Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Key File Formats

The samples below are all RSA keys used for asymmetric (public-key) cryptography. Unfortunately, there are several file formats for such keys, which I aim to cover here.

GPG

This format is used for email security, for encrypting and decrypting files on your computer, and for digitally signing software.

Private GPG Key

Generated with gpg --export-secret-key -a "username@email.com" > [filename].asc

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1

lQdGBFkW4esBEAC5GeGmDASNHTQydE9qjzjnfkuPNpAS+9SqT4WbhqE+5zQdRhzL
...
A1TE7Cub/cVlTby3gIiz3Q42mQI6vOrcCC56JP6mo9wVzJb8uhad1wI36XPygh0=
=N6UH
-----END PGP PRIVATE KEY BLOCK-----

Public GPG Key

Generated with gpg --export -a "username@email.com" > [filename].asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFkW4esBEAC5GeGmDASNHTQydE9qjzjnfkuPNpAS+9SqT4WbhqE+5zQdRhzL
...
kbEI7B+iIQd8qKczj0kDVMTsK5v9xWVNvLeAiLPdDjaZAjq86twILnok/qaj3BXM
lvy6Fp3XAjfpc/KCHQ==
=BKkp
-----END PGP PUBLIC KEY BLOCK-----

I will try to use the .pgp extension with these. If you double click a .pgp file in Ubuntu, it will automatically get imported into your key-ring. If one uses the .pem extension, it will get displayed in a certificate viewer correctly, but this is technically the incorrect extension.

PEM

Privacy Enhanced Mail (PEM) files are commonly used for website certificates and for SSH keys. The ssh-keygen tool can also generate PEM key files if given the correct flags/options, and existing keys can be converted for SSH use.

Because the OpenSSH key format is OpenSSH's own, many tools and services, such as Oracle and Bitbucket Pipelines, require SSH keys to be in PEM format rather than the OpenSSH format.

Private PEM Key

Run this command to generate a private PEM key file (using the RSA algorithm).

NUM_BITS=2048

openssl genpkey \
  -algorithm RSA \
  -out my-private-key.pem \
  -pkeyopt rsa_keygen_bits:$NUM_BITS

Which produces this format...

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD3GrQUMf2kYaXI
Gy8GPQutRdbXiUVu4uTBeIyqbQZLHs01E7GFTxMVmod0Haf69C5GOMpEQhLt55gq
...
PYgjX12hUGX9jF+2RVl9gpozG6CEIYe8I7RuyyauDJ/gzPrG6r/G1Se6M1zK+YB9
5Y+NiCejKC3gfbW2nJfReSU=
-----END PRIVATE KEY-----

Public PEM Key

One can then use the private key with the following command to generate the public-key counterpart.

openssl rsa \
  -in my-private-key.pem \
  -pubout > my-public-key.pub

...with the following format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9xq0FDH9pGGlyBsvBj0L
...
yjrq0ERRrsocgFwGth/LW1S7Lwl3eNa6c4NDKZ2y0Ih5qqNwZFYWhS9YoekqVs/k
iQIDAQAB
-----END PUBLIC KEY-----

Certificate Files

The PEM format also supports "certificate" files, which are commonly used for websites.

-----BEGIN CERTIFICATE-----
MIIFTzCCBDegAwIBAgISA7RJYUHA0fxP9xqrMmWBlAuhMA0GCSqGSIb3DQEBCwUA
...
2m68kIsbr0IzgK198sU+9XlZnYtq8Prrgkf++vR6C06zAJI5PT7DebEyq9KadC+c
V4oA4inW7T02HMylYZTl8bXP6g==
-----END CERTIFICATE-----

Certificate Request Files (CSR)

In addition to public/private keys and certificate files, there are certificate request files, which allow one to request a public certificate from a third party without exposing one's private key to them in the process.

One can easily generate a CSR file from an existing private key with:

openssl req -new -key key.pem -out req.pem

Alternatively, if you want to generate a private key and CSR in one go:

MY_SITE="www.mydomain.com"
NUM_BITS=2048

openssl req -new -newkey \
  rsa:$NUM_BITS \
  -keyout $MY_SITE.key \
  -out $MY_SITE.csr

These request files have the following format:

-----BEGIN CERTIFICATE REQUEST-----
MIIFTzCCBDegAwIBAgISA7RJYUHA0fxP9xqrMmWBlAuhMA0GCSqGSIb3DQEBCwUA
...
2m68kIsbr0IzgK198sU+9XlZnYtq8Prrgkf++vR6C06zAJI5PT7DebEyq9KadC+c
V4oA4inW7T02HMylYZTl8bXP6g==
-----END CERTIFICATE REQUEST-----

OpenSSH Keys

The OpenSSH format is OpenSSH's own key format and is the default output of tools like ssh-keygen, which is also my preferred tool for generating such files.

Private OpenSSH Key

By default, ssh-keygen will create the private key file at ~/.ssh/id_rsa (no extension).

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwNoFjO7+a4GXoVoAwe0PJ3TignTuOFGzlXoF/gQ0ZDFiRlGt
...
x5lUThJdHVGTN0c5Mn0YefCq4qySxTfvDy8CfjDMAYlR4wxZs73vYjOPofruH35S
O3zCil5543Hkl6Pu1rllLkNI/8f385Tl4p1ymb4/qH75T0nBwy76qg==
-----END RSA PRIVATE KEY-----

Public OpenSSH Key

By default, ssh-keygen will create the public key file at ~/.ssh/id_rsa.pub:

ssh-rsa AAAAaLotMoreRandomCharactersD4gBfkME5VsfR+D+R stuart@stu-home-office
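As an added example (my own code, not from the original post), here is a small Python checker for the outer structure of the three envelope styles shown above: it verifies the "=XXXX" CRC-24 trailer of a PGP armored block, rejects a PEM block whose END label does not match its BEGIN label or whose body is not DER, and decodes the length-prefixed fields of a one-line OpenSSH public key. The sample inputs at the bottom are constructed toy values, not real keys.

```python
import base64, re
# Added example (not code from the original post): structural checks for the
# three envelopes shown above: PGP armor, PEM blocks and OpenSSH public keys.
ARMOR_RE = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the '=XXXX' armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def check_armored(text: str) -> dict:
    """Validate a PGP-armored or PEM block; returns {'ok': bool, ...}."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first, last = ARMOR_RE.fullmatch(lines[0]), ARMOR_RE.fullmatch(lines[-1])
    if not (first and last and (first[1], last[1]) == ("BEGIN", "END") and first[2] == last[2]):
        return {"ok": False, "reason": "BEGIN/END lines missing or labels differ"}
    label, body = first[2], lines[1:-1]
    if label.startswith("PGP"):
        body = body[body.index("") + 1:] if "" in body else body  # skip 'Version:' headers
        if not body or not body[-1].startswith("="):
            return {"ok": False, "reason": "missing CRC-24 line"}
        data = base64.b64decode("".join(body[:-1]))
        if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
            return {"ok": False, "reason": "CRC-24 mismatch"}
        return {"ok": True, "kind": "pgp", "label": label, "size": len(data)}
    data = base64.b64decode("".join(body))
    ok = bool(data) and data[0] == 0x30  # keys, certs and CSRs are all DER SEQUENCEs
    return {"ok": ok, "kind": "pem", "label": label, "size": len(data)}

def parse_openssh_pubkey(line: str) -> dict:
    """Parse 'ssh-rsa <base64> [comment]': the blob is length-prefixed strings (type, e, n)."""
    keytype, b64, *comment = line.split()
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    if fields[0].decode() != keytype:
        raise ValueError("embedded key type does not match leading word")
    e, n = (int.from_bytes(f, "big") for f in fields[1:3])
    return {"type": keytype, "e": e, "n": n, "comment": " ".join(comment)}

# Constructed samples (toy values, not real keys): armored "123456789" plus its CRC-24; ssh-rsa blob with e=65537, toy n=5.
SAMPLE_PGP = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v1\n\n"
              "MTIzNDU2Nzg5\n=Ic8C\n-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_SSH = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQU= alice@host"
```

Feed `check_armored` the text of any of the blocks above and it reports the label and decoded size; a block with an END line that does not match its BEGIN line is rejected before anything is decoded.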

Conversions

Please refer to my SSH cheatsheet for how to convert between PEM and OpenSSH formats.

Last updated: 23rd August 2022
First published: 16th August 2018