use named links for each ident

2025-09-01 13:47:05 -04:00 · 2025-09-01 13:47:05 -04:00 · 1de61a888d
commit 1de61a888d
parent 4b1cfd0c50
15 changed files with 154 additions and 123 deletions
--- a/_ref/KEY_GUIDE.adoc
+++ b/_ref/KEY_GUIDE.adoc
@ -21,17 +21,22 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="why"]
 == Purpose
 This document attempts to present a much more detailed, thorough, and easily-understood form of the key formats used by OpenSSH. The extent of those formats' canonical documentation is https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[the OpenSSH source tree's `PROTOCOL.key`^], which is a little lacking.

+[id="intro"]
 == Basic Introduction
-=== Legacy
-==== Private Keys

+[id="intro_legc"]
+=== Legacy
+
+[id="intro_legc_priv"]
+==== Private Keys
 In OpenSSH pre-7.8, private keys are stored in their respective PEM encodingfootnote:[https://datatracker.ietf.org/doc/html/rfc7468] with no modification. These legacy private keys should be entirely usable by OpenSSL/LibreSSL/GnuTLS etc. natively with no conversion necessary.

+[id="intro_legc_pub"]
 ==== Public Keys
-
 Each public key *file* (`*.pub`) is written out in the following format:

    A B C
@ -44,13 +49,14 @@ C:: The key's comment

 The structures specified in the breakdowns later in this document describe the _decoded_ version of *B* *_only_*. They are specific to each keytype and format version starting with item `2.0`.

-
+[id="intro_v1"]
 === New "v1" Format
-==== Private Keys

+[id="intro_v1_priv"]
+==== Private Keys
 Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format.

-Refer to https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[`PROTOCOL.key`^] for a (very) general description, or each key's specific breakdown for more detailed information.
+Refer to https://anongit.mindrot.org/openssh.git/tree/PROTOCOL.key[`PROTOCOL.key`^] (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[GitHub mirror^]) for a (very) general description, or each key type's specific breakdown in this document for more detailed information.

 The v1 format offers several benefits over the legacy format, including:

@ -59,16 +65,18 @@ The v1 format offers several benefits over the legacy format, including:
 * embedded public key (no need to derive from the private key)
 * "checksumming" to confirm proper decryption for encrypted keys

+[id="intro_v1_pub"]
 ==== Public Keys
+All public keys in v1 continue to use the same packed binary format as <<intro_legc_pub, the legacy format>>.

-All public keys in v1 continue to use the same packed binary format as <<public_keys, the legacy format>>.
-
+[id="bkdn"]
 == Keytype-Specific Breakdowns

 include::rsa/main.adoc[]

 include::ed25519/main.adoc[]

