Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Key File Formats

The samples below are all examples of using asymmetric public-key encryption using the RSA algorithm. Unfortunately, it appears there are various file formats for such keys which I aim to cover here.

GPG
- Private GPG Key
- Public GPG Key
PEM
OpenSSH
- Private OpenSSH Key
- Public OpenSSH Key
Conversions
References

GPG

This format is what is used for email based security, encrypting/decrypting files on your computer, and digitally signing software.

Private GPG Key

Generated from gpg --export-secret-key -a "username@email.com" > [filename].asc

Public GPG Key

Generated from gpg --export-key -a "username@email.com" > [filename].asc

I will try to use the .pgp extension with these. If you double click a .pgp file in Ubuntu, it will automatically get imported into your key-ring. If one uses the .pem extension, it will get displayed in a certificate viewer correctly, but this is technically the incorrect extension.

PEM

Privacy Enhanced Mail (PEM) keys are commonly used for website certificates and SSH keys. The ssh-keygen tool can also generate these PEM key files if one uses the correct flags/options. This format is for website certificates and can be used/converted for SSH.

Because OpenSSH is a proprietary format, many tools services, such as Oracle and Bitbucket pipelines, require SSH keys to be in this format rather than the OpenSSH format.

Private PEM Key

Run this command to generate a private PEM key file (using the RSA algorithm).

NUM_BITS=2048

openssl genpkey \
  -algorithm RSA \
  -out my-private-key.pem \
  -pkeyopt rsa_keygen_bits:$NUM_BITS

Which produces this format...

Public PEM Key

One can then use the private key with the following command to generate the public-key counterpart.

openssl rsa \
  -in my-private-key.pem \
  -pubout > my-public-key.pub

...with the following format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9xq0FDH9pGGlyBsvBj0L
...
yjrq0ERRrsocgFwGth/LW1S7Lwl3eNa6c4NDKZ2y0Ih5qqNwZFYWhS9YoekqVs/k
iQIDAQAB
-----END PUBLIC KEY-----

Certificate Files

The PEM format also supports "certificate" files, which are commonly used for websites.

Certificate Request Files (CSR)

Not only are there public/private keys, and certificate files, there is the certificate request files, which allow one to request a public certificate file from a third party, without exposing one's private key to them in the process.

One can easily generate a CSR file from an existing private key with:

openssl req -new -key key.pem -out req.pem

Alternatively, if you want to generate a private key and CSR in one go:

MY_SITE="www.mydomain.com"
NUM_BITS=2048

openssl req -new -newkey \
  rsa:$NUM_BITS \
  -keyout $MY_SITE.key \
  -out $MY_SITE.csr

These request files have the following format:

OpenSSH Keys

The OpenSSH format is a proprietary format that is defaulted to by tools like ssh-keygen which is also my preferred tool for generating such files.

Private OpenSSH Key

By default, ssh-keygen will create the public keyfile at ~/.ssh/id_rsa (no extension)

Public OpenSSH Key

By default, ssh-keygen will create the public keyfile at ~/.ssh/id_rsa.pub

ssh-rsa AAAAaLotMoreRandomCharactersD4gBfkME5VsfR+D+R stuart@stu-home-office

Conversions

Please refer to my SSH cheatsheet for how to convert between PEM and OpenSSH formats.

References

Last updated: 23rd August 2022
First published: 16th August 2018

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years experience in web development, DevOps, Linux Administration, and IT solutions.

Need support with your infrastructure or web services?

Get in touch