Paramiko RSAKey "private key file is encrypted"

I'm trying to use Paramiko to connect to an SFTP site.

"paramiko": {
            "hashes": [
            "index": "pypi",
            "version": "==3.0.0"

I have a .pem file in the form

data for the key

Worth mentioning that the key is encrypted with a passphrase.

I attempt to load the key file, providing the password and that works fine

# Works great :)
mykey = paramiko.RSAKey.from_private_key_file(key_file_path, password=password)

# this explodes
self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, port=22)
self.ftp = self.ssh_client.open_sftp()

paramiko.ssh_exception.PasswordRequiredException: private key file is encrypted

If I change the connect to

self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, port=22, passphrase=password)

paramiko.ssh_exception.SSHException: OpenSSH private key file checkints do not match

And if I try to use key_filename instead of pkey

self.ssh_client.connect(hostname=settings.ftp_host, username=username, key_filename=key_file_path, port=22, passphrase=password)

ValueError: q must be exactly 160, 224, or 256 bits long

I am able to successfully connect to the SFTP with this key using FileZilla I'm just not sure what I'm doing wrong in Paramiko.


  • Figured this out today.

    I setup Paramiko's logging and saw that it was defaulting to try to use 'rsa-sha2-512'

    2023-02-16 10:01:46 - DEBUG - - paramiko.transport -                 _log() - Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
    2023-02-16 10:01:46 - DEBUG - - paramiko.transport -                 _log() - Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')

    Disabling 'rsa-sha2-512' and 'rsa-sha2-256' so Paramiko was forced to use 'ssh-rsa' fixes the issue.

    self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]))