@OrionCodeDev OrionCodeDev commented Aug 22, 2025

Summary
Extends the server SSH key models and request mapping to persist original encrypted PEM and optional passphrase fields, enabling clients to preserve exact imports and decrypt on-demand for agent use.

Linked PRs needed for these changes to work:

Linked Issue

Changes

  • Core model
    • src/Core/Vault/Models/Data/CipherSSHKeyData.cs
      • Added OriginalPrivateKey, IsEncrypted, SshKeyPassphrase.
  • API model
    • src/Api/Vault/Models/CipherSSHKeyModel.cs
      • Added [EncryptedString] OriginalPrivateKey, IsEncrypted, SshKeyPassphrase.
      • Constructor maps from CipherSSHKeyData.
  • Request mapping
    • src/Api/Vault/Models/Request/CipherRequestModel.cs
      • ToCipherSSHKeyData() now assigns:
        • OriginalPrivateKey, IsEncrypted, SshKeyPassphrase from request model when provided.

Backwards Compatibility

  • Optional fields; no service-level breaking change.
  • Existing clients not sending these fields remain supported.

Security Considerations

  • All new fields are encrypted strings at rest, consistent with existing cipher data protections.

Testing

  • API: Create/Update SSH key cipher including OriginalPrivateKey and SshKeyPassphrase; verify round-trip persistence.
  • Ensure existing create/update flows still pass with minimal payloads (backward compatibility).

Release Notes

  • Add server support for preserving encrypted SSH private key PEM and optional passphrase on SSH key items.

General Notes

Why this fixes the bug

  • Clients now retain the original encrypted PEM that was imported. Copy/export from the item reproduces the exact input (including encryption header), avoiding mismatches with SSH tooling.
  • The agent decrypts in memory for use; the vault never stores plaintext.

Rollout

  • Order: server → sdk-internal → clients.
  • Mixed-version environments remain functional; new fields are optional.

Follow-ups (optional)

  • Prompt passphrase on agent use when it isn’t stored, then decrypt transiently and proceed (without saving).
  • Consider deriving IsEncrypted on the server from OriginalPrivateKey header, if desired, and removing reliance on client-provided IsEncrypted entirely.
  • Expand automated tests for PKCS#8 encrypted flow; add end-to-end agent test.
