Module ssh_key::private

SSH private key support.

Support for decoding SSH private keys (i.e. digital signature keys) from the OpenSSH file format:

https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD

§Decrypting encrypted private keys

When the encryption feature of this crate is enabled, it’s possible to decrypt keys which have been encrypted under a password:

use ssh_key::PrivateKey;

// WARNING: don't actually hardcode private keys in source code!!!
let encoded_key = r#"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBKH96ujW
umB6/WnTNPjTeaAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILM+rvN+ot98qgEN
796jTiQfZfG1KaT0PtFDJ/XFSqtiAAAAoFzvbvyFMhAiwBOXF0mhUUacPUCMZXivG2up2c
hEnAw1b6BLRPyWbY5cC2n9ggD4ivJ1zSts6sBgjyiXQAReyrP35myYvT/OIB/NpwZM/xIJ
N7MHSUzlkX4adBrga3f7GS4uv4ChOoxC4XsE5HsxtGsq1X8jzqLlZTmOcxkcEneYQexrUc
bQP0o+gL5aKK8cQgiIlXeDbRjqhc4+h4EF6lY=
-----END OPENSSH PRIVATE KEY-----
"#;

let encrypted_key = PrivateKey::from_openssh(encoded_key)?;
assert!(encrypted_key.is_encrypted());

// WARNING: don't hardcode passwords, and this one's bad anyway
let password = "hunter42";

let decrypted_key = encrypted_key.decrypt(password)?;
assert!(!decrypted_key.is_encrypted());
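
An OpenSSH key file records its cipher and KDF in a cleartext header (the PROTOCOL.key layout linked above), so whether a key is password-protected, and with how many bcrypt rounds, can be audited without the password. The block below is an added example, not code from the ssh-key crate: it uses only std, and `parse_header`, `Header`, `SAMPLE` and the helper names are this example's own. The header fields it reads all fall within the two base64 lines kept in `SAMPLE`.

```rust
// Added example, std only. SAMPLE: first two base64 lines of the page's encrypted test key.
const SAMPLE: &str = "b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBKH96ujW
umB6/WnTNPjTeaAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILM+rvN+ot98qgEN";

#[derive(Debug)]
pub struct Header { pub cipher: String, pub kdf: String, pub rounds: Option<u32> }

// Decode the base64 body (standard alphabet), skipping armor lines; `=` ends the data.
fn b64_body(pem: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    let body = pem.lines().map(str::trim).filter(|l| !l.starts_with("-----"));
    for c in body.flat_map(|l| l.bytes()).take_while(|&c| c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Some(out)
}

// SSH wire types: `uint32` is big-endian; `string` is a uint32 length plus that many bytes.
fn u32_at(b: &[u8], pos: &mut usize) -> Option<u32> {
    let s = b.get(*pos..*pos + 4)?;
    *pos += 4;
    Some(u32::from_be_bytes([s[0], s[1], s[2], s[3]]))
}

fn string_at<'a>(b: &'a [u8], pos: &mut usize) -> Option<&'a [u8]> {
    let len = u32_at(b, pos)? as usize;
    let s = b.get(*pos..(*pos).checked_add(len)?)?;
    *pos += len;
    Some(s)
}

// Header: AUTH_MAGIC, string ciphername, string kdfname, string kdfoptions (bcrypt: salt, rounds).
pub fn parse_header(pem: &str) -> Option<Header> {
    let raw = b64_body(pem)?;
    let body = raw.strip_prefix(b"openssh-key-v1\0")?;
    let (mut pos, mut p) = (0, 0);
    let cipher = String::from_utf8(string_at(body, &mut pos)?.to_vec()).ok()?;
    let kdf = String::from_utf8(string_at(body, &mut pos)?.to_vec()).ok()?;
    let opts = string_at(body, &mut pos)?;
    let rounds = if kdf == "bcrypt" { string_at(opts, &mut p)?; Some(u32_at(opts, &mut p)?) } else { None };
    Some(Header { cipher, kdf, rounds })
}

fn main() {
    println!("{:?}", parse_header(SAMPLE));
}
```

A `cipher` of `none` means the private section is stored unencrypted. A whole key file can be passed as well, since the BEGIN/END armor lines are skipped.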

§Encrypting plaintext private keys

When the encryption feature of this crate is enabled, it’s possible to encrypt plaintext private keys under a provided password.

The example below also requires enabling this crate’s getrandom feature.

use ssh_key::{Algorithm, PrivateKey, rand_core::OsRng};

// Generate a random key
let unencrypted_key = PrivateKey::random(&mut OsRng, Algorithm::Ed25519)?;

// WARNING: don't hardcode passwords, and this one's bad anyway
let password = "hunter42";

let encrypted_key = unencrypted_key.encrypt(&mut OsRng, password)?;
assert!(encrypted_key.is_encrypted());

§Generating random keys

This crate supports generation of random keys using algorithm-specific backends gated on cargo features.

The examples below require enabling this crate’s getrandom feature as well as the crate feature identified in backticks in the title of each example.

use ssh_key::{Algorithm, PrivateKey, rand_core::OsRng};

let private_key = PrivateKey::random(&mut OsRng, Algorithm::Ed25519)?;

Structs§

Enums§

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private/public keypair.
  • Private key data: digital signature key pairs.