upstream: Factor out PuTTY setup.

[thirdparty/openssh-portable.git] / PROTOCOL.key

This document describes the private key format for OpenSSH.

1. Overall format

The key consists of a header, a list of public keys, and
an encrypted list of matching private keys.

#define AUTH_MAGIC      "openssh-key-v1"

        byte[]  AUTH_MAGIC
        string  ciphername
        string  kdfname
        string  kdfoptions
        uint32  number of keys N
        string  publickey1
        string  publickey2
        ...
        string  publickeyN
        string  encrypted, padded list of private keys

2. KDF options for kdfname "bcrypt"

The options:

        string salt
        uint32 rounds

are concatenated and represented as a string.

3. Unencrypted list of N private keys

The list of privatekey/comment pairs is padded with the
bytes 1, 2, 3, ... until the total length is a multiple
of the cipher block size.

        uint32  checkint
        uint32  checkint
        byte[]  privatekey1
        string  comment1
        byte[]  privatekey2
        string  comment2
        ...
        string  privatekeyN
        string  commentN
        byte    1
        byte    2
        byte    3
        ...
        byte    padlen % 255

where each private key is encoded using the same rules as used for
SSH agent.

Before the key is encrypted, a random integer is assigned
to both checkint fields so successful decryption can be
quickly checked by verifying that both checkint fields
hold the same value.

4. Encryption

The KDF is used to derive a key, IV (and other values required by
the cipher) from the passphrase. These values are then used to
encrypt the unencrypted list of private keys.

5. No encryption

For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options if the KDF "none"
are the empty string.

$OpenBSD: PROTOCOL.key,v 1.3 2022/07/01 04:45:50 djm Exp $