decryption of) the secret key. It does NOT affect the contents of the key itself, which is what anyone using your public key has encrypted the data against.
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Now you should be able to perform any of the decryption methods with this key. You can verify it is in the correct format by running head -1 ~/.ssh/id_rsa and looking for the BEGIN RSA PRIVATE KEY line.
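The format check and the backup-then-convert steps above, written as a POSIX shell helper. This is an added example, not code from the original issue or from the tool it was filed against; the function names, the additional header values it recognizes and the refusal to overwrite an existing backup are my own additions.

```shell
#!/bin/sh
# Added example (not part of the original issue): report whether an SSH private
# key is in OpenSSH's native format or the legacy PEM RSA format by reading only
# its first line (the PEM header), which is the check the feature request asks for.
# Prints one of: openssh, pem-rsa, pkcs8, encrypted-pkcs8, unknown
detect_key_format() {
    key="$1"
    [ -r "$key" ] || { echo unreadable; return 2; }
    first_line=$(head -n 1 "$key")
    case "$first_line" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-rsa ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-pkcs8 ;;
        *)                                       echo unknown; return 1 ;;
    esac
}

# Back up the key (copy, not move) to <key>_openssh and convert it in place with
# ssh-keygen -p -m PEM, as the fix section describes. ssh-keygen prompts for the
# existing passphrase and a new one; the key material itself is unchanged.
convert_to_pem() {
    key="$1"
    fmt=$(detect_key_format "$key") || true
    case "$fmt" in
        pem-rsa) echo "$key is already in PEM RSA format; nothing to do"; return 0 ;;
        openssh) ;;
        *) echo "$key is in '$fmt' format; this helper only converts OpenSSH keys" >&2; return 1 ;;
    esac
    backup="${key}_openssh"
    if [ -e "$backup" ]; then
        echo "backup $backup already exists; refusing to overwrite it" >&2
        return 1
    fi
    cp -p "$key" "$backup" && chmod 600 "$backup"
    ssh-keygen -p -m PEM -f "$key"
    # Re-check the header so a failed or aborted conversion is not silently accepted.
    [ "$(detect_key_format "$key")" = "pem-rsa" ] || { echo "conversion failed; original kept at $backup" >&2; return 1; }
    echo "converted $key to PEM RSA (backup at $backup)"
}
```

Run as `convert_to_pem ~/.ssh/id_rsa`; the backup path matches the cp command in the fix above.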
If you also want to convert your public key from the base64-encoded ssh-rsa form to the PEM/RSA PUBLIC KEY format, you can use a command like the one below. You might need to do this if you are uploading a key to a service/site that only understands the RSA PUBLIC KEY format and not the OpenSSH one, something like AWS OpsWorks, though I'm sure they have supported the OpenSSH style for a while.
This will prompt you for the passphrase of your private key in order to produce the correct output for your public key; specifying PEM as the format produces the RSA PUBLIC KEY style output.
ssh-keygen -f ~/.ssh/id_rsa -e -m PEM > ~/.ssh/id_rsa.pem
This conversion is documented in man ssh-keygen under the -m argument.
-m key_format
Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: ``RFC4716'' (RFC 4716/SSH2 public or private key), ``PKCS8'' (PKCS8 public or private key) or ``PEM'' (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is ``RFC4716''. Setting a format of ``PEM'' when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.
Note:
The latter (meaning -p) may be used to convert between OpenSSH private key and PEM private key formats.