Convert keys between GnuPG, OpenSsh and OpenSSL

OpenSSH to OpenSSL

OpenSSH private keys are directly understable by OpenSSL. You can test for example:

openssl rsa -in ~/.ssh/id_rsa -text
openssl dsa -in ~/.ssh/id_dsa -text

You can also convert then to PEM format easily (notice, format for SSH private keys and PEM is very close):

openssl rsa -in ~/.ssh/id_rsa -out key_rsa.pem
openssl dsa -in ~/.ssh/id_dsa -out key_dsa.pem

So, you can directly use it to create a certification request:

openssl req -new -key ~/.ssh/id_dsa -out myid.csr

You can also use your ssh key to create a sef-signed certificate:

openssl x509 -req -days 3650 -in myid.csr -signkey ~/.ssh/id_rsa -out myid.crt

Notice I have not found how to manipulate ssh public key with OpenSSL

OpenSSL to OpenSSH

Private keys format is same between OpenSSL and OpenSSH. So you just a have to rename your OpenSSL key:

 cp myid.key id_rsa

In OpenSSL, there is no specific file for public key (public keys are generally embeded in certificates). However, you extract public key from private key file:

ssh-keygen -y -f  myid.key > id_rsa.pub

GnuPG to OpenSSH

First, you need to know fingerprint of your RSA key. You can use:

  gpg --list-secret-keys --keyid-format short

Next, you can use openpgp2ssh tool distributed in with monkeyshpere project:

 gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 > id_rsa

A few notes are necessary:

01234567 must be fingerprint of a RSA key (or subkey)
gpg --export-secret-keys also accept finger print of global key (in this case, it exports all sub-keys). However, openpgp2ssh only accept finger print of an RSA key
If no arguments are provided, openpgp2ssh export RSA keys it find

You can now extract ssh public key using:

ssh-keygen -y -f id_rsa > id_rsa.pub

GnuPG to OpenSSL

We already saw all steps. Extract key as for ssh:

  gpg --list-secret-keys --keyid-format short
  gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 > myid.ke

You can can convert this key to PEM format:

 openssl rsa -in myid.key -out myid.pem

You can create a certification request:

openssl req -new -key myid.key -out myid.csr

You can create a sef-signed certificate:

openssl x509 -req -days 3650 -in myid.csr -signkey myid.key -out myid.crt

GnuPG S/MIME to OpenSSL

Gpgsm utility can exports keys and certificate in PCSC12:

gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX

You have to extract Key and Certificates separatly:

openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem

You can now use it in OpenSSL.

You can also do similar thing with GnuPG public keys. There will be only certificates output.

OpenSSL to GnuPG S/MIME

Invert process:

openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
gpgsm --import gpg-key.p12

GnuPG S/MIME to OpenSSH

Now, chain processes:

 gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
 openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem

We need to protect key, else ssh refuse it.

 chmod 600 gpg-key.pem
 cp gpg-key.pem ~/.ssh/id_rsa
 ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

OpenSSH to GnuPG S/MIME

First we need to create a certificate (self-signed) for our ssh key:

openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem

We can now import it in GnuPG

openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
gpgsm --import ssh-key.p12

Notice you cannot import/export DSA ssh keys to/from GnuPG

$ gpg --list-secret-keys \ --with-keygrip $ gpgsm --gen-key -o temporary.cert > Existing Key > use keygrip from gpg output > fill the X509 values > create a self signed certificate $ gpgsm --import temporary.cert $ gpgsm --list-keys > find the key just imported $ gpgsm -o cert.p12 --export-secret-key-p12 ${KEY_ID} $ openssl pkcs12 -in cert.p12 -nocerts -out gpg-secret-key.pem $ openssl rsa -in gpg-secret-key.pem -pubout > gpg-public-key.pem

Commentaires

1. Le lundi, mars 5 2012, 04:46 par Alan Aversa

Is a private key needed to convert a public OpenSSH key to a public GnuPG key? Thanks

2. Le vendredi, avril 13 2012, 10:14 par Jérôme Pouiller

OpenSSL is the main tool to translate OpenSSH key to GnuPG and I hadn't found any way to manipulate public OpenSSH keys using OpenSSL.

