Can the server keys be generated using ssh-keygen?

[C-Duv]

I know I can manually generate a server key pair (private and public) using:

/usr/bin/rustdesk-utils genkeypair

or, using Docker:

docker run --rm --entrypoint /usr/bin/rustdesk-utils  rustdesk/rustdesk-server-s6:latest genkeypair

But is it possible to generate one using ssh-keygen, openssl or any other standard Linux tool?

ssh-keygen -t ed25519 -C "rustdeskserver_key" -N "" -m pem -f "rustdeskserver_key_filepath"

This would allow an easier server provisioning/configuration.

[paspo]

rustdesk uses this function to generate an ed25519 keypair.

rustdesk-server/src/utils.rs

Lines 27 to 33 in 4240c47

	fn gen_keypair() {
	let (pk, sk) = sign::gen_keypair();
	let public_key = base64::encode(pk);
	let secret_key = base64::encode(sk);
	println!("Public Key: {public_key}");
	println!("Secret Key: {secret_key}");
	}

I don't know a way for openssl to handle keys generated by ssh-keygen.
What exactly is your goal?
How many times do you expect to deploy rustdesk-server?

If you need some automation, you can always propose a PR to handle the output of rustdesk-utils genkeypair in json, or to separate the secret key generation from the public key (which can be derived from the secret key).

[C-Duv]

My goal is to provision a RustDesk server (using Ansible) and be able to reproduce it number of time if necessary.

The keypair would be generated by an operator (not on the RustDesk server computer), stored in a vault and accessed by Ansible when needed.
But I could easily imagine the future need of rotating key so keypair generation would be done automatically.

That's where a more broadly available standard tool such as ssh-keygen, openssl would come in handy (in place of rustdesk-utils that requires it or Docker to be installed).

I know rustdesk-utils genkeypair produce keys of 88 and 44 characters but any ssh-keygen -t ed25519 is way longer: what I am missing?

[paspo]

First of all, the files used by rustdesk contains only a base64 representation of the keys while the ssh files contains more data, like a description and the format of the key.

For example:

ssh-keygen -l -f ssh_keyfile.pub

The same can be said for openssl, which can encode keys in .DER or .PEM format.

rustdesk-server needs the key data only, simple as that.

[C-Duv]

OK, so something like the following should produce a RustDesk valid ed25519 private key?

openssl genpkey -algorithm ed25519 -out - | grep -v 'PRIVATE KEY-----' | base64 -w0

I still get "Invalid private key length" error when trying to set it on the web console.

[paspo]

the PEM format identifies a way to transfer cryptographic keys by encoding the binary data in base64 and encapsulating this content between a header and a matching footer. The originating binary data is a serialized data structure; the PEM format is totally agnostic in this regard.
The similar DER format contains only the serialized data structure in binary format. In fact, if you base64-decode a PEM file, you obtain a DER file.

The concept I'm somewhat failing to deliver is that the rustdesk secret key file contains only a key while an ssh identity file and an openssl private key contains a data structure composed by the secret key and extra information.

[paspo]

If you don't want to alter the source code of rustdesk-utils to add json output, tou can always grep it:

{ read -r PK ; read -r SK ; } < <(rustdesk-utils genkeypair | sed 's/^.*Key:\ \ //' )

{ read -r PK ; read -r SK ; } < <(docker run --rm --entrypoint /usr/bin/rustdesk-utils  rustdesk/rustdesk-server-s6:latest genkeypair | sed 's/^.*Key:\ \ //' )

echo $SK # returns 0I8dZl7M9N4JJFJBDrWWFTm1vZCCojK2UQu6Noj6A4il64p0P99i2fYsucOB67QpfeKPXMXxdneCHg49sDvr1Q==
echo $PK # returns peuKdD/fYtn2LLnDgeu0KX3ij1zF8XZ3gh4OPbA769U=

[reox]

I wondered about the keys too and how you could create them. I think the important information that is missing here is, that the private key actually contains the public key.
For example:

$ rustdesk-utils genkeypair
Public Key:  Haa33UK321Q8P2JEdfAp7JfEzXMYfL82iUzmLq9hA3c=                                                                  
Secret Key:  cuHdOxnASB0BbrsVYel9KVS6v29OqT6zhINJdTb1kOsdprfdQrfbVDw/YkR18Cnsl8TNcxh8vzaJTOYur2EDdw==

from base64 import b64decode
priv = b64decode("cuHdOxnASB0BbrsVYel9KVS6v29OqT6zhINJdTb1kOsdprfdQrfbVDw/YkR18Cnsl8TNcxh8vzaJTOYur2EDdw==")
pub = b64decode("Haa33UK321Q8P2JEdfAp7JfEzXMYfL82iUzmLq9hA3c=")

priv.endswith(pub)  # gives True

In the format that is used by Sodium, the first 32 byte are the actual private key, while the second 32 byte are just a copy of the public key.

Not sure if you can use openssl for that now, but the information is basically there:

$ openssl genpkey -algorithm ed25519 -text -out -
-----BEGIN PRIVATE KEY-----                                                                                                
MC4CAQAwBQYDK2VwBCIEIPzjVH5z6h5GX3fv0IyxydJTrIcX3gykYomlchFPfT6b
-----END PRIVATE KEY-----                                                                                                                                                                                                                              
ED25519 Private-Key:                            
priv:                                                                                                                                                                                                                                                  
    fc:e3:54:7e:73:ea:1e:46:5f:77:ef:d0:8c:b1:c9:
    d2:53:ac:87:17:de:0c:a4:62:89:a5:72:11:4f:7d:                                                                          
    3e:9b                                        
pub:                                                                                                                       
    d5:c3:01:e5:2f:df:53:09:5a:93:69:db:d3:9c:52: 
    7c:bb:d3:b9:de:c4:18:7f:e5:1e:c9:87:72:0a:50:                                                                                                                                                                                                      
    8e:44                                        

So here is my unpolished PoC code:

#!/bin/bash
KEY=$(openssl genpkey -algorithm ed25519 -text -out -)

PRIV=$(sed -n '/^priv:/,/^pub:/p' <<< "$KEY" | sed '1d;$d' | tr -d ':\n ')
PUB=$(sed -n '/^pub:/,$p' <<< "$KEY" | sed '1d' | tr -d ':\n ')

PRIVATEB64=$(echo $PRIV$PUB | xxd -r -p | base64 -w 0)
PUBLICB64=$(echo $PUB | xxd -r -p | base64 -w 0)

echo "Public Key:  $PUBLICB64"
echo "Secret Key:  $PRIVATEB64"

Demo:

$ gen_keys.sh
Public Key:  QTEN1NKtEB2BYtQhDumMB5mXDgsa9u8TAlBkjHIPdEE=
Secret Key:  QDt1VBcIogzi7ojjZ5nWejpsFvDcOW9ZCv7KiqI9qrNBMQ3U0q0QHYFi1CEO6YwHmZcOCxr27xMCUGSMcg90QQ==
$ rustdesk-utils validatekeypair QTEN1NKtEB2BYtQhDumMB5mXDgsa9u8TAlBkjHIPdEE= QDt1VBcIogzi7ojjZ5nWejpsFvDcOW9ZCv7KiqI9qrNBMQ3U0q0QHYFi1CEO6YwHmZcOCxr27xMCUGSMcg90QQ==
Key pair is VALID