Convert keys between GnuPG, OpenSsh and OpenSSL

OpenSSH to OpenSSL

OpenSSH private keys are directly understable by OpenSSL:

openssl rsa -in ~/.ssh/id_rsa -text
openssl dsa -in ~/.ssh/id_dsa -text

So, you can directly create certification request:

openssl req -new -key ~/.ssh/id_dsa -out mykey.csr

Notice I have not found how to manipulate ssh public key with OpenSSL

OpenSSL to OpenSSH

Private keys format is same between OpenSSL and OpenSSH, but not public key format. Nevertheless, you extract public key from private key file:

ssh-keygen -y -f id_rsa > id_rsa.pub

GnuPG to OpenSSL

Gpgsm utility can exports keys and certificate in PCSC12:

gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX

You have to extract Key and Certificates separatly:

openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem

You can now use it in OpenSSL.

You can also do similar thing with GnuPG public keys. There will be only certificates output.

OpenSSL to GnuPG

Invert process:

openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
gpgsm --import gpg-key.p12

GnuPG to OpenSSH

Now, chain processes:

 gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
 openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem

We need to protect key, else ssh refuse it.

 chmod 600 gpg-key.pem
 cp gpg-key.pem ~/.ssh/id_rsa
 ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

OpenSSH to GnuPG

First we need to create a certificate (self-signed) for our ssh key:

openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem

We can now import it in GnuPG

openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
gpgsm --import ssh-key.p12

Notice you cannot import/export DSA ssh keys to/from GnuPG

Commentaires

1. Le lundi, mars 5 2012, 04:46 par Alan Aversa

Is a private key needed to convert a public OpenSSH key to a public GnuPG key? Thanks

2. Le vendredi, avril 13 2012, 10:14 par Jérôme Pouiller

OpenSSL is the main tool to translate OpenSSH key to GnuPG and I hadn't found any way to manipulate public OpenSSH keys using OpenSSL.

3. Le jeudi, août 2 2012, 09:35 par dumbguy

gpgsm does not seem to be capable of exporting generated keys....

$ gpg2 ~~gen-key~~ export
.....
1024R/FFD0B47E 2012-08-02 ....

but then when you type
$ gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xFFD0B47E
gpgsm: can't export key `0xFFD0B47E': No secret key

The secret key is there, and is exportable with gpg.

Anything I am missing here?

Merci beaucoup in advance....

4. Le jeudi, août 30 2012, 12:31 par kang

here's another one:

convert gpg-agent keys to ssh-keys

/usr/lib/gnupg/gpg-protect-tool --p12-export -P <passphrase> ~/.gnupg/private-keys-v1.d/foo >foo.p12

foo is the hash of the key (you can cat it to find out which key path it was imported from). prepend the above line by space to avoid login the passphrase in history.

then (as per this guide, in fact)

openssl pkcs12 -in foo.p12 -nocerts -out foo.pem
chmod 0600 foo.pem 
mv foo.pem ~/.ssh/id_rsa
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

note that with DSA or ECDSA keys, your mileage may vary.

5. Le mercredi, janvier 23 2013, 21:44 par poombah

The Monkeysphere project provides a tool called "openpgp2ssh".

http://web.monkeysphere.info/

6. Le mardi, août 20 2013, 00:14 par Alan Aversa

This works well for going from GnuPG to OpenSSH:

gpg --export <keyID> | openpgp2ssh <keyID>

Sysmic.org