How to fix MikroTik SSH unable to load key file (wrong format or bad passphrase)!

Problem:

You want to import your SSH public key for passwordless login to your MikroTik router using either the terminal or WebFig/WinBox (as described in our previous post How to import SSH key to MikroTik RouterOS for passwordless login).

However, during import you see the following error message in the terminal:

unable to load key file (wrong format or bad passphrase)!

or in WebFig:

Couldn't perform action - unable to load key file (wrong format or bad passphrase)! (6)

Solution

Either you are using an elliptic curve key (which is not supported by RouterOS at the moment) or you are using a file which is not an SSH key.

The file you are uploading should look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6EyAUma+shOkTZ0a6WcipSb552WmQb8hTKvDOMxQ234HXAeuJg3KeJ8WdkbOIdYuNq08xBrpjinaRGSZwDqhAiQMMz6O3yfkGpWZNO26lBQkngspJU1w6HLXR9tRtRaqbXwc1kV0KS6quj4sRaGLHKMciTjx0cVbEQrLxBXIJvRl7a6w/VukE+c9LhcRBZTrYB6Er7vGMM7VtgThzq+reFnql4kicG83NuPHjC/9Z78ehxpSekSrBYTYMuqiC1m8RW/l0mI8TtkUAU/qnTuwMXqVh0oOPGSWe4qvnbjCThRkDIEuK19CyCr5uyvZTV268SftEKaKOB7wcjevZlR11 uli@uli-desktop

The most important aspect is that it needs to start with ssh-rsa, else RouterOS won’t import it - RouterOS supports ed25519 keys since RouterOS 7.7, which is in beta at the time of writing this post.

You can generate a new keypair and save it to id_mikrotik and id_mikrotik.pub using

ssh-keygen -t rsa -b 8192 -f id_mikrotik