Manual Reference Pages - OPENPGP2PEM (1)
- translate OpenPGP keys to SSH keys
openpgp2ssh < mykey.gpg
gpg --export $KEYID | openpgp2ssh $KEYID
gpg --export $KEYID | openpgp2pem $KEYID
gpg --export $KEYID | openpgp2spki $KEYID
gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
takes an OpenPGP-formatted primary key and associated
subkeys on standard input, and spits out the requested equivalent
SSH-style (or PEM-encoded) key on standard output.
If the data on standard input contains no subkeys, you can invoke
without arguments. If the data on standard input contains multiple
keys (e.g. a primary key and associated subkeys), you must specify a
specific OpenPGP key identifier as the first argument to indicate
which key to export. The key ID is normally the 40 hex digit OpenPGP
fingerprint of the key or subkey desired, but
will accept as few as the last 8 digits of the fingerprint as a key
If the input contains an OpenPGP RSA public key, it will be converted
to the OpenSSH-style single-line keystring, prefixed with the key type
(ssh-rsa). This format is suitable (with minor alterations) for
insertion into known_hosts files and authorized_keys files. If
invoked as openpgp2pem, a PEM-encoded public key will be emitted
If invoked as openpgp2spki, a PEM-encoded subjectPublicKeyInfo (as
defined in the X.509 standard) will be emitted instead.
If the input contains an OpenPGP RSA secret key, it will be converted
to the equivalent PEM-encoded private key.
is part of the
framework for providing a PKI for SSH.
The keys produced by this process are stripped of all identifying
information, including certifications, self-signatures, etc. This is
intentional, since ssh attaches no inherent significance to these
will produce output for any requested RSA key. This means, among
other things, that it will happily export revoked keys, unverifiable
keys, expired keys, etc. Make sure you do your own key validation
before using this tool!
gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
This pushes the secret key into the active
Tools such as
which know how to talk to the
can now rely on the key.
and this man page were written by Daniel Kahn Gillmor
only works with RSA keys. DSA keys are the only other key type
available in both OpenPGP and SSH, but they are currently unsupported
by this utility.
only accepts raw OpenPGP packets on standard input. It does not
accept ASCII-armored input.
Currently only exports into formats used by the OpenSSH.
It should support other key output formats, such as those used by
Secret key output is currently not passphrase-protected.
currently cannot handle passphrase-protected secret keys on input.
Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.