Export Private Keys #968

Open
CMDRZOD opened this issue Jun 29, 2021 · 18 comments

@CMDRZOD

CMDRZOD commented Jun 29, 2021

Is your feature request related to a problem? Please describe.

I'm always frustrated when..... SWITCHING PHONES. In the end I resort to removing password protection, copying private key, sending it through my email, copying on a pc to a txt file, then copying back to new phone. This is insecure and time consuming, and FRUSTRATING.

Describe the solution you'd like

Solution: Ability to back up private keys to a .zip or similar type of file that Android recognizes so I don't have to battle to get access to my servers again.

Describe alternatives you've considered

A QR code to be read by new phone would also be nice.

Additional context

It's 2021 time to make a way to backup SSH keys so it is easy to switch phones. Use the phone authentication and even 2FA with Authenticator I don't care I'm just tired of doing this every 6 months.

@mgkuhn

mgkuhn commented Sep 5, 2021

Under Settings / Backup pubkeys it says “Keep back-ups of the private keys using Android’s backup mechanism”. The heading of that switch may seem wrong (it should perhaps say “Backup privkeys”), but does this existing feature not solve your use case much more easily?

@mgkuhn

mgkuhn commented Sep 5, 2021

You can already go to Manage Pubkeys / long-press your key / Copy private key and then paste that into e.g. an email or messaging or editor app of your choice to export your private key.

@RomneyYW

You can't copy the private key if the key has a password (and surely all keys should have a password?), the menu option in Manage Public Keys is greyed out.

I'm a bit wary of using the Android backup mechanism - where are the keys backed up (locally on my device, or on a cloud server?) and how do you restore the backup to a fresh installation on a new device....? Or perhaps use the same key with other apps on the same device.

@VA1DER

VA1DER commented May 13, 2022

> Copy private key and then paste that

Copy private key doesn't work. ConnectBot can't import an ed25519 key that has been copied and saved. The copied key looks far too small. Only 126 bytes. Should be ~400.

It looks like the pub key wrapped in priv key encoding.

@sppmasterspp

sppmasterspp commented Dec 23, 2022

> > Copy private key and then paste that
>
> Copy private key doesn't work. ConnectBot can't import an ed25519 key that has been copied and saved. The copied key looks far too small. Only 126 bytes. Should be ~400.
>
> It looks like the pub key wrapped in priv key encoding.

Doesn't work for me either. Isn't it time for this to be fixed? What is the point of not being able to save a private password-protected key? It is very inconvenient to generate a new key when someone happens to change their smartphone.
Additionally, it seems that ConnectBot doesn't recognize private keys generated by PuTTY Key Generator, which is another nonsense. This way I cannot ssh to my OpenWrt devices that use keys generated by PuTTY.

@swiffer

swiffer commented Jan 25, 2023

> > Copy private key and then paste that
>
> Copy private key doesn't work. ConnectBot can't import an ed25519 key that has been copied and saved. The copied key looks far too small. Only 126 bytes. Should be ~400.
>
> It looks like the pub key wrapped in priv key encoding.

seems to be an issue for quite some time #723 / #686

@Roan-V

Roan-V commented Apr 30, 2023

So as far as I'm understanding, the "copy private key" button is supposed to be greyed out, even after unlocking the key?

I'd like to copy the private key so that I can use it in a separate sftp app on the same device.

@VA1DER

VA1DER commented Apr 30, 2023

> "copy private key" button is supposed to be greyed out, even after unlocking the key?

No. It's supposed to put the private key in the clipboard. Instead it puts the public key in the clipboard and wraps it so that it looks like a private key. It's a very long-standing bug, and nothing we do seems to get the attention of the developers.

It has also been reported here: #723

@Roan-V

Roan-V commented Apr 30, 2023

In my case I can't even manage to copy it, the button stays grayed out even after unlocking the key

@pierotofy

You can long-press and select "Change Password" and set the password to blank, then you can export the private key.

@VA1DER

VA1DER commented May 3, 2023

> export the private key

There is no export private key option. There is only "copy private key". And this function, at least for ed25519 keys (I don't use other types), doesn't work. The key you get is not an actual private key.

@RomneyYW

RomneyYW commented May 3, 2023 via email

@starbuck3000

I think it's actually the intended mechanism. The app is somehow behaving like a low-cost enclave and is doing what it can to prevent accidental export or misuse of the key export mechanism. Private keys are never supposed to leave the system they originate from, and even more, moving them across platforms reflects very bad design.

There are four use cases we can imagine why users try to export the keys:

  1. They are lazy: they should create a new keypair on the new device.
  2. They are ignorant: they are trying to export the private key instead of the public key (e.g., the typical "I need to copy the key in my authorized_keys openssh file").
  3. The service has some strict limitation that prevents the renewal or rotation of a key.
  4. The user wants to back up the key in case the device needs to be reinstalled.

Let's address each scenario in the original order:

  1. Lazy user: please generate a new keypair on your new device and stop trying to bypass a fundamental requirement to not move a private key across your systems.
  2. Ignorant user: it seems you are trying to export the private key. You should never need to export a private key unless you are building a disaster recovery mechanism (if that's the case, go to 4). In the case you are setting up a connection to a service, then you should be looking to export your public key, not your private key. This happens to all of us, don't worry. The app is protecting you from doing this error.
  3. User of a non-standard/limited/restricted service: You are not the intended audience for Connectbot.
  4. Disaster recovery planner: you can enable the Android backup mechanism in the options. This will ensure you recover your keys when restoring your device data.

@Roan-V

Roan-V commented Dec 4, 2023

My personal use case is setting up another connection on the same device (currently using JuiceSSH to do this instead),
specifically to mount a fileshare:

  1. Setup SSH connection with SSH app
  2. Export private key (does NOT leave the device!)
  3. Import private key into file explorer (in my case fx file explorer)
  4. Setup SSH fileshare in the file explorer

@VA1DER

VA1DER commented Dec 4, 2023

> I think it's actually the intended mechanism.

The idea that when you long-tap a key in ConnectBot and select the "Copy private key" item from the context menu that appears that it is intended behaviour that it then gives you the wrong data is ludicrous on its face.

> There are four...

There are innumerable use cases for access to private keys, use cases that are in very wide use in the wild, any number of them perfectly valid.

> Let's address each scenario in the original order:
> ---- 8< <snip> ---- specious "reasoning" omitted ---- </snip> >8 ----

Let's not. How about you simply name another secure shell implementation anywhere that denies the user access to their own private keys.

> My personal use case is

@Roan-V you don't need to justify your use case. This issue is simply a very long-standing bug in ConnectBot. My suggestion is simply to use something else other than ConnectBot to generate your key pair. ConnectBot can properly import a private key from elsewhere. It just cannot currently export one that it creates. I generate my keys with OpenSSH and then sneaker-net them onto my device with an OTG USB stick. You can reuse the same key for other apps on the device as you see fit and as your security model allows.

@LeSpocky

LeSpocky commented Dec 5, 2023

> 4. Disaster recovery planner: you can enable the Android backup mechanism in the options. This will ensure you recover your keys when restoring your device data.

Combined with an encrypted backup (e.g. seedvault in lineageos) this is actually the most useful information in this ticket. Thanks.

@CyberPuffer

CyberPuffer commented Dec 27, 2023

After some digging, I solved the problem. ConnectBot actually does export the private key, but in the original ASN.1 format. OpenSSH only recognizes RSA keys in this format, not the newer ed25519 ones. For ed25519 keys, OpenSSH only recognizes private keys in its own format. So you have to convert the format yourself.

The top answer from the StackExchange offered a way to do the conversion:

https://security.stackexchange.com/questions/267711

First save the copied private key in a PEM file:

```
$ cat ed25519.pem
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEID+U9VakauO4Fsv4b/znpDHcdYg74U68siZjnWLPn7Q1
-----END PRIVATE KEY-----
```

Then use the sshpk tool from npm:

```
$ npm install -g sshpk
$ sshpk-conv ed25519.pem -t ssh -p
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDQiCIk4t4YPC6bOSb7CLzac/vC+ZudqhYqY00cxqr8zAAAAJAyR1o6Mkda
OgAAAAtzc2gtZWQyNTUxOQAAACDQiCIk4t4YPC6bOSb7CLzac/vC+ZudqhYqY00cxqr8zA
AAAEA/lPVWpGrjuBbL+G/856Qx3HWIO+FOvLImY51iz5+0NdCIIiTi3hg8Lps5JvsIvNpz
+8L5m52qFipjTRzGqvzMAAAAC2VkMjU1MTkucGVtAQI=
-----END OPENSSH PRIVATE KEY-----
```

And now you have your private key back.
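The same conversion as an added, dependency-free example (not ConnectBot's or sshpk's code): it walks the PKCS#8 DER that ConnectBot copies, pulls out the 32-byte Ed25519 seed, rederives the public half with a minimal RFC 8032 scalar multiplication (the PKCS#8 form carries only the seed, while the OpenSSH container stores seed||pubkey and a separate public blob), and wraps everything in the unencrypted openssh-key-v1 layout. The function names are mine; the key embedded below is the throwaway key posted in the comment above. The `checkint` argument and the 70-column base64 wrapping exist only so the output can be compared byte for byte with the sshpk result shown above; in normal use the check value is random. Parsing also discards stray NUL bytes, the corruption another commenter reports further down after transferring a key.

```python
import base64
import hashlib
import secrets
import struct

# --- Ed25519 public-key derivation (RFC 8032), just enough to rebuild the public half ---
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
assert (-BX * BX + BY * BY - 1 - D * BX * BX * BY * BY) % P == 0, "base point is off the curve"

def _add(p1, p2):
    """Affine twisted-Edwards addition (a = -1); the law is complete, so doubling uses it too."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P)
    return x3 % P, y3 % P

def _scalarmult(point, k):
    result = (0, 1)  # neutral element
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def ed25519_public_key(seed):
    """32-byte seed -> encoded public point A = clamp(SHA-512(seed)[:32]) * B."""
    a = bytearray(hashlib.sha512(seed).digest()[:32])
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    x, y = _scalarmult((BX, BY), int.from_bytes(a, "little"))
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

# --- PKCS#8 PrivateKeyInfo: the "-----BEGIN PRIVATE KEY-----" block ConnectBot copies ---
def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs8_ed25519_seed(pem):
    """Extract the 32-byte seed; stray NUL bytes (seen after some key transfers) are dropped first."""
    body = "".join(line.strip() for line in pem.replace("\x00", "").splitlines()
                   if line.strip() and not line.startswith("-----"))
    tag, pki, _ = _der_tlv(base64.b64decode(body), 0)   # PrivateKeyInfo SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, version, pos = _der_tlv(pki, 0)                # INTEGER version
    assert tag == 0x02 and version == b"\x00", "unsupported PKCS#8 version"
    tag, alg, pos = _der_tlv(pki, pos)                  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _der_tlv(alg, 0)
    assert tag == 0x30 and oid_tag == 0x06 and oid == b"\x2b\x65\x70", "not id-Ed25519"
    tag, priv, _ = _der_tlv(pki, pos)                   # OCTET STRING { CurvePrivateKey }
    inner, seed, _ = _der_tlv(priv, 0)
    assert tag == 0x04 and inner == 0x04 and len(seed) == 32, "Ed25519 seed must be 32 bytes"
    return seed

# --- OpenSSH container: openssh-key-v1 with cipher and kdf "none" (unencrypted) ---
def _s(b):
    return struct.pack(">I", len(b)) + b

def to_openssh_private_key(seed, comment=b"", checkint=None):
    """checkint is random in real use; it is a parameter only so a known-answer test can match a fixed file."""
    pk = ed25519_public_key(seed)
    if checkint is None:
        checkint = secrets.randbits(32)
    pub_blob = _s(b"ssh-ed25519") + _s(pk)
    priv = struct.pack(">II", checkint, checkint)
    priv += _s(b"ssh-ed25519") + _s(pk) + _s(seed + pk) + _s(comment)
    pad = (8 - len(priv) % 8) % 8                       # cipher "none" pads to 8-byte blocks
    priv += bytes(range(1, pad + 1))
    blob = (b"openssh-key-v1\x00" + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(pub_blob) + _s(priv))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def openssh_public_key_line(seed, comment=""):
    """Matching authorized_keys line, to compare against what the server already trusts."""
    pub_blob = _s(b"ssh-ed25519") + _s(ed25519_public_key(seed))
    return f"ssh-ed25519 {base64.b64encode(pub_blob).decode()} {comment}".rstrip()

# The throwaway key posted in the comment above; it is already public in this thread.
PKCS8_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEID+U9VakauO4Fsv4b/znpDHcdYg74U68siZjnWLPn7Q1
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    seed = pkcs8_ed25519_seed(PKCS8_PEM)
    print(to_openssh_private_key(seed, b"ed25519.pem"), end="")
    print(openssh_public_key_line(seed, "ed25519.pem"))
```

Write the printed private key to a file with mode 0600 and run `ssh-keygen -y -f <file>`: the public line it prints should equal the `openssh_public_key_line` output and the entry already in the server's authorized_keys, which confirms the conversion before you rely on it. The output is unencrypted, so add a passphrase with `ssh-keygen -p -f <file>` afterwards.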

@woodenshoe-wi

I ran into problems trying to import an RSA key that I had generated in ConnectBot on another device, and it turned out that somehow I had NULL bytes in between -----BEGIN PRIVATE KEY----- and the key data.

It might have had something to do with how I was transferring the key data, but it would be nice if ConnectBot could save the key as a file and "share" it with whatever app you want to use to transfer files. I don't know if there are license issues with using Quick Share, but it would be nice if possible.

Also, it would be nice to be able to rename the imported keys in ConnectBot. Depending on where the file was I either get "primary:<path and filename>" or "msf:<ten digit number>".