+[id="moar"]
 == Further Information

 ++++
--- a/_ref/KEY_GUIDE.html
+++ b/_ref/KEY_GUIDE.html
@ -4,7 +4,7 @@
 <meta charset="UTF-8">
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<meta name="generator" content="Asciidoctor 2.0.20">
+<meta name="generator" content="Asciidoctor 2.0.23">
 <meta name="author" content="brent saner &lt;bts@square-r00t.net&gt;, https://r00t2.io">
 <title>OpenSSH Key Structure Guide</title>
 <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
@ -141,7 +141,7 @@ p a>code:hover{color:rgba(0,0,0,.9)}
 #content::before{content:none}
 #header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
 #header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #dddddf}
-#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #dddddf;padding-bottom:8px}
+#header>h1:only-child{border-bottom:1px solid #dddddf;padding-bottom:8px}
 #header .details{border-bottom:1px solid #dddddf;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:flex;flex-flow:row wrap}
 #header .details span:first-child{margin-left:-.125em}
 #header .details span.email a{color:rgba(0,0,0,.85)}
@ -163,6 +163,7 @@ p a>code:hover{color:rgba(0,0,0,.9)}
 #toctitle{color:#7a2518;font-size:1.2em}
@media screen and (min-width:768px){#toctitle{font-size:1.375em}
 body.toc2{padding-left:15em;padding-right:0}
+body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #dddddf;padding-bottom:8px}
 #toc.toc2{margin-top:0!important;background:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #e7e7e9;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
 #toc.toc2 #toctitle{margin-top:0;margin-bottom:.8rem;font-size:1.2em}
 #toc.toc2>ul{font-size:.9em;margin-bottom:0}
@ -328,7 +329,7 @@ a.image{text-decoration:none;display:inline-block}
 a.image object{pointer-events:none}
 sup.footnote,sup.footnoteref{font-size:.875em;position:static;vertical-align:super}
 sup.footnote a,sup.footnoteref a{text-decoration:none}
-sup.footnote a:active,sup.footnoteref a:active{text-decoration:underline}
+sup.footnote a:active,sup.footnoteref a:active,#footnotes .footnote a:first-of-type:active{text-decoration:underline}
 #footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
 #footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em;border-width:1px 0 0}
 #footnotes .footnote{padding:0 .375em 0 .225em;line-height:1.3334;font-size:.875em;margin-left:1.2em;margin-bottom:.2em}
@ -475,6 +476,10 @@ pre.rouge .gi {
  color: #116329;
  background-color: #dafbe1;
 }
+pre.rouge .ges {
+  font-weight: bold;
+  font-style: italic;
+}
 pre.rouge .kc {
  color: #0550ae;
 }
@ -630,89 +635,89 @@ pre.rouge .gs {
 <h1>OpenSSH Key Structure Guide</h1>
 <div class="details">
 <span id="author" class="author">brent saner &lt;bts@square-r00t.net&gt;, https://r00t2.io</span><br>
-<span id="revdate">Last updated 2023-09-04 01:40:40 -0400</span>
+<span id="revdate">Last updated 2025-09-01 13:47:06 -0400</span>
 </div>
 <div id="toc" class="toc2">
 <div id="toctitle">Table of Contents</div>
 <ul class="sectlevel1">
-<li><a href="#purpose">1. Purpose</a></li>
-<li><a href="#basic_introduction">2. Basic Introduction</a>
+<li><a href="#why">1. Purpose</a></li>
+<li><a href="#intro">2. Basic Introduction</a>
 <ul class="sectlevel2">
-<li><a href="#legacy">2.1. Legacy</a>
+<li><a href="#intro_legc">2.1. Legacy</a>
 <ul class="sectlevel3">
-<li><a href="#private_keys">2.1.1. Private Keys</a></li>
-<li><a href="#public_keys">2.1.2. Public Keys</a></li>
+<li><a href="#intro_legc_priv">2.1.1. Private Keys</a></li>
+<li><a href="#intro_legc_pub">2.1.2. Public Keys</a></li>
 </ul>
 </li>
-<li><a href="#new_v1_format">2.2. New "v1" Format</a>
+<li><a href="#intro_v1">2.2. New "v1" Format</a>
 <ul class="sectlevel3">
-<li><a href="#private_keys_2">2.2.1. Private Keys</a></li>
-<li><a href="#public_keys_2">2.2.2. Public Keys</a></li>
+<li><a href="#intro_v1_priv">2.2.1. Private Keys</a></li>
+<li><a href="#intro_v1_pub">2.2.2. Public Keys</a></li>
 </ul>
 </li>
 </ul>
 </li>
-<li><a href="#keytype_specific_breakdowns">3. Keytype-Specific Breakdowns</a>
+<li><a href="#bkdn">3. Keytype-Specific Breakdowns</a>
 <ul class="sectlevel2">
-<li><a href="#rsa">3.1. RSA</a>
+<li><a href="#bkdn_rsa">3.1. RSA</a>
 <ul class="sectlevel3">
-<li><a href="#public">3.1.1. Public</a>
+<li><a href="#bkdn_rsa_pub">3.1.1. Public</a>
 <ul class="sectlevel4">
-<li><a href="#structure">3.1.1.1. Structure</a></li>
-<li><a href="#example">3.1.1.2. Example</a></li>
+<li><a href="#bkdn_rsa_pub_struct">3.1.1.1. Structure</a></li>
+<li><a href="#bkdn_rsa_pub_ex">3.1.1.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#private">3.1.2. Private</a>
+<li><a href="#bkdn_rsa_priv">3.1.2. Private</a>
 <ul class="sectlevel4">
-<li><a href="#legacy_plain">3.1.2.1. Legacy (Plain)</a>
+<li><a href="#bkdn_rsa_priv_legc_plain">3.1.2.1. Legacy (Plain)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_rsa_plain_legacy">3.1.2.1.1. Structure</a></li>
-<li><a href="#bytes_rsa_plain_legacy">3.1.2.1.2. Example</a></li>
+<li><a href="#bkdn_rsa_priv_legc_plain_struct">3.1.2.1.1. Structure</a></li>
+<li><a href="#bkdn_rsa_priv_legc_plain_ex">3.1.2.1.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#legacy_encrypted">3.1.2.2. Legacy (Encrypted)</a>
+<li><a href="#bkdn_rsa_priv_legc_crypt">3.1.2.2. Legacy (Encrypted)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_rsa_crypt_legacy">3.1.2.2.1. Structure</a></li>
-<li><a href="#bytes_rsa_crypt_legacy">3.1.2.2.2. Example</a></li>
+<li><a href="#bkdn_rsa_priv_legc_crypt_struct">3.1.2.2.1. Structure</a></li>
+<li><a href="#bkdn_rsa_priv_legc_crypt_ex">3.1.2.2.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#v1_plain">3.1.2.3. v1 (Plain)</a>
+<li><a href="#bkdn_rsa_priv_v1_plain">3.1.2.3. v1 (Plain)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_rsa_plain">3.1.2.3.1. Structure</a></li>
-<li><a href="#bytes_rsa_plain">3.1.2.3.2. Example</a></li>
+<li><a href="#bkdn_rsa_priv_v1_plain_struct">3.1.2.3.1. Structure</a></li>
+<li><a href="#bkdn_rsa_priv_v1_plain_ex">3.1.2.3.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#v1_encrypted">3.1.2.4. v1 (Encrypted)</a>