3. Le jeudi, août 2 2012, 09:35 par dumbguy

gpgsm does not seem to be capable of exporting generated keys....

$ gpg2 ~~gen-key~~ export
.....
1024R/FFD0B47E 2012-08-02 ....

but then when you type
$ gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xFFD0B47E
gpgsm: can't export key `0xFFD0B47E': No secret key

The secret key is there, and is exportable with gpg.

Anything I am missing here?

Merci beaucoup in advance....

4. Le jeudi, août 30 2012, 12:31 par kang

here's another one:

convert gpg-agent keys to ssh-keys

/usr/lib/gnupg/gpg-protect-tool --p12-export -P <passphrase> ~/.gnupg/private-keys-v1.d/foo >foo.p12

foo is the hash of the key (you can cat it to find out which key path it was imported from). prepend the above line by space to avoid login the passphrase in history.

then (as per this guide, in fact)

openssl pkcs12 -in foo.p12 -nocerts -out foo.pem
chmod 0600 foo.pem 
mv foo.pem ~/.ssh/id_rsa
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

note that with DSA or ECDSA keys, your mileage may vary.

5. Le mercredi, janvier 23 2013, 21:44 par poombah

The Monkeysphere project provides a tool called "openpgp2ssh".

http://web.monkeysphere.info/

6. Le mardi, août 20 2013, 00:14 par Alan Aversa

This works well for going from GnuPG to OpenSSH:

gpg --export <keyID> | openpgp2ssh <keyID>

7. Le mardi, février 13 2018, 15:54 par gpgsm user

assume you have a gpg key already:

Not sure how smart it is to do that, but it took me more than a day to figure that out.

8. Le lundi, août 20 2018, 17:04 par webcam live female

Today, I went to the beach with my children. I found a sea
shell and gave it to my 4 year old daughter and said "You can hear the ocean if you put this to your ear." She put the shell
to her ear and screamed. There was a hermit crab inside and it pinched
her ear. She never wants to go back! LoL I know this is completely off
topic but I had to tell someone!

9. Le dimanche, janvier 6 2019, 16:06 par check these guys out

Hi there! I know this is kinda off topic but I'd figured I'd ask.
Would you be interested in exchanging links or maybe guest authoring a blog
post or vice-versa? My blog goes over a lot of the same subjects as yours
and I believe we could greatly benefit from
each other. If you might be interested feel free to send me an e-mail.
I look forward to hearing from you! Excellent blog by the way!

10. Le samedi, août 8 2020, 13:04 par link

Disk defragmenter rearranges files being stored in your hard disk so they really will be more easily and efficiently accessible.
Data loss might happen to anyone who utilizes a
computer or any data storage drive. Digital Signature
- This is probably the most common ways to ensure the authenticity of digital documents.

11. Le samedi, août 8 2020, 15:20 par link

WOW just what I was looking for. Came here by searching for
technology|
Excellent pieces. Keep posting such kind of information on your site.

Im really impressed by your blog.
Here are a few myths of remote repository administration and you will
need to take proper attention of these points throughout your remote dba companies.
This article explains concerning prons and cons associated with remote dba services
and even remote dba work. Whenever you are
hiring any kind of company you should keep throughout mind about the exact
same for getting greater outcomes.

12. Le jeudi, août 27 2020, 15:06 par database administrator

This technique will decrease the requirement of extra hardware settings and costs.
The prime benefit from eliminating manual laborious tasks is perfectly achieved
via a development platform. The size of your small business is not going to matter as a way long as each component of the
business is comfortable with the others' activities.

Website_title How Photography And Technology Has Evolved Over Time

Sysmic.org