Rebex SFTP

SFTP and SCP client .NET library


Private keys

Loading and saving SSH keys 

When an SFTP/SSH connection is established, the server identity is verified by checking the server's public key. Optionally, the client can even use a public/private key pair to log into the server (public/private key authentication).

In Rebex SFTP, public keys are represented by the SshPublicKey object and private keys by the SshPrivateKey object. SshPrivateKey supports several private key formats: PKCS #8, OpenSSH/OpenSSL and PuTTY .ppk.

In addition to loading and saving, the SshPrivateKey object can generate private/public key pairs.

C#:

// loading a private key (works for all formats)
var privateKey = new SshPrivateKey("my_key.ppk", "key_password");

// saving a private key (in the specified format)
privateKey.Save("my_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh);

// authenticating with a private key
sftp.Login(username, privateKey);

VB.NET:

' loading a private key (works for all formats)
Dim privateKey As New SshPrivateKey("my_key.ppk", "key_password")

' saving a private key (in the specified format)
privateKey.Save("my_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh)

' authenticating with a private key
sftp.Login(username, privateKey)

PKCS #8 keys 

RFC 5208 (PKCS #8) defines a private key format informally known as PKCS #8 key format. It supports several encryption algorithms (3DES is used by default). To save keys using this format, specify SshPrivateKeyFormat.Pkcs8 when calling SshPrivateKey.Save.

Sample of encrypted private key in Base64-encoded PKCS #8 format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

Sample of unencrypted private key in Base64-encoded PKCS #8 format:

-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA0SC5BIYpanOv6wSm
dHVVMRa+6iw/0aJpT9/LKcZ0XYQ43P9Vwn8c46MDvFJ+Uy41FwbxT+QpXBoLlp8D
sJY/dQIDAQABAkAesoL2GwtxSNIF2YTli2OZ9RDJJv2nNAPpaZxU4YCrST1AXGPB
tFm0LjYDDlGJ448syKRpdypAyCR2LidwrVRxAiEA+YU5Zv7bOwODCsmtQtIfBfhu
6SMBGMDijK7OYfTtjQsCIQDWjvly6b6doVMdNjqqTsnA8J1ShjSb8bFXkMels941
fwIhAL4Rr7I3PMRtXmrfSa325U7k+Yd59KHofCpyFiAkNLgVAiB8JdR+wnOSQAOY
loVRgC9LXa6aTp9oUGxeD58F6VK9PwIhAIDhSxkrIatXw+dxelt8DY0bEdDbYzky
r9nicR5wDy2W
-----END PRIVATE KEY-----

PuTTY .ppk keys 

This key format is used by PuTTY SSH client and utilities and by many PuTTY-derived third-party applications such as WinSCP or FileZilla Client. To save keys using this format, specify SshPrivateKeyFormat.Putty (for PPK v2) or SshPrivateKeyFormat.PPK3.

Sample of private key in PPKv2 format:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: ssh-rsa-key-20130321
Public-Lines: 4
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdcXVZbOo81pToHiqMQgeosK80OXd8uxmC
514Mbp3VHL7eUshv9DlZ/Kc6vCpbkPLnkezLzy4QF9wQCiCem3+KFNbvgQ32R1vd
ztguAIqrzzpoFjq2CPlyy7EuwmbI6k0xvcfAeU29MgnPk9/mkFFhW5084+9dwhz1
7BluYdJIEQ==
Private-Lines: 8
FyXPkB7XlUE2y9WP7wGqmSwMo5RUdoqRbJGkHzMrpMlOOw5KA8QaxiOGixcDYuH4
8gTO4d8grFHcbRgZ7aJUycTdQxrPm8cey1EPUqLP9u3aCZYAqIMhUs5hsq7ujsq9
sK+jfTfY5N4ukYP2DumBreRPgKAE4W+gh/j//pnlJGJDEn32SOaRkiLoy1DB3VZ8
Nv8BPEAKV5ILKwef66KkN9FXPmEz3XQljEDcLNmzUTYypBQZqlYKze6V2cbZRZgi
7IYFV6ZGX8PMFnpSzwzoYfWXp9KQk1kmSqZNqBZ8IRt0KSSBAu5arKuZAI/MFQPU
dwXyuZGt+4sP7pkE/1FuaMb8RENEyNcw/9mPKaJEcZuhtSqcwwZrXAULvca6BpdT
hQwLIkovPa19ZA+miqfZvjo6UUnQyEfMe4biCesl11c/PWGf4BcgbVogQ+oXu7Gh
iF1IoAoF/wqj0fiWX152wg==
Private-MAC: bf45cca7382e573717004e328c08a9ac49f3ecf2

OpenSSH/OpenSSL (SSLeay) keys 

The SSLeay key format is used by the OpenSSH and OpenSSL suites for storing encrypted RSA and DSA keys. To save keys using this format, specify SshPrivateKeyFormat.OpenSsh when calling SshPrivateKey.Save.

A sample of a private key in OpenSSH format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,393C44619C5B62FB

...
-----END RSA PRIVATE KEY-----

New OpenSSH keys 

The new OpenSSH format is used by OpenSSH for storing encrypted or unencrypted ECDSA and Ed25519 keys, although it supports other key algorithms as well. To save keys using this format, specify SshPrivateKeyFormat.NewOpenSsh when calling SshPrivateKey.Save.

A sample of a private key in the new OpenSSH format:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAxBix87d
JvVrEotmWsbAZwAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPKKmhHgVw5SM8IH
uo2XalsMHXvDwBxA7vL+TG/CACK9AAAAkNWU8rq/ToxIgS2BXVJNJI8SI8qHehGmUGEmMI
A+w+bpKwhfWj/Z24DHXrtdPpeTbUT7KHODlBu+StJpN1vtW5kNSuMpE9fL+0GEIasIDsEY
9xD1sLtGAy0pMR6yzB3EW2OEZE8NoTCKJ0Xq18km8Uo1KG8naT2DeSEDzuHSP6NQWkJx5k
BmP6jMW98HAsSIQA==
-----END OPENSSH PRIVATE KEY----- 
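
Which of the formats above a key file uses, and whether it is passphrase-protected, can be read from its header lines without knowing the passphrase. The following C# code is an added example, not part of the Rebex library or its documentation; KeyFileAudit and its members are hypothetical names, and the inputs are constructed from the header lines shown on this page.

```csharp
using System;
using System.Buffers.Binary;
using System.Linq;
using System.Text;

// Added example: KeyFileAudit and its members are hypothetical names, not Rebex API.
static class KeyFileAudit
{
    const StringComparison Ord = StringComparison.Ordinal;
    // Classifies key file text by its header lines; Encrypted == false means no passphrase.
    public static (string Format, bool Encrypted) Inspect(string text)
    {
        string[] lines = text.Split('\n').Select(l => l.Trim()).Where(l => l.Length > 0).ToArray();
        string first = lines.FirstOrDefault() ?? "";
        if (first == "-----BEGIN ENCRYPTED PRIVATE KEY-----") return ("PKCS #8", true);
        if (first == "-----BEGIN PRIVATE KEY-----") return ("PKCS #8", false);
        if (first == "-----BEGIN OPENSSH PRIVATE KEY-----") return ("New OpenSSH", OpenSshCipher(lines) != "none");
        if (first.StartsWith("-----BEGIN ", Ord) && first.EndsWith(" PRIVATE KEY-----", Ord))
            return ("OpenSSH/OpenSSL (SSLeay)", lines.Contains("Proc-Type: 4,ENCRYPTED"));
        if (first.StartsWith("PuTTY-User-Key-File-", Ord)) return ("PuTTY .ppk", !lines.Contains("Encryption: none"));
        return ("unknown", false);
    }

    // New OpenSSH body: "openssh-key-v1\0", then the cipher name as uint32 length + ASCII bytes.
    static string OpenSshCipher(string[] lines)
    {
        byte[] body = Convert.FromBase64String(string.Concat(lines.Where(l => !l.StartsWith("-----", Ord))));
        const string magic = "openssh-key-v1\0";
        if (body.Length < magic.Length + 4 || Encoding.ASCII.GetString(body, 0, magic.Length) != magic)
            throw new FormatException("not an openssh-key-v1 body");
        uint len = BinaryPrimitives.ReadUInt32BigEndian(body.AsSpan(magic.Length, 4));
        if (len > body.Length - magic.Length - 4) throw new FormatException("truncated cipher name");
        return Encoding.ASCII.GetString(body, magic.Length + 4, (int)len);
    }

    static void Main()
    {
        // Constructed inputs: header lines as shown on this page, key bodies cut short or omitted.
        string noCipher = Convert.ToBase64String(Encoding.ASCII.GetBytes("openssh-key-v1\0\0\0\0\u0004none"));
        string[] samples =
        {
            "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n",
            "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
            "-----BEGIN PRIVATE KEY-----\n",
            "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0\n",
            "-----BEGIN OPENSSH PRIVATE KEY-----\n" + noCipher + "\n",
        };
        foreach (string s in samples) Console.WriteLine(Inspect(s));
    }
}
```

Run over a directory of key files, the same check lists private keys stored without a passphrase.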

Public keys 

Each SshPrivateKey object contains the corresponding public key as well. It can be saved using the SshPrivateKey.SavePublicKey method in one of the following formats:

  • SshPublicKeyFormat.Ssh2Raw - raw (binary) SSH2 public key format.
  • SshPublicKeyFormat.Ssh2Base64 - base64-encoded SSH2 public key format.

A sample of a public key in SSH2 base64-encoded format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "Saved by Rebex SSH"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOL8eACGWoXm6kSDWiN5mfasdXyaNzMSzi
OZUbybHSPhMMrqYvtaCn2wI5GQUE6XIV4wwRPbV6OtyGcXyU/gJ6I62ugWU2s6yW
2UsiolDkKHnildC98Hli94xfSVQgavVy4/ECCdHJIn4+qTjLkkMzkvr67BjpVwbU
TjjQHipRkQ==
---- END SSH2 PUBLIC KEY ----

SSH key generation 

Private/public key pairs (to be used for public key authentication) can be generated easily using the SshPrivateKey class:

C#:

// generate a 1024-bit RSA key pair
var privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024);

// save the private key in Base64-encoded PKCS #8 format
privateKey.Save(@"C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8);

// save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
privateKey.SavePublicKey(@"C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64);

VB.NET:

' generate a 1024-bit RSA key pair
Dim privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024)

' save the private key in Base64-encoded PKCS #8 format
privateKey.Save("C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8)

' save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
privateKey.SavePublicKey("C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64)

To use the generated private key to authenticate the client to a server, you have to associate the corresponding public key with the user account at the server. For OpenSSH servers, add the Base64-encoded public key as a single line of text to your account's ~/.ssh/authorized_keys file. For other servers, consult the server manual or ask its administrator.

Getting a public key in a format suitable for OpenSSH server:

C#:

// print the public key in OpenSSH format
byte[] rawPublicKey = privateKey.GetPublicKey();

// the entry starts with the key type ("ssh-rsa" for the RSA key generated above);
// modify "username@hostname" to match your server login and server's hostname
Console.WriteLine("ssh-rsa {0} username@hostname", Convert.ToBase64String(rawPublicKey));

VB.NET:

' print the public key in OpenSSH format
Dim rawPublicKey() = privateKey.GetPublicKey()

' the entry starts with the key type ("ssh-rsa" for the RSA key generated above);
' modify "username@hostname" to match your server login and server's hostname
Console.WriteLine("ssh-rsa {0} username@hostname", Convert.ToBase64String(rawPublicKey))

Sample public key suitable for OpenSSH server:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCZ2qq/5TqXsRJscZrBVh+XkaYU22hl17K9nv0uqE/7VNh+dcHVjY7L/NrQMpA6jHpd5rQS/wIRqL7p+sJUyvpwz2nLiQB9emwa0zhWDXOJiM9pETcu8wqDeNrB5b7upEP4VvG/TZtP1qKtvsWfGukv/apYq61T0xS4m5sbgBsFaw== username@hostname

This is the line to be added to ~/.ssh/authorized_keys file.
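
An OpenSSH authorized_keys entry consists of the key type, the Base64-encoded key blob and an optional comment, and the key type is also stored as the first field of the blob. The following C# code is an added example, not Rebex code (AuthorizedKeysLine and its members are hypothetical names): it reads the type from the blob instead of hard-coding it, and reports the SHA-256 fingerprint and RSA modulus size so the installed entry can be verified on the server and keys under 2048 bits flagged.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;
// Added example: AuthorizedKeysLine and its members are hypothetical names, not Rebex API.
static class AuthorizedKeysLine
{
    // Reads one SSH wire-format field: uint32 big-endian length, then that many bytes.
    static ReadOnlySpan<byte> ReadField(ReadOnlySpan<byte> blob, ref int pos)
    {
        if (blob.Length - pos < 4) throw new FormatException("truncated length");
        uint len = BinaryPrimitives.ReadUInt32BigEndian(blob.Slice(pos, 4));
        if (len > blob.Length - pos - 4) throw new FormatException("truncated field");
        ReadOnlySpan<byte> field = blob.Slice(pos + 4, (int)len);
        pos += 4 + (int)len;
        return field;
    }

    // Returns "<algorithm> <base64 blob> <comment>"; rsaBits is 0 for non-RSA keys.
    public static string Build(byte[] blob, string comment, out int rsaBits, out string fingerprint)
    {
        int pos = 0;
        string algorithm = Encoding.ASCII.GetString(ReadField(blob, ref pos));
        rsaBits = 0;
        if (algorithm == "ssh-rsa")
        {
            ReadField(blob, ref pos);                         // public exponent e
            ReadOnlySpan<byte> n = ReadField(blob, ref pos);  // modulus n, may carry leading zero bytes
            int i = 0;
            while (i < n.Length && n[i] == 0) i++;
            rsaBits = (n.Length - i) * 8;
            for (int mask = 0x80; i < n.Length && (n[i] & mask) == 0; mask >>= 1) rsaBits--;
        }
        // Same form as `ssh-keygen -lf` prints: SHA-256 of the blob, Base64 without padding.
        fingerprint = "SHA256:" + Convert.ToBase64String(SHA256.HashData(blob)).TrimEnd('=');
        return $"{algorithm} {Convert.ToBase64String(blob)} {comment}";
    }

    static void Main()
    {
        // Sample blob copied from this page; with Rebex it would come from privateKey.GetPublicKey().
        byte[] blob = Convert.FromBase64String(
            "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCZ2qq/5TqXsRJscZrBVh+XkaYU22hl17K9nv0u" +
            "qE/7VNh+dcHVjY7L/NrQMpA6jHpd5rQS/wIRqL7p+sJUyvpwz2nLiQB9emwa0zhWDXOJ" +
            "iM9pETcu8wqDeNrB5b7upEP4VvG/TZtP1qKtvsWfGukv/apYq61T0xS4m5sbgBsFaw==");
        string line = Build(blob, "username@hostname", out int bits, out string fp);
        Console.WriteLine(line);
        Console.WriteLine($"{fp}  RSA bits: {bits}" + (bits is > 0 and < 2048 ? "  (below 2048)" : ""));
    }
}
```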

Conversion between formats 

The SshPrivateKey object can be used to convert one private key format to another:

C#:

// load a private key in any format (PKCS #8 or OpenSSH, for example)
var privateKey = new SshPrivateKey(@"C:\MyData\key_pkcs8.pem", "key_password");

// save the private key in PuTTY .ppk format
privateKey.Save(@"C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty);

VB.NET:

' load a private key in any format (PKCS #8 or OpenSSH, for example)
Dim privateKey = New SshPrivateKey("C:\MyData\key_pkcs8.pem", "key_password")

' save the private key in PuTTY .ppk format
privateKey.Save("C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty)

Certificate-based private keys 

In addition to public key authentication, some SFTP servers (such as Rebex Buru SFTP Server, VanDyke VShell Server, Tectia SSH Server) support X.509 certificate authentication as well. See X.509 certificate authentication for more information.

AsymmetricAlgorithm-based private keys 

If you can only access your private key using .NET's RSACryptoServiceProvider, RSACng, DSACryptoServiceProvider or ECDsa objects, you can pass these to the SshPrivateKey constructor to make them usable for user authentication:

C#:

// create and initialize a .NET CSP object
// ('parameters' is an RSAParameters value holding the key)
var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(parameters);

// create a private key from the CSP object
var privateKey = new SshPrivateKey(rsa);

VB.NET:

' create and initialize a .NET CSP object
' ('parameters' is an RSAParameters value holding the key)
Dim rsa As New RSACryptoServiceProvider()
rsa.ImportParameters(parameters)

' create a private key from the CSP object
Dim privateKey As New SshPrivateKey(rsa)

This technique is useful for accessing and utilizing non-exportable private keys stored in Windows private key stores or on smart cards.

Using keys on smart cards 

Keys on smart cards are usually accessible using .NET's RSACryptoServiceProvider, RSACng, DSACryptoServiceProvider or ECDsa objects. To utilize them for SSH authentication, use the approach described in the previous section.

If the smart card is secured by a PIN, it might be possible to set the PIN programmatically to suppress the dialog window.