+<li><a href="#bkdn_rsa_priv_v1_crypt">3.1.2.4. v1 (Encrypted)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_rsa_crypt">3.1.2.4.1. Structure</a></li>
-<li><a href="#bytes_rsa_crypt">3.1.2.4.2. Example</a></li>
+<li><a href="#bkdn_rsa_priv_v1_crypt_struct">3.1.2.4.1. Structure</a></li>
+<li><a href="#bkdn_rsa_priv_v1_crypt_ex">3.1.2.4.2. Example</a></li>
 </ul>
 </li>
 </ul>
 </li>
 </ul>
 </li>
-<li><a href="#ed25519">3.2. ED25519</a>
+<li><a href="#bkdn_ed25519">3.2. ED25519</a>
 <ul class="sectlevel3">
-<li><a href="#public_2">3.2.1. Public</a>
+<li><a href="#bkdn_ed25519_pub">3.2.1. Public</a>
 <ul class="sectlevel4">
-<li><a href="#structure_2">3.2.1.1. Structure</a></li>
-<li><a href="#example_2">3.2.1.2. Example</a></li>
+<li><a href="#bkdn_ed25519_pub_struct">3.2.1.1. Structure</a></li>
+<li><a href="#bkdn_ed25519_pub_ex">3.2.1.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#private_2">3.2.2. Private</a>
+<li><a href="#bkdn_ed25519_priv">3.2.2. Private</a>
 <ul class="sectlevel4">
-<li><a href="#legacy_2">3.2.2.1. Legacy</a></li>
-<li><a href="#v1_plain_2">3.2.2.2. v1 (Plain)</a>
+<li><a href="#bkdn_ed25519_priv_legc">3.2.2.1. Legacy</a></li>
+<li><a href="#bkdn_ed25519_priv_v1_plain">3.2.2.2. v1 (Plain)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_ed25519_plain">3.2.2.2.1. Structure</a></li>
-<li><a href="#bytes_ed25519_plain">3.2.2.2.2. Example</a></li>
+<li><a href="#bkdn_ed25519_priv_v1_plain_struct">3.2.2.2.1. Structure</a></li>
+<li><a href="#bkdn_ed25519_priv_v1_plain_ex">3.2.2.2.2. Example</a></li>
 </ul>
 </li>
-<li><a href="#v1_encrypted_2">3.2.2.3. v1 (Encrypted)</a>
+<li><a href="#bkdn_ed25519_priv_v1_crypt">3.2.2.3. v1 (Encrypted)</a>
 <ul class="sectlevel5">
-<li><a href="#struct_ed25519_crypt">3.2.2.3.1. Structure</a></li>
-<li><a href="#bytes_ed25519_crypt">3.2.2.3.2. Example</a></li>
+<li><a href="#bkdn_ed25519_priv_v1_crypt_struct">3.2.2.3.1. Structure</a></li>
+<li><a href="#bkdn_ed25519_priv_v1_crypt_ex">3.2.2.3.2. Example</a></li>
 </ul>
 </li>
 </ul>
@ -721,13 +726,13 @@ pre.rouge .gs {
 </li>
 </ul>
 </li>
-<li><a href="#further_information">4. Further Information</a></li>
+<li><a href="#moar">4. Further Information</a></li>
 </ul>
 </div>
 </div>
 <div id="content">
 <div class="sect1">
-<h2 id="purpose"><a class="link" href="#purpose">1. Purpose</a></h2>
+<h2 id="why"><a class="link" href="#why">1. Purpose</a></h2>
 <div class="sectionbody">
 <div class="paragraph">
 <p>This document attempts to present a much more detailed, thorough, and easily-understood form of the key formats used by OpenSSH. The extent of those formats' canonical documentation is <a href="https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key" target="_blank" rel="noopener">the OpenSSH source tree&#8217;s <code>PROTOCOL.key</code></a>, which is a little lacking.</p>
@ -735,18 +740,18 @@ pre.rouge .gs {
 </div>
 </div>
 <div class="sect1">
-<h2 id="basic_introduction"><a class="link" href="#basic_introduction">2. Basic Introduction</a></h2>
+<h2 id="intro"><a class="link" href="#intro">2. Basic Introduction</a></h2>
 <div class="sectionbody">
 <div class="sect2">
-<h3 id="legacy"><a class="link" href="#legacy">2.1. Legacy</a></h3>
+<h3 id="intro_legc"><a class="link" href="#intro_legc">2.1. Legacy</a></h3>
 <div class="sect3">
-<h4 id="private_keys"><a class="link" href="#private_keys">2.1.1. Private Keys</a></h4>
+<h4 id="intro_legc_priv"><a class="link" href="#intro_legc_priv">2.1.1. Private Keys</a></h4>
 <div class="paragraph">
 <p>In OpenSSH pre-7.8, private keys are stored in their respective PEM encoding<sup class="footnote">[<a id="_footnoteref_1" class="footnote" href="#_footnotedef_1" title="View footnote.">1</a>]</sup> with no modification. These legacy private keys should be entirely usable by OpenSSL/LibreSSL/GnuTLS etc. natively with no conversion necessary.</p>
 </div>
 </div>
 <div class="sect3">
-<h4 id="public_keys"><a class="link" href="#public_keys">2.1.2. Public Keys</a></h4>
+<h4 id="intro_legc_pub"><a class="link" href="#intro_legc_pub">2.1.2. Public Keys</a></h4>
 <div class="paragraph">
 <p>Each public key <strong>file</strong> (<code>*.pub</code>) is written out in the following format:</p>
 </div>
@ -780,14 +785,14 @@ pre.rouge .gs {
 </div>
 </div>
 <div class="sect2">
-<h3 id="new_v1_format"><a class="link" href="#new_v1_format">2.2. New "v1" Format</a></h3>
+<h3 id="intro_v1"><a class="link" href="#intro_v1">2.2. New "v1" Format</a></h3>
 <div class="sect3">
-<h4 id="private_keys_2"><a class="link" href="#private_keys_2">2.2.1. Private Keys</a></h4>
+<h4 id="intro_v1_priv"><a class="link" href="#intro_v1_priv">2.2.1. Private Keys</a></h4>
 <div class="paragraph">
 <p>Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format.</p>
 </div>
 <div class="paragraph">
-<p>Refer to <a href="https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key" target="_blank" rel="noopener"><code>PROTOCOL.key</code></a> for a (very) general description, or each key&#8217;s specific breakdown for more detailed information.</p>
+<p>Refer to <a href="https://anongit.mindrot.org/openssh.git/tree/PROTOCOL.key" target="_blank" rel="noopener"><code>PROTOCOL.key</code></a> (<a href="https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key" target="_blank" rel="noopener">GitHub mirror</a>) for a (very) general description, or each key type&#8217;s specific breakdown in this document for more detailed information.</p>
 </div>
 <div class="paragraph">
 <p>The v1 format offers several benefits over the legacy format, including:</p>
@ -810,19 +815,19 @@ pre.rouge .gs {
 </div>
 </div>
 <div class="sect3">
-<h4 id="public_keys_2"><a class="link" href="#public_keys_2">2.2.2. Public Keys</a></h4>
+<h4 id="intro_v1_pub"><a class="link" href="#intro_v1_pub">2.2.2. Public Keys</a></h4>
 <div class="paragraph">
-<p>All public keys in v1 continue to use the same packed binary format as <a href="#public_keys">the legacy format</a>.</p>
+<p>All public keys in v1 continue to use the same packed binary format as <a href="#intro_legc_pub">the legacy format</a>.</p>
