Keepassxc: Support ECDSA ssh keys

Created on 3 Nov 2018  路  7Comments  路  Source: keepassxreboot/keepassxc

Expected Behavior

It should be possible to add ECDSA keys to KeePassXC and it should be able to add it to the agent

Current Behavior

I tried adding an ECDSA key to keepassxc, but when I select it in the SSH agent it says Unsupported key type: EC PRIVATE KEY

Context

I'd like to be able to use ECDSA keys, not just RSA

Debug Info

KeePassXC - Version 2.3.4
Revision: 6fe821c

Libraries:

  • Qt 5.11.1
  • libgcrypt 1.8.3

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.17134

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey
SSH agent
Source
picture ForsakenHarmony

Most helpful comment

@mrpew Make a copy of your key first but something along these lines:

$ cat ecdsa.key
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
$ ssh-keygen -c -o -f ecdsa.key
Key now has no comment
Enter new comment: 
The comment in your key file has been changed.
$ cat old-ecdsa.key
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

The meat of the conversions is the -o switch for ssh-keygen which works in conjunction with some key modification functions. It's not very discoverable at all and took me a few minutes to remember the combination. Hope this helps.

picture hifi on 18 Oct 2019
👍2

All 7 comments

You may try ed25519 keys instead.

phoerious picture phoerious on 3 Nov 2018
👍1

Yup, that works

ForsakenHarmony picture ForsakenHarmony on 3 Nov 2018

If I remember correctly ECDSA keys work if they are converted to the "new" private key format with ssh-keygen.

hifi picture hifi on 21 Nov 2018

@hifi could you please elaborate on how to convert existing EC PKs to the "new" private key format ?

mrpew picture mrpew on 18 Oct 2019

@mrpew Make a copy of your key first but something along these lines:

$ cat ecdsa.key
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
$ ssh-keygen -c -o -f ecdsa.key
Key now has no comment
Enter new comment: 
The comment in your key file has been changed.
$ cat old-ecdsa.key
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

The meat of the conversions is the -o switch for ssh-keygen which works in conjunction with some key modification functions. It's not very discoverable at all and took me a few minutes to remember the combination. Hope this helps.

hifi picture hifi on 18 Oct 2019
👍2

@hifi Thanks so much, ssh-keygen -c -o -f keyfile works and the resulting file is accepted by KeePassXC :+1:

mrpew picture mrpew on 18 Oct 2019

Closing this as we are not going to add legacy ECDSA key file parsing as it is marginally used and converting to the new format works for the remaining users.

hifi picture hifi on 6 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Throne3d picture Throne3d  路  3Comments
amvasilyev picture amvasilyev  路  3Comments
813gan picture 813gan  路  3Comments
guihkx picture guihkx  路  3Comments
shyim picture shyim  路  3Comments