Avatar for Leon Mika
Leon Mika
Software engineer in Melbourne, Australia.

SSH Invalid Private Key Format Errors

Reading Time: 2 minutes

Long Form Posts

Oof! I just spun my wheels for a couple of hours trying to get SSH to recognise a private key. I had a CI/CD workflow that needed to log into an remote host via SSH to deploy something. This uses a secret containing a ECDSA private key, encoded as a PEM file, with the section header OPENSSH PRIVATE KEY. Example:

-----BEGIN OPENSSH PRIVATE KEY-----
xxxxx
xxxxx
-----END OPENSSH PRIVATE KEY-----

When I tried using this key though, I was getting various SSH errors. The issue was either that the version of my SSH client was too old or that ~/.ssh/id_ecdsa didn’t end with a newline. I suspect it was both, as I was seeing the following error prior to upgrading the version of SSH:

2026/06/16 21:20:50  .. [exec] ssh dokku@example.com version
Warning: Permanently added 'example.com,1.2.3.4' (ECDSA) to the list of known hosts.
Load key "/root/.ssh/id_ecdsa": invalid format
Permission denied, please try again.
Permission denied, please try again.
dokku@example.com: Permission denied (publickey,password).

This was on a CI/CD runner using the Docker image node:20-bullseye, which is quite a bit older than the machine I generated the key on. Upgrading the docker image to node:24-trixie changed the error to this:

2026/06/16 22:39:57  .. [exec] ssh dokku@example.com version
Warning: Permanently added 'example.com' (ED25519) to the list of known hosts.
Load key "/root/.ssh/id_ecdsa": error in libcrypto
Permission denied, please try again.
Permission denied, please try again.
dokku@example.com: Permission denied (publickey,password).

For a moment I thought the PEM section had to be “RSA private key” but it turns out the section header was right. What wasn’t right was that the trailing newline character was missing. I modified the CI/CD pipeline to add it in and the SSH connection work.

This was one of those cases where there was nothing online which described this particular issue. Doing web searches with the exact error message yielded zero hits in both DuckDuckGo and Google: I had to get ChatGPT to help me out.

So for anyone else who encounters this, if you know that the private key was generated properly, and is a PEM with the section header OPENSSH PRIVATE KEY, try the following:

  • If you see a Load key "/root/.ssh/id_ecdsa": invalid format , or likewise for an RSA key, the version of SSH you’re using might be out of date. Try updating it or upgrading the version of Linux.
  • If you see a Load key "/root/.ssh/id_ecdsa": error in libcrypto, you may have a missing newline (or potentially too many newlines). Strip all leading and trailing whitespace back and add a trailing newline.