 </div>
 </div>
 </div>
 </div>
 </div>
 <div class="sect1">
-<h2 id="keytype_specific_breakdowns"><a class="link" href="#keytype_specific_breakdowns">3. Keytype-Specific Breakdowns</a></h2>
+<h2 id="bkdn"><a class="link" href="#bkdn">3. Keytype-Specific Breakdowns</a></h2>
 <div class="sectionbody">
 <div class="sect2">
-<h3 id="rsa"><a class="link" href="#rsa">3.1. RSA</a></h3>
+<h3 id="bkdn_rsa"><a class="link" href="#bkdn_rsa">3.1. RSA</a></h3>
 <div class="paragraph">
 <p>RSA<sup class="footnote">[<a id="_footnoteref_3" class="footnote" href="#_footnotedef_3" title="View footnote.">3</a>]</sup> is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it.</p>
 </div>
@ -833,9 +838,9 @@ pre.rouge .gs {
 <p>It is <strong>highly</strong> recommended to use 4096-bit RSA if using RSA keys.</p>
 </div>
 <div class="sect3">
-<h4 id="public"><a class="link" href="#public">3.1.1. Public</a></h4>
+<h4 id="bkdn_rsa_pub"><a class="link" href="#bkdn_rsa_pub">3.1.1. Public</a></h4>
 <div class="sect4">
-<h5 id="structure"><a class="link" href="#structure">3.1.1.1. Structure</a></h5>
+<h5 id="bkdn_rsa_pub_struct"><a class="link" href="#bkdn_rsa_pub_struct">3.1.1.1. Structure</a></h5>
 <div class="paragraph">
 <p>Public keys are stored in the following structure:</p>
 </div>
@ -859,7 +864,7 @@ pre.rouge .gs {
 </div>
 </div>
 <div class="sect4">
-<h5 id="example"><a class="link" href="#example">3.1.1.2. Example</a></h5>
+<h5 id="bkdn_rsa_pub_ex"><a class="link" href="#bkdn_rsa_pub_ex">3.1.1.2. Example</a></h5>
 <div class="listingblock">
 <div class="title"><code>.pub</code> format</div>
 <div class="content">
@ -921,17 +926,17 @@ pre.rouge .gs {
 </div>
 </div>
 <div class="sect3">
-<h4 id="private"><a class="link" href="#private">3.1.2. Private</a></h4>
+<h4 id="bkdn_rsa_priv"><a class="link" href="#bkdn_rsa_priv">3.1.2. Private</a></h4>
 <div class="sect4">
-<h5 id="legacy_plain"><a class="link" href="#legacy_plain">3.1.2.1. Legacy (Plain)</a></h5>
+<h5 id="bkdn_rsa_priv_legc_plain"><a class="link" href="#bkdn_rsa_priv_legc_plain">3.1.2.1. Legacy (Plain)</a></h5>
 <div class="sect5">
-<h6 id="struct_rsa_plain_legacy"><a class="link" href="#struct_rsa_plain_legacy">3.1.2.1.1. Structure</a></h6>
+<h6 id="bkdn_rsa_priv_legc_plain_struct"><a class="link" href="#bkdn_rsa_priv_legc_plain_struct">3.1.2.1.1. Structure</a></h6>
 <div class="paragraph">
 <p>Legacy private keys are encoded in standard RSA PEM format (<a href="https://datatracker.ietf.org/doc/html/rfc7468" target="_blank" rel="noopener">RFC 7468</a> § <a href="https://datatracker.ietf.org/doc/html/rfc7468#section-10" target="_blank" rel="noopener">10</a>, <a href="https://datatracker.ietf.org/doc/html/rfc3447#appendix-A" target="_blank" rel="noopener">APPENDIX-A</a>).</p>
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_rsa_plain_legacy"><a class="link" href="#bytes_rsa_plain_legacy">3.1.2.1.2. Example</a></h6>
+<h6 id="bkdn_rsa_priv_legc_plain_ex"><a class="link" href="#bkdn_rsa_priv_legc_plain_ex">3.1.2.1.2. Example</a></h6>
 <div class="listingblock">
 <div class="content">
 <pre class="rouge highlight"><code data-lang="text"><table class="linenotable"><tbody><tr><td class="linenos gl"><pre class="lineno"> 1
@ -1042,9 +1047,9 @@ Zb7jkiz4m88ol7ezdWZyHhVMZqy4bWMCI4moTDcpqJuox6JTQiO2Ajj2pFU=
 </div>
 </div>
 <div class="sect4">
-<h5 id="legacy_encrypted"><a class="link" href="#legacy_encrypted">3.1.2.2. Legacy (Encrypted)</a></h5>
+<h5 id="bkdn_rsa_priv_legc_crypt"><a class="link" href="#bkdn_rsa_priv_legc_crypt">3.1.2.2. Legacy (Encrypted)</a></h5>
 <div class="sect5">
-<h6 id="struct_rsa_crypt_legacy"><a class="link" href="#struct_rsa_crypt_legacy">3.1.2.2.1. Structure</a></h6>
+<h6 id="bkdn_rsa_priv_legc_crypt_struct"><a class="link" href="#bkdn_rsa_priv_legc_crypt_struct">3.1.2.2.1. Structure</a></h6>
 <div class="paragraph">
 <p>Legacy private keys are encoded in standard RSA PEM format (<a href="https://datatracker.ietf.org/doc/html/rfc7468" target="_blank" rel="noopener">RFC 7468</a> § <a href="https://datatracker.ietf.org/doc/html/rfc7468#section-11" target="_blank" rel="noopener">11</a>, <a href="https://datatracker.ietf.org/doc/html/rfc3447#appendix-A" target="_blank" rel="noopener">APPENDIX-A</a>).</p>
 </div>
@ -1054,7 +1059,7 @@ The <code>DEK-Info</code> field is defined in <a href="https://datatracker.ietf.
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_rsa_crypt_legacy"><a class="link" href="#bytes_rsa_crypt_legacy">3.1.2.2.2. Example</a></h6>
+<h6 id="bkdn_rsa_priv_legc_crypt_ex"><a class="link" href="#bkdn_rsa_priv_legc_crypt_ex">3.1.2.2.2. Example</a></h6>
 <div class="paragraph">
 <p>The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is <strong><code>testpassword</code></strong>.</p>
 </div>
@ -1175,12 +1180,12 @@ ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
 </div>
 </div>
 <div class="paragraph">
-<p>See the <a href="#bytes_rsa_plain_legacy">plaintext example</a> for the decrypted (non-password-protected) version of this key.</p>
+<p>See the <a href="#bkdn_rsa_priv_legc_plain_ex">plaintext example</a> for the decrypted (non-password-protected) version of this key.</p>
 </div>
 </div>
 </div>
 <div class="sect4">
-<h5 id="v1_plain"><a class="link" href="#v1_plain">3.1.2.3. v1 (Plain)</a></h5>
+<h5 id="bkdn_rsa_priv_v1_plain"><a class="link" href="#bkdn_rsa_priv_v1_plain">3.1.2.3. v1 (Plain)</a></h5>
 <div class="admonitionblock tip">
 <table>
 <tr>
@ -1196,7 +1201,7 @@ ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
 </table>
 </div>
 <div class="sect5">
-<h6 id="struct_rsa_plain"><a class="link" href="#struct_rsa_plain">3.1.2.3.1. Structure</a></h6>
+<h6 id="bkdn_rsa_priv_v1_plain_struct"><a class="link" href="#bkdn_rsa_priv_v1_plain_struct">3.1.2.3.1. Structure</a></h6>
 <div class="listingblock">
 <div class="content">
 <pre class="rouge highlight"><code data-lang="text"><table class="linenotable"><tbody><tr><td class="linenos gl"><pre class="lineno"> 1
@ -1278,7 +1283,7 @@ ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
 </td>
 <td class="content">
