SSH key generation supported features
The following table shows support in Venafi SSH Protect for the various key algorithms.
You can use the search box to filter the table contents.
| Algorithm | Key size/curve for discovery |
Key size/curve for key generation |
Format for on-board discovery |
Format for provisioning |
Supported Features | ||
|---|---|---|---|---|---|---|---|
| On-board discovery | Network discovery | KeyGen and Provisioning |
|||||
| RSA | Any size | 1024, 2048, 4096 | OpenSSH Native, PEM (PKCS#1), PuTTY, Tectia | PEM (PKCS#1), PuTTY, Tectia |
|
|
|
| ECDSA | P256, P384, P521 | P256, P384, P521 | OpenSSH Native, PEM (SEC 1), PuTTY, Tectia | PEM (SEC 1), PuTTY |
|
|
|
| EdDSA | Ed25519 | Ed25519 | PuTTY, OpenSSH Native | PuTTY, OpenSSH Native |
|
|
|
| DSA | Any size | not applicable | OpenSSH Native, PuTTY, Tectia | not applicable |
|
|
|
Important Notes
-
About PuTTY private keys version 3, or PPK3: this format uses Argon2 as the hash algorithm for the password. In addition, the hash for the MAC has been changed from SHA-1 to SHA-256.
-
When SSH Protect generates new keys, they are provisioned in PEM format.
-
Missing or broken SSH keys are restored by SSH Protect in PEM format.
-
The chart above is intended to show you what SSH Protect supports as of this release, and assumes your Server Agents are upgraded to the current release as well.
-
The server agent must be upgraded to version 20.4 or later to recognize OpenSSH keys of any algorithm. That means if your Venafi Platform server is on 25.1, but an agent is still running 20.3, that agent won't be able to discover keys in OpenSSH format.
Related Topics