How to name openssh public and private key pairs?

Solution 1:

First off, there really is no official convention for naming keys. The filenames don't matter. They are only important to you, who has to manage them. The software is only concerned with the content of the files.

That being said, OpenSSH key files are just text files, so you could name them with a .txt extension.

I typically just stick with the convention that the ssh-keygen tool uses, which is id_{key_algorithm} (i.e. id_rsa or id_dsa) for the private key and then the private key name + .pub for the public key (id_rsa.pub or id_dsa.pub). If I need to keep multiple keys I will add an additional identifier to the end of the name, so I would get names like id_rsa_myhost and id_rsa_myhost.pub.

Solution 2:

So I thought about some naming concepts and ended up with this. I know there is no convention except for .ppk (PuTTY Private Key) in PuTTY - so this is not a "You have to do it like this", it's rather an idea of what a naming concept could look like. So I thought to share it with you anyway - maybe it helps someone at least to build his own concept.

What I want / don't want

  • I want to use OpenSSH and PuTTY keypairs
  • I want the keys to be immediately identifiable and not able to get mixed up - therefore I want to identify
    • the algorithm
    • if it's a private or a public key
    • if it's OpenSSH or PuTTY format
  • I want the name to be Windows and Unix "compatible/compliant" (e.g. I don't want spaces in Linux - even if it's no official policy)
  • I don't want to change all keys on all servers if whatever (maybe some sort of security issue) happens, so I may
    • not want to use the same keypair for several servers
    • want to use a keypair for only one purpose (purpose could be a user, a service or a task for example)

The name therefore should contain the following information:

  • Purpose information, if any (username or taskname for example)
  • The servername, if it's a server specific key
  • The algorithm
  • Is it a private or public key?
  • Is it OpenSSH or PuTTY format?

A possible name scheme

As heavyd mentioned, I think it's really a good idea to stick to the syntax of the ssh-keygen tool. So I use this (except for the .pub for public keys, because this file extension is used by Microsoft Publisher and could be interpreted wrongly on Windows systems - there is also a dedicated icon for MS Publisher) and combine it with the convention of PuTTY (.ppk) and the conditions above. Therefore a possible name scheme could be:

id_<key_algorithm>_<servername>_<purpose>.<format_information>

With the following rules:

  • If it's not for a specific server, remove <servername>
  • If it's not for a specific purpose, remove <purpose>
  • At least one of the two pieces of information (<purpose> or <servername>) has to be contained in the name

The format information (OpenSSH/PuTTY and private/public)

PuTTY uses .ppk for private keys and the ssh-keygen tool comes with .pub for public keys, which I don't want to use because of MS Publisher. Therefore I stick to PuTTY's .ppk, differ just a little bit from ssh-keygen's .pub and use both "conventions" as a basis to build the others close to these names. So this information is added as a "file extension":

Name of OpenSSH private key:  .pk        an alternative could be .opk or   .ospk
Name of OpenSSH public key:   .pubk      an alternative could be .opubk or .ospubk
Name of PuTTY private key:    .ppk
Name of PuTTY public key:     .ppubk

Some examples:

id_rsa_foo_bar.ppk
id_dsa_foo.pk

id_rsa_server01_rsync.pk
id_rsa_server01_rsync.pubk
id_rsa_server01_rsync.ppk
id_rsa_server01_rsync.ppubk
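The scheme above is only useful if every file in a key directory actually follows it, so here is an added example (not part of the answer) that builds names from their components, parses existing names, and reports private keys whose public half is missing (or the reverse). The algorithm list, the hyphen-only token rule and the treatment of a single qualifier are my assumptions: because the scheme drops whichever of <servername> and <purpose> is absent, a name with one middle token cannot tell the two apart, so the parser returns the qualifiers as a tuple rather than guessing. The sample directory listing is constructed from the answer's examples.

```python
"""Build, parse and cross-check key filenames of the form
id_<algorithm>_<servername>_<purpose>.<format>, as proposed above.
Assumptions (mine, not the answer's): fixed algorithm set, hyphen-only
qualifier tokens, and the alternative extensions listed in the answer.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# extension -> (format, is_private); primary and alternative spellings
EXTENSIONS = {
    "pk": ("openssh", True), "opk": ("openssh", True), "ospk": ("openssh", True),
    "pubk": ("openssh", False), "opubk": ("openssh", False), "ospubk": ("openssh", False),
    "ppk": ("putty", True),
    "ppubk": ("putty", False),
}
PRIMARY_EXT = {("openssh", True): "pk", ("openssh", False): "pubk",
               ("putty", True): "ppk", ("putty", False): "ppubk"}

# Fixed so that the token after "id_" is always the algorithm (assumption).
ALGORITHMS = {"rsa", "dsa", "ecdsa", "ed25519"}

# Underscore is the field separator, so qualifiers use '-' instead; no
# spaces or uppercase keeps names portable between Windows and Unix.
TOKEN = re.compile(r"^[a-z0-9-]+$")


class KeyName(NamedTuple):
    algorithm: str
    qualifiers: Tuple[str, ...]   # (server, purpose) when both present
    fmt: str                      # "openssh" or "putty"
    private: bool


def build_key_name(algorithm: str, fmt: str, private: bool,
                   server: Optional[str] = None,
                   purpose: Optional[str] = None) -> str:
    """Assemble a filename, enforcing the answer's rules."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    if not (server or purpose):
        raise ValueError("at least one of server or purpose is required")
    qualifiers = [t for t in (server, purpose) if t]
    for tok in qualifiers:
        if not TOKEN.match(tok):
            raise ValueError(f"qualifier {tok!r} must match [a-z0-9-]+")
    return "_".join(["id", algorithm] + qualifiers) + "." + PRIMARY_EXT[(fmt, private)]


def parse_key_name(name: str) -> KeyName:
    """Split a filename into its components, rejecting anything off-scheme."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ext not in EXTENSIONS:
        raise ValueError(f"{name}: unknown extension {ext!r}")
    fmt, private = EXTENSIONS[ext]
    parts = stem.split("_")
    if len(parts) < 3 or parts[0] != "id" or parts[1] not in ALGORITHMS:
        raise ValueError(f"{name}: expected id_<algorithm>_<server>_<purpose>")
    qualifiers = tuple(parts[2:])
    if len(qualifiers) > 2 or not all(TOKEN.match(t) for t in qualifiers):
        raise ValueError(f"{name}: bad qualifiers {qualifiers}")
    return KeyName(parts[1], qualifiers, fmt, private)


def find_unpaired(names: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Map (stem, format) -> missing half ('public' or 'private') for every
    key in a listing whose counterpart file is absent."""
    sides: Dict[Tuple[str, str], set] = {}
    for name in names:
        key = parse_key_name(name)
        sides.setdefault((name.rpartition(".")[0], key.fmt), set()).add(key.private)
    return {k: ("public" if s == {True} else "private")
            for k, s in sorted(sides.items()) if len(s) == 1}


# Constructed listing based on the answer's examples.
SAMPLE_LISTING = [
    "id_rsa_server01_rsync.pk", "id_rsa_server01_rsync.pubk",
    "id_rsa_server01_rsync.ppk", "id_rsa_server01_rsync.ppubk",
    "id_dsa_foo.pk", "id_rsa_foo_bar.ppk",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_key_name(name))
    for (stem, fmt), missing in find_unpaired(SAMPLE_LISTING).items():
        print(f"{stem} ({fmt}): {missing} key missing")
```

Running it over the sample listing flags id_dsa_foo and id_rsa_foo_bar as lacking their public halves; pointing SAMPLE_LISTING at `os.listdir("~/.ssh")` output turns it into a quick inventory check.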