 <div class="paragraph">
-<p><strong>Chunk 3.0.0 to 3.0.1:</strong> These blocks are not present in unencrypted keys (see the <a href="#struct_rsa_crypt">encrypted key structure</a> for what these look like). <strong>3.0</strong> reflects this, as it&#8217;s always going to be <code>00000000</code> (0).</p>
+<p><strong>Chunk 3.0.0 to 3.0.1:</strong> These blocks are not present in unencrypted keys (see the <a href="#bkdn_rsa_priv_v1_crypt_struct">encrypted key structure</a> for what these look like). <strong>3.0</strong> reflects this, as it&#8217;s always going to be <code>00000000</code> (0).</p>
 </div>
 <div class="paragraph">
 <p><strong>Chunk 4.0:</strong> This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).</p>
@ -1295,7 +1300,7 @@ ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_rsa_plain"><a class="link" href="#bytes_rsa_plain">3.1.2.3.2. Example</a></h6>
+<h6 id="bkdn_rsa_priv_v1_plain_ex"><a class="link" href="#bkdn_rsa_priv_v1_plain_ex">3.1.2.3.2. Example</a></h6>
 <div class="paragraph">
 <p>The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is <strong><code>test</code></strong>.</p>
 </div>
@ -1620,7 +1625,7 @@ hau1VzZBnp8AAAAYVGhpcyBpcyBhIGNvbW1lbnQgc3RyaW5nAQID
 </div>
 </div>
 <div class="sect4">
-<h5 id="v1_encrypted"><a class="link" href="#v1_encrypted">3.1.2.4. v1 (Encrypted)</a></h5>
+<h5 id="bkdn_rsa_priv_v1_crypt"><a class="link" href="#bkdn_rsa_priv_v1_crypt">3.1.2.4. v1 (Encrypted)</a></h5>
 <div class="admonitionblock tip">
 <table>
 <tr>
@ -1713,7 +1718,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 </table>
 </div>
 <div class="sect5">
-<h6 id="struct_rsa_crypt"><a class="link" href="#struct_rsa_crypt">3.1.2.4.1. Structure</a></h6>
+<h6 id="bkdn_rsa_priv_v1_crypt_struct"><a class="link" href="#bkdn_rsa_priv_v1_crypt_struct">3.1.2.4.1. Structure</a></h6>
 <div class="listingblock">
 <div class="content">
 <pre class="rouge highlight"><code data-lang="text"><table class="linenotable"><tbody><tr><td class="linenos gl"><pre class="lineno"> 1
@ -1770,7 +1775,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 <p><strong>Chunk 4.0:</strong> This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).</p>
 </div>
 <div class="paragraph">
-<p><strong>Chunk 4.0.1.0:</strong> When decrypted, this is equivalent to the <a href="#struct_rsa_plain">plaintext</a> <strong>4.0.1.0</strong> to <strong>4.0.1.10</strong>. It uses a padded size appropriate to the encryption cipher used.</p>
+<p><strong>Chunk 4.0.1.0:</strong> When decrypted, this is equivalent to the <a href="#bkdn_rsa_priv_v1_plain_struct">plaintext</a> <strong>4.0.1.0</strong> to <strong>4.0.1.10</strong>. It uses a padded size appropriate to the encryption cipher used.</p>
 </div>
 </td>
 </tr>
@ -1778,7 +1783,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_rsa_crypt"><a class="link" href="#bytes_rsa_crypt">3.1.2.4.2. Example</a></h6>
+<h6 id="bkdn_rsa_priv_v1_crypt_ex"><a class="link" href="#bkdn_rsa_priv_v1_crypt_ex">3.1.2.4.2. Example</a></h6>
 <div class="paragraph">
 <p>The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is <strong><code>test</code></strong>.</p>
 </div>
@ -2088,7 +2093,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </td>
 <td class="content">
 <div class="paragraph">
-<p>The decrypted <strong>4.0.1.0</strong> should match the <a href="#struct_rsa_plain">plaintext key&#8217;s structure</a> for <strong>4.0.1.0</strong> through <strong>4.0.1.10</strong>. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.</p>
+<p>The decrypted <strong>4.0.1.0</strong> should match the <a href="#bkdn_rsa_priv_v1_plain_ex">plaintext key&#8217;s structure</a> for <strong>4.0.1.0</strong> through <strong>4.0.1.10</strong>. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.</p>
 </div>
 </td>
 </tr>
@ -2250,14 +2255,14 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </div>
 </div>
 <div class="paragraph">
-<p>See the <a href="#struct_rsa_plain">plaintext structure</a> for details.</p>
+<p>See the <a href="#bkdn_rsa_priv_v1_plain_struct">plaintext structure</a> for details.</p>
 </div>
 </div>
 </div>
 </div>
 </div>
 <div class="sect2">
-<h3 id="ed25519"><a class="link" href="#ed25519">3.2. ED25519</a></h3>
+<h3 id="bkdn_ed25519"><a class="link" href="#bkdn_ed25519">3.2. ED25519</a></h3>
 <div class="paragraph">
 <p>ED25519<sup class="footnote">[<a id="_footnoteref_4" class="footnote" href="#_footnotedef_4" title="View footnote.">4</a>]</sup> is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including:</p>
 </div>
@ -2292,9 +2297,9 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 <p>I recommend it over all other key types for new SSH keys as long as it&#8217;s supported by clients/servers.</p>
 </div>
 <div class="sect3">
-<h4 id="public_2"><a class="link" href="#public_2">3.2.1. Public</a></h4>
+<h4 id="bkdn_ed25519_pub"><a class="link" href="#bkdn_ed25519_pub">3.2.1. Public</a></h4>
 <div class="sect4">
-<h5 id="structure_2"><a class="link" href="#structure_2">3.2.1.1. Structure</a></h5>
+<h5 id="bkdn_ed25519_pub_struct"><a class="link" href="#bkdn_ed25519_pub_struct">3.2.1.1. Structure</a></h5>
 <div class="paragraph">
 <p>Public keys are stored in the following structure:</p>
 </div>
@ -2314,7 +2319,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </div>
 </div>
 <div class="sect4">
-<h5 id="example_2"><a class="link" href="#example_2">3.2.1.2. Example</a></h5>
+<h5 id="bkdn_ed25519_pub_ex"><a class="link" href="#bkdn_ed25519_pub_ex">3.2.1.2. Example</a></h5>
 <div class="listingblock">
 <div class="title"><code>id_ed25519.pub</code> Format</div>
 <div class="content">
@ -2340,9 +2345,9 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </div>
 </div>
 <div class="sect3">
-<h4 id="private_2"><a class="link" href="#private_2">3.2.2. Private</a></h4>
+<h4 id="bkdn_ed25519_priv"><a class="link" href="#bkdn_ed25519_priv">3.2.2. Private</a></h4>
 <div class="sect4">
-<h5 id="legacy_2"><a class="link" href="#legacy_2">3.2.2.1. Legacy</a></h5>
+<h5 id="bkdn_ed25519_priv_legc"><a class="link" href="#bkdn_ed25519_priv_legc">3.2.2.1. Legacy</a></h5>
