Deployed 21da667f0ed6 to 0.x with MkDocs 1.6.1 and mike 2.1.3
Marco Ricci
committed
34d65a6
at 2024-11-28 13:52:34
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="An almost faithful Python reimplementation of James Coglan's vault."> <meta name="author" content="Marco Ricci"> <link rel="canonical" href="https://the13thletter.info/derivepassphrase/0.x/reference/prerequisites-ssh-key/"> <link rel="prev" href="../derivepassphrase.vault/"> <link rel="next" href="../../changelog/"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.42"> <title>Using derivepassphrase vault with an SSH key - derivepassphrase</title> <link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css"> <style>:root{--md-text-font:"Noto Sans";--md-code-font:"Noto Mono"}</style> <link rel="stylesheet" href="../../assets/_mkdocstrings.css"> <link rel="stylesheet" href="../../mkdocstrings_recommended_styles.css"> </head> <body dir="ltr"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <div data-md-color-scheme="default" data-md-component="outdated" hidden> </div> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://github.com/the-13th-letter/derivepassphrase/raw/master/docs/reference/prerequisites-ssh-key.md" title="View source of this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg> </a> <h1 id="prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key">Prerequisites for using <code>derivepassphrase vault</code> with an SSH key<a class="headerlink" href="#prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key" title="Permanent 
link">¶</a></h1> <p>Using <code>derivepassphrase vault</code> with an SSH key requires:</p> <ol> <li><a href="#ssh-agent">a running SSH agent</a>,</li> <li><a href="#python-support">a Python installation that can talk to the SSH agent</a>, and</li> <li><a href="#ssh-key">a supported SSH key.</a></li> </ol> <h3 id="ssh-agent">A running SSH agent<a class="headerlink" href="#ssh-agent" title="Permanent link">¶</a></h3> <p>SSH agents are usually packaged as part of SSH client distributions. <code>ssh-agent</code> from <a href="https://www.openssh.com/">OpenSSH</a> and Pageant from <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a> are known to work. <code>gpg-agent</code> (v2) from <a href="https://gnupg.org/">GnuPG</a> is also known to work, but comes with caveats; see notes below.</p> <p>If in doubt, we recommend OpenSSH because it is the <i>de-facto</i> canonical SSH agent implementation.</p> <div class="admonition note"> <p class="admonition-title">Agent-specific features</p> <ul> <li>OpenSSH’s <code>ssh-agent</code> supports limiting the time the agent holds the key in memory (“key lifetime”). We recommend its usage.</li> <li><code>ssh-agent</code> and GnuPG’s <code>gpg-agent</code> support requiring confirmation upon each use for a specific key. We recommend its usage as well.</li> </ul> </div> <section id="agent-specific-notes"> <div class="admonition note"> <p class="admonition-title">Other agent-specific notes</p> <div class="tabbed-set tabbed-alternate" data-tabs="1:1"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">GnuPG/<code>gpg-agent</code></label></div> <div class="tabbed-content"> <div class="tabbed-block"> <ul> <li> <p><code>gpg-agent</code> v2.0 and later uses a <em>persistent</em> database of known keys, SSH or otherwise. 
“Adding” a key to the agent actually means <em>importing</em> it, and requires choosing an “import passphrase” to protect the key on disk, in the persistent database. <code>gpg-agent</code> will cache the import passphrase in memory, and if that cache entry expires, then the <em>import passphrase</em> must be provided to unlock the key.</p> </li> <li> <p>The GnuPG distribution does not contain tools to generate native SSH keys or interactively add keys to a running <code>gpg-agent</code>, because its purpose is to expose keys in a different format (OpenPGP) to other (agent-compatible) SSH clients. A third-party tool (such as a full SSH client distribution) is necessary to load/import native SSH keys into <code>gpg-agent</code>.</p> </li> <li> <p>As a design consequence of the persistent database, <code>gpg-agent</code> always lists all known SSH keys as available in the agent. It is impossible to remove an SSH key from <code>gpg-agent</code> using standard SSH agent operations.</p> </li> <li> <p><code>gpg-agent</code> does not advertise its communication socket by default, contrary to other SSH agents, so it must be manually advertised:</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span><span class="nv">SSH_AUTH_SOCK</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>gpgconf<span class="w"> </span>--list-dirs<span class="w"> </span>agent-ssh-socket<span class="k">)</span><span class="s2">"</span> <span class="gp">$ </span><span class="nb">export</span><span class="w"> </span>SSH_AUTH_SOCK </code></pre></div> </li> </ul> </div> </div> </div> </div> </section> <h3 id="python-support">A Python installation that can talk to the SSH agent<a class="headerlink" href="#python-support" title="Permanent link">¶</a></h3> <div class="admonition bug"> <p class="admonition-title">Windows is currently <em>not</em> supported</p> <p><i>→ Further details:</i> <a 
href="https://github.com/the-13th-letter/derivepassphrase/issues/13">Issue <code>the-13th-letter/derivepassphrase#13</code>: Support PuTTY/Pageant on Windows</a></p> <p>The two major SSH agents on Windows (PuTTY/Pageant and OpenSSH) use <i>Windows named pipes</i> for communication, and Python on Windows does not inherently support named pipes. Since no comprehensive third-party Python modules to interface with named pipes appear to exist, teaching <code>derivepassphrase</code> to use Windows named pipes will require us developers to write a custom low-level C module specific to this application—an unrealistic task if we lack both technical know-how for the named pipe API as well as Windows hardware to test any potential implementation on.</p> </div> <p>On non-Windows operating systems, the SSH agent is expected to advertise its communication socket via the <code>SSH_AUTH_SOCK</code> environment variable, which is common procedure. Therefore, <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/socket.html#socket.AF_UNIX">your Python installation must support UNIX domain sockets</a>.</p> <h3 id="ssh-key">A supported SSH key<a class="headerlink" href="#ssh-key" title="Permanent link">¶</a></h3> <p>For an SSH key to be usable by <code>derivepassphrase</code>, the SSH agent must always generate the same signature for the same input, i.e. the signature must be deterministic for this key type. Commonly used SSH key types include <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a>, <a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, <a href="https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm">ECDSA</a>, <a href="https://en.wikipedia.org/wiki/EdDSA#Ed25519">Ed25519</a> and <a href="https://en.wikipedia.org/wiki/EdDSA#Ed448">Ed448</a>.</p> <ul> <li> <p>RSA, Ed25519 and Ed448 signatures are deterministic by definition. 
Thus RSA, Ed25519 and Ed448 keys are supported under any SSH agent that implements them.</p> </li> <li> <p>DSA and ECDSA signatures require choosing a value specific to each signature (a “cryptographic nonce”), which must be unpredictable. Typical DSA/ECDSA implementations therefore generate a suitably large random number as the nonce. This makes signatures non-deterministic, and thus unsuitable for <code>derivepassphrase</code>.</p> <details class="info"> <summary>Exception: PuTTY/Pageant and RFC 6979</summary> <p><a href="https://www.rfc-editor.org/rfc/rfc6979">RFC 6979</a> specifies a method to <em>calculate</em> the nonce from the DSA/ECDSA key and the message to be signed. DSA/ECDSA signatures from SSH agents implementing RFC 6979 are therefore deterministic, and thus <em>also</em> suitable for <code>derivepassphrase</code>. Pageant 0.81 implements RFC 6979.</p> <div class="admonition warning"> <p class="admonition-title">Warning: Pageant < 0.81</p> <p>Pageant 0.80 and earlier uses a different, homegrown method to calculate the nonce deterministically. 
Those versions are <em>also</em> in principle suitable for use with <code>derivepassphrase</code>, but <strong>they generate different signatures – and different derived passphrases – than Pageant 0.81 and later</strong>.</p> </div> </details> </li> </ul> <details class="info"> <summary>What SSH key type do I have?</summary> <p>If, according to your SSH agent, your key’s type…</p> <ul> <li>…ends with <code>-cert-v01@openssh.com</code>, then, for the purposes of this list, ignore the <code>-cert-v01@openssh.com</code> suffix.</li> <li>…is <code>dsa</code> or <code>ssh-dss</code>, or is <code>dsa</code> followed by a number, then your key type is <strong>DSA</strong>.</li> <li>…is <code>rsa</code> or <code>ssh-rsa</code>, or is <code>rsa</code> followed by a number, then your key type is <strong>RSA</strong>.</li> <li>…is <code>ecdsa</code> followed by a number, or is <code>ecdsa-sha2-nistp</code> followed by a number, then your key type is <strong>ECDSA</strong>.</li> <li>…is <code>ssh-ed25519</code>, then your key type is <strong>Ed25519</strong>.</li> <li>…is <code>ssh-ed448</code>, then your key type is <strong>Ed448</strong>.</li> </ul> </details> <p>If you do not yet have a (supported) SSH key, we recommend Ed25519 for maximum speed and reasonable availability, otherwise RSA for maximum availability. 
We do not in general recommend Ed448 because it is not widely implemented.</p> <details class="example"> <summary>Generating new SSH keys for <code>derivepassphrase</code></summary> <div class="tabbed-set tabbed-alternate" data-tabs="2:3"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><input id="__tabbed_2_3" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">OpenSSH</label><label for="__tabbed_2_2">PuTTY</label><label for="__tabbed_2_3">GnuPG</label></div> <div class="tabbed-content"> <div class="tabbed-block"> <p>The resulting key will be stored in <code>~/.ssh/my-vault-ed25519-key</code>, using “vault key” as a comment. Replace <code>-t ed25519</code> with <code>-t rsa</code> if generating an RSA key, and adapt the filename accordingly.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-keygen<span class="w"> </span>-t<span class="w"> </span>ed25519<span class="w"> </span>-f<span class="w"> </span>~/.ssh/my-vault-ed25519-key<span class="w"> </span>-C<span class="w"> </span><span class="s2">"vault key"</span> <span class="go">Generating public/private ed25519 key pair.</span> <span class="go">Enter passphrase for ".../.ssh/my-vault-ed25519-key" (empty for no passphrase): </span> <span class="go">Enter same passphrase again:</span> <span class="go">Your identification has been saved in .../.ssh/my-vault-ed25519-key</span> <span class="go">Your public key has been saved in .../.ssh/my-vault-ed25519-key.pub</span> <span class="go">The key fingerprint is:</span> <span class="go">SHA256:0h+WAokssfhzfzVyuMLJlIcWyCtk5WiXI8BHyhXYxC0 vault key</span> <span class="go">The key's randomart image is:</span> <span class="go">+--[ED25519 256]--+</span> <span class="go">|o B=+ |</span> <span class="go">|.=oE = . |</span> <span class="go">|.oX @ + |</span> <span class="go">| = + o * . . 
|</span> <span class="go">| + o * S B |</span> <span class="go">| + * + O o |</span> <span class="go">| * o . |</span> <span class="go">| o |</span> <span class="go">| |</span> <span class="go">+----[SHA256]-----+</span> </code></pre></div> <p>(The key fingerprint and the randomart image will naturally differ, as they are key-specific.)</p> </div> <div class="tabbed-block"> <p>The resulting key will be stored in <code>~/.ssh/my-vault-ed25519-key.ppk</code>, using “vault key” as a comment. Replace <code>-t ed25519</code> with <code>-t rsa</code> if generating an RSA key, and adapt the filename accordingly.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>puttygen<span class="w"> </span>-t<span class="w"> </span>ed25519<span class="w"> </span>-o<span class="w"> </span>~/.ssh/my-vault-ed25519-key.ppk<span class="w"> </span>-C<span class="w"> </span><span class="s2">"vault key"</span> <span class="go">Enter passphrase to save key: </span> <span class="go">Re-enter passphrase to verify: </span> </code></pre></div> </div> <div class="tabbed-block"> <p>Not supported natively. 
An alternative SSH client distribution such as OpenSSH or PuTTY is necessary.</p> <p>Alternatively, GnuPG supports reusing keys in its native OpenPGP format for SSH as long as the underlying key type is compatible.</p> </div> </div> </div> </details> <hr /> <div class="admonition abstract"> <p class="admonition-title">Further reading</p> <p>→ <a href="../../how-tos/ssh-key/">How to set up <code>derivepassphrase vault</code> with an SSH key</a></p> </div> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../derivepassphrase.vault/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Submodule vault"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class="md-footer__title"> <span class="md-footer__direction"> Previous </span> <div class="md-ellipsis"> Submodule vault </div> </div> </a> <a href="../../changelog/" class="md-footer__link md-footer__link--next" aria-label="Next: Changelog"> <div class="md-footer__title"> <span class="md-footer__direction"> Next </span> <div class="md-ellipsis"> Changelog </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> <div class="md-copyright__highlight"> Copyright © 2024 Marco Ricci (the-13th-letter) </div> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> and <a href="https://mkdocstrings.github.io/python/" target="_blank" rel="noopener"> mkdocstrings-python </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div 
class="md-dialog__inner md-typeset"></div> </div> </body> </html>
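Added example (not part of the page above and not derivepassphrase's own code): it asks the agent advertised in `SSH_AUTH_SOCK` for its key list over a UNIX domain socket and applies the page's "What SSH key type do I have?" rules to decide which keys give deterministic signatures. The function names are hypothetical, the message numbers 11 and 12 are the SSH agent protocol's identity request and answer, the 1 MiB reply bound is an assumption, and the sample message is constructed.

```python
import os
import re
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # SSH agent protocol message numbers
SSH_AGENT_IDENTITIES_ANSWER = 12
FAMILIES = [(r"ssh-dss|dsa\d*", "DSA"), (r"ssh-rsa|rsa\d*", "RSA"),
            (r"ecdsa(-sha2-nistp)?\d+", "ECDSA"),
            (r"ssh-ed25519", "Ed25519"), (r"ssh-ed448", "Ed448")]


def key_family(key_type):
    """Map an agent-reported key type to a family, following the page's list."""
    name = key_type.removesuffix("-cert-v01@openssh.com")
    return next((fam for pat, fam in FAMILIES if re.fullmatch(pat, name)), "unknown")


def read_string(buf, pos):
    """Read one SSH string (uint32 length, then data); reject truncated input."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("string runs past the end of the message")
    return buf[pos + 4:end], end


def parse_identities(payload):
    """Parse an IDENTITIES_ANSWER payload into (key type, comment) pairs."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    count, pos, keys = struct.unpack_from(">I", payload, 1)[0], 5, []
    for _ in range(count):
        blob, pos = read_string(payload, pos)
        comment, pos = read_string(payload, pos)
        key_type, _ = read_string(blob, 0)  # a key blob starts with its type name
        keys.append((key_type.decode("ascii"), comment.decode("utf-8", "replace")))
    return keys


def assess(keys):
    """Return (key type, comment, family, verdict) rows per the page's rules."""
    # DSA/ECDSA are usable only if the agent derives the nonce deterministically.
    verdicts = {"RSA": "suitable", "Ed25519": "suitable", "Ed448": "suitable",
                "DSA": "agent-dependent", "ECDSA": "agent-dependent"}
    return [(t, c, key_family(t), verdicts.get(key_family(t), "unknown"))
            for t, c in keys]


def query_agent(sock_path):
    """Ask the agent at sock_path (a UNIX domain socket) for its key list."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        with sock.makefile("rb") as reply:
            header = reply.read(4)
            length = struct.unpack(">I", header)[0] if len(header) == 4 else -1
            if not 0 < length <= 1 << 20:  # assumed sanity bound: 1 MiB
                raise ValueError("short or implausibly large agent reply")
            payload = reply.read(length)
    if len(payload) != length:
        raise EOFError("agent closed the connection early")
    return payload


def sample_answer():
    """Constructed IDENTITIES_ANSWER: two keys with all-zero dummy key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    ed = s(b"ssh-ed25519") + s(bytes(32))
    ec = s(b"ecdsa-sha2-nistp256") + s(b"nistp256") + s(bytes(65))
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2)
            + s(ed) + s(b"vault key") + s(ec) + s(b"other key"))


if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    payload = query_agent(path) if path else sample_answer()
    for row in assess(parse_identities(payload)):
        print(*row, sep="\t")
```

Run without `SSH_AUTH_SOCK` set, the script falls back to the constructed sample; with `gpg-agent`, export the socket path as shown on the page first.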