Key File Formats
The samples below are all RSA keys, i.e. key pairs for asymmetric (public-key) cryptography. Unfortunately there are several file formats for such keys, and the aim of this post is to cover each of them.
GPG
This format is what is used for email based security, encrypting/decrypting files on your computer, and digitally signing software.
Private GPG Key
Generated from gpg --export-secret-keys -a "username@email.com" > [filename].asc (the -a flag asks for ASCII-armoured output, which is what gives the BEGIN/END lines below; without it gpg writes binary)
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1
lQdGBFkW4esBEAC5GeGmDASNHTQydE9qjzjnfkuPNpAS+9SqT4WbhqE+5zQdRhzL
...
A1TE7Cub/cVlTby3gIiz3Q42mQI6vOrcCC56JP6mo9wVzJb8uhad1wI36XPygh0=
=N6UH
-----END PGP PRIVATE KEY BLOCK-----
Public GPG Key
Generated from gpg --export -a "username@email.com" > [filename].asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFkW4esBEAC5GeGmDASNHTQydE9qjzjnfkuPNpAS+9SqT4WbhqE+5zQdRhzL
...
kbEI7B+iIQd8qKczj0kDVMTsK5v9xWVNvLeAiLPdDjaZAjq86twILnok/qaj3BXM
lvy6Fp3XAjfpc/KCHQ==
=BKkp
-----END PGP PUBLIC KEY BLOCK-----
I will try to use the .pgp extension with these. If you double click a .pgp file in Ubuntu, it will automatically get imported into your key-ring.
If one uses the .pem extension, it will get displayed in a certificate viewer correctly, but this is technically the incorrect extension.
PEM
Privacy Enhanced Mail (PEM) is the Base64-with-header container commonly used for website certificates, and the private/public key files it wraps are also accepted by SSH.
The ssh-keygen tool can also generate these PEM key files if one uses the correct flags/options (-m PEM).
This format is for website certificates and can be used/converted for SSH.
Because the OpenSSH private key format is specific to OpenSSH, many tools and services, such as Oracle and Bitbucket Pipelines, require SSH keys to be in PEM format rather than the OpenSSH format.
Private PEM Key
Run this command to generate a private PEM key file (using the RSA algorithm).
NUM_BITS=2048
openssl genpkey \
-algorithm RSA \
-out my-private-key.pem \
-pkeyopt rsa_keygen_bits:$NUM_BITS
Which produces an unencrypted PKCS#8 key in this format. The generic BEGIN PRIVATE KEY header does not name the algorithm; adding a cipher option such as -aes-256-cbc to genpkey wraps the key with a passphrase, in which case the header becomes BEGIN ENCRYPTED PRIVATE KEY.
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD3GrQUMf2kYaXI
Gy8GPQutRdbXiUVu4uTBeIyqbQZLHs01E7GFTxMVmod0Haf69C5GOMpEQhLt55gq
...
PYgjX12hUGX9jF+2RVl9gpozG6CEIYe8I7RuyyauDJ/gzPrG6r/G1Se6M1zK+YB9
5Y+NiCejKC3gfbW2nJfReSU=
-----END PRIVATE KEY-----
Public PEM Key
One can then derive the public-key counterpart from the private key with the following command:
openssl rsa \
-in my-private-key.pem \
-pubout > my-public-key.pub
...which has the following format (a PEM SubjectPublicKeyInfo block; despite the .pub extension this is not the one-line ssh-rsa form that authorized_keys expects, which ssh-keygen -y -f my-private-key.pem will print instead):
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9xq0FDH9pGGlyBsvBj0L
...
yjrq0ERRrsocgFwGth/LW1S7Lwl3eNa6c4NDKZ2y0Ih5qqNwZFYWhS9YoekqVs/k
iQIDAQAB
-----END PUBLIC KEY-----
Certificate Files
The PEM container also carries X.509 "certificate" files, which are what websites serve for TLS; a certificate binds a public key to a subject name under a CA's signature and contains no private material.
-----BEGIN CERTIFICATE-----
MIIFTzCCBDegAwIBAgISA7RJYUHA0fxP9xqrMmWBlAuhMA0GCSqGSIb3DQEBCwUA
...
2m68kIsbr0IzgK198sU+9XlZnYtq8Prrgkf++vR6C06zAJI5PT7DebEyq9KadC+c
V4oA4inW7T02HMylYZTl8bXP6g==
-----END CERTIFICATE-----
Certificate Request Files (CSR)
Besides private keys, public keys and certificate files, there are certificate signing request (CSR) files, which let one request a certificate from a third party (the CA) without exposing one's private key to them in the process: the CSR carries only the public key and the requested subject, signed with the private key to prove possession.
One can easily generate a CSR file from an existing private key with:
openssl req -new -key key.pem -out req.pem
Alternatively, to generate a private key and CSR in one go (the command prompts for the subject fields and for a passphrase on the new key; add -nodes, or -noenc on OpenSSL 3, to leave the key unencrypted):
MY_SITE="www.mydomain.com"
NUM_BITS=2048
openssl req -new -newkey \
rsa:$NUM_BITS \
-keyout $MY_SITE.key \
-out $MY_SITE.csr
These request files have the following format (note the CERTIFICATE REQUEST armour, distinct from the CERTIFICATE armour above; the body is elided here):
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
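The CSR workflow above, as an added example that is not code from the original post: generate the key and CSR non-interactively, then verify the CSR before it goes to the CA. It assumes openssl is on PATH; the site name, output directory and key size are placeholders chosen here.

```shell
# Added example, not from the original post: create an RSA key and CSR
# without prompts, then check the CSR before sending it to the CA.
# Assumes openssl on PATH. -nodes leaves the new key unencrypted (OpenSSL 3
# also spells it -noenc); drop it if you want a passphrase on the key.

# gen_key_and_csr SITE DIR [BITS] -> writes DIR/SITE.key and DIR/SITE.csr
gen_key_and_csr() {
  site=$1; dir=$2; bits=${3:-2048}
  openssl req -new -newkey "rsa:$bits" -nodes \
    -subj "/CN=$site" \
    -keyout "$dir/$site.key" -out "$dir/$site.csr" 2>/dev/null
  chmod 600 "$dir/$site.key"   # the key never leaves this host; keep it private
}

# csr_matches_key CSR KEY -> match | mismatch | bad-signature | skip
# A CSR is self-signed with the private key, so first verify that signature,
# then compare the public key embedded in the CSR with the one derived from
# the private key. Only a CSR that passes both checks should go to the CA.
csr_matches_key() {
  command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return 0; }
  from_csr=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ "$from_csr" = "$from_key" ]; then echo match; else echo mismatch; fi
}

# csr_subject CSR -> the subject line, to eyeball before submitting
csr_subject() {
  openssl req -in "$1" -noout -subject 2>/dev/null
}

# Demo with placeholder names (guarded so the script still loads without openssl).
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  gen_key_and_csr www.mydomain.com "$tmp"
  csr_subject "$tmp/www.mydomain.com.csr"
  csr_matches_key "$tmp/www.mydomain.com.csr" "$tmp/www.mydomain.com.key"
  rm -rf "$tmp"
fi
```

The public-key comparison is the check worth keeping: a CSR generated against the wrong key (or regenerated after a key rotation) produces a certificate that the server can never use, and the mismatch is only discovered at deployment.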
OpenSSH Keys
OpenSSH has its own private key format (-----BEGIN OPENSSH PRIVATE KEY-----), which ssh-keygen has written by default since OpenSSH 7.8; ssh-keygen is also my preferred tool for generating such files.
Private OpenSSH Key
By default, ssh-keygen will create the private keyfile at ~/.ssh/id_rsa (no extension). The sample below is what older releases wrote for RSA keys, and what ssh-keygen -m PEM still writes today: it is PEM in the PKCS#1 (RSA PRIVATE KEY) form, the same container OpenSSL uses, rather than the OpenSSH-specific format.
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwNoFjO7+a4GXoVoAwe0PJ3TignTuOFGzlXoF/gQ0ZDFiRlGt
...
x5lUThJdHVGTN0c5Mn0YefCq4qySxTfvDy8CfjDMAYlR4wxZs73vYjOPofruH35S
O3zCil5543Hkl6Pu1rllLkNI/8f385Tl4p1ymb4/qH75T0nBwy76qg==
-----END RSA PRIVATE KEY-----
Public OpenSSH Key
By default, ssh-keygen will create the public keyfile at ~/.ssh/id_rsa.pub
ssh-rsa AAAAaLotMoreRandomCharactersD4gBfkME5VsfR+D+R stuart@stu-home-office
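Since every format on this page (GPG blocks, PEM keys, certificates, CSRs and OpenSSH keys) is distinguished by its armour header, here is an added example, not code from the original post, that classifies a file by that header, checks that the END line matches the BEGIN line, and checks that a private key is not group- or world-readable. It needs only POSIX shell and coreutils, so it works where openssl and gpg are not installed; the labels it prints are names chosen here, and the demo file it writes is a constructed placeholder, not a real key.

```shell
# Added example, not from the original post: classify a key or certificate
# file by the armour header (or OpenSSH public-key prefix) on its first line.
# Pure POSIX shell + coreutils; no openssl or gpg needed.

# key_kind FILE -> prints one label (names chosen for this example):
#   pkcs8-private, pkcs8-encrypted-private, pkcs1-rsa-private,
#   openssh-private, spki-public, certificate, csr, pgp-private,
#   pgp-public, openssh-public, or unknown
key_kind() {
  first=$(head -n 1 "$1" | tr -d '\r')
  case "$first" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8-private ;;           # openssl genpkey default
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted-private ;; # genpkey with a cipher
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa-private ;;       # "traditional" PEM, ssh-keygen -m PEM
    '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh-private ;;         # ssh-keygen >= 7.8 default
    '-----BEGIN PUBLIC KEY-----')            echo spki-public ;;             # openssl rsa -pubout
    '-----BEGIN CERTIFICATE-----')           echo certificate ;;
    '-----BEGIN CERTIFICATE REQUEST-----'|'-----BEGIN NEW CERTIFICATE REQUEST-----')
                                             echo csr ;;
    '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo pgp-private ;;
    '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo pgp-public ;;
    'ssh-rsa '*|'ssh-ed25519 '*|'ecdsa-sha2-'*|'sk-'*)
                                             echo openssh-public ;;
    *)                                       echo unknown ;;
  esac
}

# armour_ok FILE -> ok | mismatch | n/a
# A BEGIN line paired with the wrong END line (a common copy/paste accident)
# is rejected by openssl and gpg alike, so catch it before shipping the file.
armour_ok() {
  first=$(head -n 1 "$1" | tr -d '\r')
  last=$(tail -n 1 "$1" | tr -d '\r')
  case "$first" in
    -----BEGIN*-----)
      want=$(printf '%s\n' "$first" | sed 's/^-----BEGIN/-----END/')
      if [ "$last" = "$want" ]; then echo ok; else echo mismatch; fi ;;
    *) echo n/a ;;   # single-line OpenSSH public keys have no armour
  esac
}

# private_perms_ok FILE -> ok | too-open
# ssh refuses a private key that is group- or world-accessible; the same
# hygiene applies to PEM and PGP secret material.
private_perms_ok() {
  bits=$(ls -ld "$1" | cut -c5-10)   # the group and other rwx fields of ls -l
  if [ "$bits" = "------" ]; then echo ok; else echo too-open; fi
}

# Demo on a constructed placeholder file (not a real key).
tmp=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n' > "$tmp/id_rsa"
chmod 600 "$tmp/id_rsa"
echo "$(key_kind "$tmp/id_rsa") $(armour_ok "$tmp/id_rsa") $(private_perms_ok "$tmp/id_rsa")"
rm -rf "$tmp"
```

The header tells you which tool will read the file (gpg, openssl or ssh) and, for private keys, whether it is the PKCS#8, PKCS#1 or OpenSSH encoding, which is exactly the information the conversion commands need.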
Conversions
Please refer to my SSH cheatsheet for how to convert between PEM and OpenSSH formats.
First published: 16th August 2018