 <div class="admonitionblock note">
 <table>
 <tr>
@ -2359,7 +2364,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </div>
 </div>
 <div class="sect4">
-<h5 id="v1_plain_2"><a class="link" href="#v1_plain_2">3.2.2.2. v1 (Plain)</a></h5>
+<h5 id="bkdn_ed25519_priv_v1_plain"><a class="link" href="#bkdn_ed25519_priv_v1_plain">3.2.2.2. v1 (Plain)</a></h5>
 <div class="admonitionblock tip">
 <table>
 <tr>
@ -2375,7 +2380,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </table>
 </div>
 <div class="sect5">
-<h6 id="struct_ed25519_plain"><a class="link" href="#struct_ed25519_plain">3.2.2.2.1. Structure</a></h6>
+<h6 id="bkdn_ed25519_priv_v1_plain_struct"><a class="link" href="#bkdn_ed25519_priv_v1_plain_struct">3.2.2.2.1. Structure</a></h6>
 <div class="listingblock">
 <div class="content">
 <pre class="rouge highlight"><code data-lang="text"><table class="linenotable"><tbody><tr><td class="linenos gl"><pre class="lineno"> 1
@ -2437,7 +2442,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </td>
 <td class="content">
 <div class="paragraph">
-<p><strong>Chunk 3.0.0 to 3.0.1:</strong> These blocks are not present in unencrypted keys (see the <a href="#struct_ed25519_crypt">encrypted key structure</a> for what these look like). <strong>3.0</strong> reflects this, as it&#8217;s always going to be <code>00000000</code> (0).</p>
+<p><strong>Chunk 3.0.0 to 3.0.1:</strong> These blocks are not present in unencrypted keys (see the <a href="#bkdn_ed25519_priv_v1_crypt_struct">encrypted key structure</a> for what these look like). <strong>3.0</strong> reflects this, as it&#8217;s always going to be <code>00000000</code> (0).</p>
 </div>
 <div class="paragraph">
 <p><strong>Chunk 4.0:</strong> This is technically currently unused; upstream hardcodes to 1 (left zero-padded <code>0x01</code>).</p>
@ -2454,7 +2459,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_ed25519_plain"><a class="link" href="#bytes_ed25519_plain">3.2.2.2.2. Example</a></h6>
+<h6 id="bkdn_ed25519_priv_v1_plain_ex"><a class="link" href="#bkdn_ed25519_priv_v1_plain_ex">3.2.2.2.2. Example</a></h6>
 <div class="listingblock">
 <div class="title"><code>id_ed25519</code> Format</div>
 <div class="content">
@ -2542,7 +2547,7 @@ g7umsWLE6XzRH3PDnZewAAAAElRoaXMgaXMgYSB0ZXN0IGtleQECAw==
 </div>
 </div>
 <div class="sect4">
-<h5 id="v1_encrypted_2"><a class="link" href="#v1_encrypted_2">3.2.2.3. v1 (Encrypted)</a></h5>
+<h5 id="bkdn_ed25519_priv_v1_crypt"><a class="link" href="#bkdn_ed25519_priv_v1_crypt">3.2.2.3. v1 (Encrypted)</a></h5>
 <div class="admonitionblock tip">
 <table>
 <tr>
@ -2635,7 +2640,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 </table>
 </div>
 <div class="sect5">
-<h6 id="struct_ed25519_crypt"><a class="link" href="#struct_ed25519_crypt">3.2.2.3.1. Structure</a></h6>
+<h6 id="bkdn_ed25519_priv_v1_crypt_struct"><a class="link" href="#bkdn_ed25519_priv_v1_crypt_struct">3.2.2.3.1. Structure</a></h6>
 <div class="listingblock">
 <div class="content">
 <pre class="rouge highlight"><code data-lang="text"><table class="linenotable"><tbody><tr><td class="linenos gl"><pre class="lineno"> 1
@ -2686,7 +2691,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 <p><strong>Chunk 4.0:</strong> This is technically currently unused; upstream hardcodes to 1 (left zero-padded <code>0x01</code>).</p>
 </div>
 <div class="paragraph">
-<p><strong>Chunk 4.0.1.0:</strong> When decrypted, this is equivalent to the <a href="#struct_ed25519_plain">plaintext</a> <strong>4.0.1.0</strong> to <strong>4.0.1.6</strong>. It uses a padded size appropriate to the encryption cipher used.</p>
+<p><strong>Chunk 4.0.1.0:</strong> When decrypted, this is equivalent to the <a href="#bkdn_ed25519_priv_v1_plain_struct">plaintext</a> <strong>4.0.1.0</strong> to <strong>4.0.1.6</strong>. It uses a padded size appropriate to the encryption cipher used.</p>
 </div>
 </td>
 </tr>
@ -2694,7 +2699,7 @@ Note that <strong>1.0.0</strong> has nothing to do with SSH connections themselv
 </div>
 </div>
 <div class="sect5">
-<h6 id="bytes_ed25519_crypt"><a class="link" href="#bytes_ed25519_crypt">3.2.2.3.2. Example</a></h6>
+<h6 id="bkdn_ed25519_priv_v1_crypt_ex"><a class="link" href="#bkdn_ed25519_priv_v1_crypt_ex">3.2.2.3.2. Example</a></h6>
 <div class="paragraph">
 <p>The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is <strong><code>test</code></strong>.</p>
 </div>
@ -2788,7 +2793,7 @@ dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
 </td>
 <td class="content">
 <div class="paragraph">
-<p>The decrypted <strong>4.0.1.0</strong> should match the <a href="#struct_ed25519_plain">plaintext key&#8217;s structure</a> for <strong>4.0.1</strong> through <strong>4.0.1.6</strong>. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.</p>
+<p>The decrypted <strong>4.0.1.0</strong> should match the <a href="#bkdn_ed25519_priv_v1_plain_struct">plaintext key&#8217;s structure</a> for <strong>4.0.1</strong> through <strong>4.0.1.6</strong>. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.</p>
 </div>
 </td>
 </tr>
@ -2834,7 +2839,7 @@ dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
 </div>
 </div>
 <div class="paragraph">
-<p>See the <a href="#struct_ed25519_plain">plaintext structure</a> for details.</p>
+<p>See the <a href="#bkdn_ed25519_priv_v1_plain_struct">plaintext structure</a> for details.</p>
 </div>
 </div>
 </div>
@ -2843,7 +2848,7 @@ dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
 </div>
 </div>
 <div class="sect1">
-<h2 id="further_information"><a class="link" href="#further_information">4. Further Information</a></h2>
+<h2 id="moar"><a class="link" href="#moar">4. Further Information</a></h2>
 <div class="sectionbody">
 <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">
 	<img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" />
@ -2873,7 +2878,7 @@ dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2023-09-04 01:31:56 -0400
+Last updated 2025-09-01 12:09:44 -0400
 </div>
 </div>
 </body>
--- a/_ref/ed25519/main.adoc
+++ b/_ref/ed25519/main.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519"]
 === ED25519

