LinuxOpen Source SoftwareTutorialsWindows

How to convert a Putty OPENSSH private key into a RSA private key

Using SSH (and related tools) on Windows has been a pain for decades. Only in the last few years Microsoft changed their opinion and allowed direct SSH connections in Windows PowerShell. Prior to that solution and still relevant today are the PuTTY tools.

Putty itself is a widely used program to, besides other use cases, connect to a remote SSH server. To create (and manage) SSH key authentication, another tool, PuttyGen, was created.

Puttygen: PuTTY Key Generator on Windows
Puttygen: PuTTY Key Generator on Windows

Even though SSH is an operating system independent communication protocol, the way the SSH keys are created differ and are not always compatible cross-system.

Error loading key: invalid format

When you receive or want to use a private key, generated by Puttygen as OPENSSH key, on a Linux machine, the key itself starts with the following line:

ck@linux $ head -n 1 privatekey.ppk

Trying to load this key into ssh-agent will fail:

ck@linux $ ssh-add privatekey.ppk
Error loading key "privatekey.ppk": invalid format

We need to convert this key first into a supported type. A widely used key type is RSA.

Convert OPENSSH PPK into RSA id_rsa

To correctly convert a PuttyGen generated key, we need PuttyGen on our Linux machine. Yes, you read that right. Although the Putty tools are very well known in the Windows world, they can also be installed on Linux. On a Debian-based (such as Ubuntu or Linux Mint) machine:

ck@linux $ sudo apt install putty-tools

We can now use the puttygen command to convert the existing PuttyGen private key from OPENSSH format into a new RSA private key (with a file named id_rsa):

ck@linux $ puttygen privatekey.ppk -o id_rsa -O private-openssh
Enter passphrase to load key: ***********

The private key was encoded (protected) with a passphrase, so this passphrase needs to be entered to convert the private key.

Taking a closer look at the newly created id_rsa file shows it's now a valid RSA PRIVATE KEY:

ck@linux $ head -n 5 id_rsa 
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2AE70D995BD60026


Using the RSA key

As seen above, trying to load the OPENSSH PPK key into ssh-agent (using ssh-add) wouldn't work. But now using the converted RSA key, this finally works:

ck@linux $ ssh-add id_rsa
Enter passphrase for id_rsa: ***********
Identity added: id_rsa (id_rsa)

Of course we can use the private key as identity file directly, without using ssh-agent in the background:

ck@linux $ ssh -i id_rsa -l myuser

This of course also works for other SSH related commands, such as sftp or scp:

ck@linux $ sftp -i id_rsa
Connected to
Claudio Kuenzler
Claudio has been writing way over 1000 articles on his own blog since 2008 already. He is fascinated by technology, especially Open Source Software. As a Senior Systems Engineer he has seen and solved a lot of problems - and writes about them.

You may also like

Leave a reply

Your email address will not be published. Required fields are marked *

More in:Linux