 ED25519footnote:[https://datatracker.ietf.org/doc/html/rfc8709] is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including:
@ -17,4 +18,5 @@ ED25519footnote:[https://datatracker.ietf.org/doc/html/rfc8709] is a relatively
 I recommend it over all other key types for new SSH keys as long as it's supported by clients/servers.

 include::public.adoc[]
+
 include::private/main.adoc[]
--- a/_ref/ed25519/private/legacy/main.adoc
+++ b/_ref/ed25519/private/legacy/main.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519_priv_legc"]
 ===== Legacy

 [NOTE]
--- a/_ref/ed25519/private/main.adoc
+++ b/_ref/ed25519/private/main.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519_priv"]
 ==== Private

 include::legacy/main.adoc[]
--- a/_ref/ed25519/private/v1/encrypted.adoc
+++ b/_ref/ed25519/private/v1/encrypted.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519_priv_v1_crypt"]
 ===== v1 (Encrypted)

 [TIP]
@ -40,7 +41,7 @@ This is likely going to be:
 The author recommends using `aes256-ctr`. It is currently the upstream default.
 ====

-[id=struct_ed25519_crypt]
+[id="bkdn_ed25519_priv_v1_crypt_struct"]
 ====== Structure

 [source,text,linenums]
@ -68,10 +69,10 @@ The author recommends using `aes256-ctr`. It is currently the upstream default.
 ====
 *Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`).

-*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <<struct_ed25519_plain, plaintext>> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used.
+*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <<bkdn_ed25519_priv_v1_plain_struct, plaintext>> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used.
 ====

-[id=bytes_ed25519_crypt]
+[id="bkdn_ed25519_priv_v1_crypt_ex"]
 ====== Example

 The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*.
@ -123,7 +124,7 @@ dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV

 [NOTE]
 ====
-The decrypted *4.0.1.0* should match the <<struct_ed25519_plain, plaintext key's structure>> for *4.0.1* through *4.0.1.6*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.
+The decrypted *4.0.1.0* should match the <<bkdn_ed25519_priv_v1_plain_struct, plaintext key's structure>> for *4.0.1* through *4.0.1.6*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.
 ====

 When *4.0.1.0* is decrypted, it yields:
@ -148,4 +149,4 @@ When *4.0.1.0* is decrypted, it yields:
 4.0.1.6 0102030405060708090a0b ([1 2 3 4 5 6 7 8 9 10 11], 11 bytes)
 ----

-See the <<struct_ed25519_plain, plaintext structure>> for details.
+See the <<bkdn_ed25519_priv_v1_plain_struct, plaintext structure>> for details.
--- a/_ref/ed25519/private/v1/plain.adoc
+++ b/_ref/ed25519/private/v1/plain.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519_priv_v1_plain"]
 ===== v1 (Plain)

 [TIP]
@ -11,7 +12,7 @@ http://creativecommons.org/licenses/by-sa/4.0/.
 Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).
 ====

-[id=struct_ed25519_plain]
+[id="bkdn_ed25519_priv_v1_plain_struct"]
 ====== Structure

 [source,text,linenums]
@ -44,7 +45,7 @@ Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encr

 [NOTE]
 ====
-*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <<struct_ed25519_crypt, encrypted key structure>> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0).
+*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <<bkdn_ed25519_priv_v1_crypt_struct, encrypted key structure>> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0).

 *Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`).

@ -53,7 +54,7 @@ Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encr
 *Chunk 4.0.1.6:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.5.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.
 ====

-[id=bytes_ed25519_plain]
+[id="bkdn_ed25519_priv_v1_plain_ex"]
 ====== Example

 .`id_ed25519` Format
--- a/_ref/ed25519/public.adoc
+++ b/_ref/ed25519/public.adoc
@ -4,8 +4,10 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_ed25519_pub"]
 ==== Public

+[id="bkdn_ed25519_pub_struct"]
 ===== Structure

 Public keys are stored in the following structure:
@ -19,6 +21,7 @@ Public keys are stored in the following structure:
    1.0.0 Public key payload (bytes)
 ----

+[id="bkdn_ed25519_pub_ex"]
 ===== Example

 .`id_ed25519.pub` Format
--- a/_ref/rsa/main.adoc
+++ b/_ref/rsa/main.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa"]
 === RSA

 RSAfootnote:[https://datatracker.ietf.org/doc/html/rfc8017] is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it.
--- a/_ref/rsa/private/legacy/encrypted.adoc
+++ b/_ref/rsa/private/legacy/encrypted.adoc
@ -4,9 +4,10 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_priv_legc_crypt"]
 ===== Legacy (Encrypted)

-[id=struct_rsa_crypt_legacy]
+[id="bkdn_rsa_priv_legc_crypt_struct"]
 ====== Structure

 Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-11[11^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]).
@ -14,7 +15,7 @@ Legacy private keys are encoded in standard RSA PEM format (https://datatracker.
 The `Proc-Type` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.1[RFC 1421 § 4.6.1.1^]. +
 The `DEK-Info` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.3[RFC 1421 § 4.6.1.3^].

-[id=bytes_rsa_crypt_legacy]
+[id="bkdn_rsa_priv_legc_crypt_ex"]
 ====== Example

 The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`testpassword`*.
@ -79,4 +80,4 @@ ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
 -----END RSA PRIVATE KEY-----
 ----

-See the <<bytes_rsa_plain_legacy, plaintext example>> for the decrypted (non-password-protected) version of this key.
+See the <<bkdn_rsa_priv_legc_plain_ex, plaintext example>> for the decrypted (non-password-protected) version of this key.
--- a/_ref/rsa/private/legacy/plain.adoc
+++ b/_ref/rsa/private/legacy/plain.adoc
@ -4,14 +4,15 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_priv_legc_plain"]
 ===== Legacy (Plain)

-[id=struct_rsa_plain_legacy]
+[id="bkdn_rsa_priv_legc_plain_struct"]
 ====== Structure

 Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-10[10^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]).

-[id=bytes_rsa_plain_legacy]
+[id="bkdn_rsa_priv_legc_plain_ex"]
 ====== Example

 [source,text,linenums]
--- a/_ref/rsa/private/main.adoc
+++ b/_ref/rsa/private/main.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_priv"]
 ==== Private

 include::legacy/main.adoc[]
--- a/_ref/rsa/private/v1/encrypted.adoc
+++ b/_ref/rsa/private/v1/encrypted.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_priv_v1_crypt"]
 ===== v1 (Encrypted)

 [TIP]
@ -40,7 +41,7 @@ This is likely going to be:
 The author recommends using `aes256-ctr`. It is currently the upstream default.
 ====

-[id=struct_rsa_crypt]
+[id="bkdn_rsa_priv_v1_crypt_struct"]
 ====== Structure

 [source,text,linenums]
@ -71,10 +72,10 @@ The author recommends using `aes256-ctr`. It is currently the upstream default.
 ====
 *Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

-*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <<struct_rsa_plain,plaintext>> *4.0.1.0* to *4.0.1.10*. It uses a padded size appropriate to the encryption cipher used.
+*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <<bkdn_rsa_priv_v1_plain_struct, plaintext>> *4.0.1.0* to *4.0.1.10*. It uses a padded size appropriate to the encryption cipher used.
 ====

-[id=bytes_rsa_crypt]
+[id="bkdn_rsa_priv_v1_crypt_ex"]
 ====== Example

 The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*.
@ -234,7 +235,7 @@ ZnrXZl+8QIW1MSvaaQFmJFqTs=

 [NOTE]
 ====
-The decrypted *4.0.1.0* should match the <<struct_rsa_plain, plaintext key's structure>> for *4.0.1.0* through *4.0.1.10*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.
+The decrypted *4.0.1.0* should match the <<bkdn_rsa_priv_v1_plain_ex, plaintext key's structure>> for *4.0.1.0* through *4.0.1.10*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.
 ====

 When *4.0.1.0* is decrypted, it yields:
@ -317,4 +318,4 @@ When *4.0.1.0* is decrypted, it yields:
 4.0.1.10 010203 ([1 2 3], 3 bytes)
 ----

-See the <<struct_rsa_plain, plaintext structure>> for details.
+See the <<bkdn_rsa_priv_v1_plain_struct, plaintext structure>> for details.
--- a/_ref/rsa/private/v1/plain.adoc
+++ b/_ref/rsa/private/v1/plain.adoc
@ -4,6 +4,7 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_priv_v1_plain"]
 ===== v1 (Plain)

 [TIP]
@ -11,7 +12,7 @@ http://creativecommons.org/licenses/by-sa/4.0/.
 Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).
 ====

-[id=struct_rsa_plain]
+[id="bkdn_rsa_priv_v1_plain_struct"]
 ====== Structure

 [source,text,linenums]
@ -54,7 +55,7 @@ Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encr

 [NOTE]
 ====
-*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <<struct_rsa_crypt, encrypted key structure>> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0).
+*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <<bkdn_rsa_priv_v1_crypt_struct, encrypted key structure>> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0).

 *Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

@ -63,7 +64,7 @@ Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encr
 *Chunk 4.0.1.10:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.9.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.
 ====

-[id=bytes_rsa_plain]
+[id="bkdn_rsa_priv_v1_plain_ex"]
 ====== Example

 The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*.
--- a/_ref/rsa/public.adoc
+++ b/_ref/rsa/public.adoc
@ -4,8 +4,10 @@ To view a copy of this license, visit
 http://creativecommons.org/licenses/by-sa/4.0/.
 ////

+[id="bkdn_rsa_pub"]
 ==== Public

+[id="bkdn_rsa_pub_struct"]
 ===== Structure

 Public keys are stored in the following structure:
@ -21,6 +23,7 @@ Public keys are stored in the following structure:
    2.0 modulus ('n') (bytes)
 ----

+[id="bkdn_rsa_pub_ex"]
 ===== Example

 .`.pub` format