diff --git a/_ref/KEY_GUIDE.adoc b/_ref/KEY_GUIDE.adoc index 045b57a..3c02664 100644 --- a/_ref/KEY_GUIDE.adoc +++ b/_ref/KEY_GUIDE.adoc @@ -13,6 +13,7 @@ Last updated {localdatetime} :idprefix: :toclevels: 7 :source-highlighter: rouge +:docinfo: shared == Purpose This document attempts to present a much more detailed, thorough, and easily-understood form of the key formats used by OpenSSH. The extent of those formats' canonical documentation is https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[the OpenSSH source tree's `PROTOCOL.key`^], which is a little lacking. 
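Review bot: `:docinfo: shared`, the one added line in this hunk, only does something if a `docinfo.html` (or `docinfo-header.html` / `docinfo-footer.html`) file exists next to `KEY_GUIDE.adoc`, and no such file is part of this change; either add it here or note in the commit message where it already lives, otherwise the attribute is a silent no-op.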
@@ -35,14 +36,29 @@ A:: The key type (e.g. `ssh-rsa`, `ssh-ed25519`, etc.) B:: The public key itself, Base64footnote:[https://datatracker.ietf.org/doc/html/rfc4648]-encoded C:: The key's comment -The structures specified in the breakdowns later in this document describe the _decoded_ version of *B* *_only_*. +The structures specified in the breakdowns later in this document describe the _decoded_ version of *B* *_only_*. They are specific to each keytype and format version starting with item `2.0`. === New "v1" Format ==== Private Keys + +Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format. + +Refer to https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[`PROTOCOL.key`^] for a (very) general description, or each key's specific breakdown for more detailed information. + +The v1 format offers several benefits over the legacy format, including: + +* customizable key derivation and encryption ciphers for encrypted private keys +* embedded comments +* embedded public key (no need to derive from the private key) +* "checksumming" to confirm proper decryption for encrypted keys + ==== Public Keys +All public keys in v1 continue to use the same packed binary format as <>. + == Keytype-Specific Breakdowns + include::rsa/main.adoc[] -=== ED25519 +include::ed25519/main.adoc[] diff --git a/_ref/KEY_GUIDE.html b/_ref/KEY_GUIDE.html index b427d5e..9334206 100644 --- a/_ref/KEY_GUIDE.html +++ b/_ref/KEY_GUIDE.html @@ -657,7 +657,7 @@ pre.rouge {

OpenSSH Key Structure Guide

brent saner <bts@square-r00t.net>, https://r00t2.io
-Last updated 2022-03-06 04:09:26 -0500 +Last updated 2022-03-07 02:34:27 -0500
Table of Contents
@@ -691,12 +691,61 @@ pre.rouge {
  • 3.1.2. Private +
  • + + +
  • 3.2. ED25519 +
  • -
  • 3.2. ED25519
  • @@ -752,7 +801,7 @@ pre.rouge {
    -

    The structures specified in the breakdowns later in this document describe the decoded version of B only.

    +

    The structures specified in the breakdowns later in this document describe the decoded version of B only. They are specific to each keytype and format version starting with item 2.0.

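Review bot: the added clause "starting with item 2.0" looks off by one and reads like a version number rather than an item in the breakdowns. In the public-key breakdown later in this diff, `0` / `0.0` (the key type string) is the only part shared by every keytype; `1.0` is already the RSA public exponent `e`, so the keytype-specific portion begins at item `1.0`, not `2.0`. Suggest: "They are specific to each keytype and format version from item `1.0` onward; item `0.0` (the key type string) is common to all."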
    @@ -760,11 +809,37 @@ pre.rouge {

    2.2. New "v1" Format

    2.2.1. Private Keys

    - +
    +

    Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format.

    +
    +
    +

    Refer to PROTOCOL.key for a (very) general description, or each key’s specific breakdown for more detailed information.

    +
    +
    +

    The v1 format offers several benefits over the legacy format, including:

    +
    +
    +
      +
    • +

      customizable key derivation and encryption ciphers for encrypted private keys

      +
    • +
    • +

      embedded comments

      +
    • +
    • +

      embedded public key (no need to derive from the private key)

      +
    • +
    • +

      "checksumming" to confirm proper decryption for encrypted keys

      +
    • +
    +

    2.2.2. Public Keys

    - +
    +

    All public keys in v1 continue to use the same packed binary format as the legacy format.

    +
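Review bot: "They no longer are in straight PEM-compatible format" overstates the change: v1 files still carry PEM-style `-----BEGIN OPENSSH PRIVATE KEY-----` / `-----END ...-----` armor around a base64 body (see the v1 example further down this diff); what changed is that the decoded payload is the packed binary structure from `PROTOCOL.key` instead of an ASN.1/DER-encoded PKCS#1 key, and that is what the sentence should say. The "checksumming" bullet also deserves a clause explaining the scare quotes: the values are two copies of one random 32-bit number at the start of the private section that must match after decryption (the breakdown below calls them decryption "checksum" #1 and #2, "should match"), not a checksum over the key material, so they only detect a wrong passphrase, not corruption of the rest of the blob.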
    @@ -778,7 +853,10 @@ pre.rouge {

    RSA[3] is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it.

    -

    The key structures have references to the RSA notations in single quotes. You can find these enumerated in RFC 8017 § 2. See also the Wikipedia article.

    +

    The key structures have references to the RSA notations in single quotes. You can find these enumerated in RFC 8017 § 2 or RFC 8017 § 3.2. See also the Wikipedia article.

    +
    +
    +

    It is highly recommended to use 4096-bit RSA if using RSA keys.

    3.1.1. Public

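Review bot: the new last paragraph recommends 4096-bit RSA without a reason or a way to get it; a half sentence such as "pass `-b 4096` to `ssh-keygen`, since that is not the default size" would make it actionable, and it should be tied back to the paragraph above that already steers readers to ED25519, i.e. the size advice applies only where RSA is required for compatibility with older clients or servers.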
    @@ -797,11 +875,11 @@ pre.rouge { 5 6
    0 uint32 allocator for 0.0 (4 bytes)
    -    0.0 Public key type string (ASCII bytes; length defined above)
    +    0.0 Public key type string (ASCII bytes)
     1 uint32 allocator for 1.0 (4 bytes)
    -    1.0 Public exponent ('e')
    +    1.0 Public exponent ('e') (hex numeric)
     2 uint32 allocator for 2.0 (4 bytes)
    -    2.0 modulus ('n')
    +    2.0 modulus ('n') (bytes)
     
    @@ -871,20 +949,1922 @@ pre.rouge {

    3.1.2. Private

    -
    3.1.2.1. Legacy
    +
    3.1.2.1. Legacy (Plain)
    +
    +
    3.1.2.1.1. Structure
    -

    TODO

    +

    Legacy private keys are encoded in standard RSA PEM format (RFC 7468 § 10, APPENDIX-A).

    +
    +
    +
    +
    3.1.2.1.2. Example
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +51
    +
    -----BEGIN RSA PRIVATE KEY-----
    +MIIJKAIBAAKCAgEA0cey1didD//oq66foKO2IUqFAl0+EF9nMiDfu4LTM4SSoajP
    +Q02jewKP/GW9M7eFcDNf3UC5BUNkWym7uNzT6JlkKREZpe6AFsl4hNIfN+uoZSXA
    +5vUsqCW29+6lNALMwAHS835cMZPg2IIPQW21nudsMUH0+U4npwfc5jRButoxYnOT
    +LwbpTsDE8L1SXQdNojdfBQ/Ftk+mMr2E+boFv38lQMksfvY9nNhp5JKklyrmQtGv
    +2M1ChJXHKMCkspKpuIvM6ORIp5FMLmLpe1HR5HpxVFKGjCQaRhtwRnUrY69LhyEc
    +XtTt2O6OuiwFZbMcOTVSkGJUZ3qDKvRT9V4LA1WAvIKIqwkwNPoGdv8lVBgNL17c
    +32GTtb3eGg3zYl9pJu1bsofnm8KGrKGYG0qBWjSdKcpGLRvbPj3d0m0YPk1smCid
    +XnGCyzrG3gpMy0DS5SAyUl585rmfx/HJFtfSbhQTOR3lT1AMYRNNDej+pWX9ZAQC
    +82mnIdRLIXQL60BPLX/xRjHWva+0s3arfNhB1F0gxJWdMwCU7Fsd7M0m4bL519pt
    +t+fwnGgoEjOGDaiPzfARfi/IZ90npNmAS9WoDt94/uQdbGWXA9naww41z2IcuY5V
    +uPqeJkyqflA49GnYyiJz273fh3EnDqdudBTqAMZnUsRW/nJoNi64GldfXv0CAwEA
    +AQKCAgAldEcswRkBw0oSZQIhFzmsZfarfmRXXgE5xP7NJsV4nEHl1RL0TEdU7hcx
    +FCUct7Z+Wt3Rzf16wBaJ5ECc9+hpzgFBB8mRg6yg5OW8qRtjy5JsRLpVQg7wEpPB
    +Xn1mdN2Dpo+4Y6YoP+PUJBx/LQxRS7ZYcRNA88BGpTO+cjQOHWjV0BbGPbCoG+jN
    +pq+u5l/pB4PSjodZTo043/d+8sSV9Sh8ka59GI/VkhoN8lSqnMExyuhfh/5JV8iQ
    +MRz2uRLOXT9/kUqbiGiWm5heKTSVW3sid/2HxeZfAAUiv0a47JJKlRHQqKmyop0f
    +Bj8Mclcmq6uLFdNGCmyi3a6jz1+drKPovO8H9ZTKx7sujxbR1lIC1BPfzFQ1LzjT
    +A+n1Yp0gR9LA83TnzysGiYpl2MJYijbB8FPbXdJOMBNO63Jrr0DrF0VdI6Vf9GbA
    +HAmz+IbPD+ZTZNktzpv1MmTE+4W/7E/i22KwpJy+/6RYpkDCu3vTKS4L46BQsN4W
    +Gm2EL+kdzzmyCog3Vi6b0JRNd0dlKdZQKBanGtm4m3vx6PGhQFt0OZYu/QxDlLuK
    +YhlKDIpBdZTTL/PIk4xx89X826fm2DT3ZSK652YCiU35nO1VqU+hKl4gA1dhp4DN
    +/wg4LGFtwVhcwr1NyAC+nsFVTYU9Wszl+qpMOK/kKy7WH1K8rQKCAQEA/wXLJPeL
    +e3QG0E7TlMmOxq2yUFhu7WMybmhW5z3su9jHNxZ2qEP7Vzer4LiQNmnJiNKFQ8El
    +fjywSHINW1+OJXs3M6W3vQLw03XfYt69X2kC9uhooo0/xj8++YhVL4pmI9K7uI0Y
    +IkFI2I9rsV6rb7tiKdeFW9NK9AoGp5StSwrVWvgPLwWl4ipVvZhDcRK2VsD8DqNU
    +5QwX5l+wnFlR77XIi7c73UwbEictp7ZGwpDDVT7EBJRhruaybRoIGKHX4etJXPGz
    +J2L/YQII4H44e7L00qTvfpxNHcdaqqIdZ/Rn3hKqoQBa1lZJf3WjDq70lq26aJwC
    +h34COSjbwKM/HwKCAQEA0pWEU54DE4ybznDxUZsLgD1xPYpqMTKO6yAJijwMobFv
    +Py9nc25vK0u6RT1It7eIse7TilpUZPB9PDV3sL+kgH5mW1OpvvfMtmncAM68KM7R
    +XXBCcpCp0ke1DBNZtNLXFR8OSoJ2Vd2+XbeF7+uRHW4UCHtZttWPke8rokVCFXGN
    +JgM6ubF7QPNcZ/gSclhZORP5e4QR1tFppA3dN/ehLaU7Md45oqYRE9y5oONEdnQA
    +9b5t1vMqL3TgIHuD6m1nlITmmWSQIWm7BObAz1WmBpyluz8kVeLj8yu+My6VnxNl
    +0P1yEVck9mMlNqzgA6i0ilcPMJoU0M+2Fzr72yFKYwKCAQAPro2FYmuDVektWguM
    +tLBA62Fxq1523oi1XVkqsxYhnvzxGEKHqlaEUHoTQYYssmigL0HenrvtfVHhwpGr
    +sr6M83y7gk9AIjQo7LCl5ciDW3PBNx1oEYOAb1cyBP4oBDyvqz+744E+agFOv9MB
    +fy7Pmhg5NnWO5flP9GXgXDYjzTC9fU+BtrkypSPMmtZa16m6v/c/9y87Pnkhw3Sa
    +yKtPMEB6xvO5cfqgLSSTkZPcVwaL8WYgWfd/x9Pk/ZrN2PXrgIpsWriHjYDiuDtP
    +grN6d9CyO0423OmpER80Ku/f+pmAgGlZqSns0DWIzvUN7BhCQ8CYui81obwFQ8vv
    +lppFAoIBAD5UbxRo4rQ4nC1glKz43VCZ3xi+DWx+cHr7wpcd6wc5A5qKJ26tM053
    +Xaz81Lc8JcO00vxSfERcQlU95i10q/Y0c4t4mfeiVP9xGeNLTboubR3hCmnqk7lf
    +7CCk4Zp6BZuE07AOKYSE28HVflljOlKhsGBKUmWhlJs3VYz0Pvkl4QdtUUaBV+AD
    +qEhFzv/1UoNofCGpF7ajyUb7q4zTSOu/ymOaSSjxSoC8hl0up6b/8wDJ2q0S0Fu3
    +lldG9+a9dzkolTC16UtahjaPLmawDTJLz2o66EBbpejl+6gek76/+RUAz3B+gLxE
    +4FDsnmm216lS13YlRSABOv5pQP69Pc0CggEBAI8eT3npJUQX31Gej0KvN4h0Sq0t
    +eYtLF5+uEoDr+DTD0MHv6Cta0QpBKzvOljDtxqNTu8oiNkkhch4daXMOD/qfdk9y
    +C+befW1llA6ni6qNF5SlJWVZoyJgasAotzdK7bAIHmJ2BVc1NH5RWYipEWrcfwGA
    +JSpC9D6V5wxP0GQa3hl0X7w/2pFNfv7jZ3VeYP91xbn01r4hUdyR2ryOBd817t/N
    +aLB3RLkJazg7EKadnM5elAwFZ7PKWjnAyIYH6BoUbs3YonySFPpp9Z5SxidrRpb+
    +Zb7jkiz4m88ol7ezdWZyHhVMZqy4bWMCI4moTDcpqJuox6JTQiO2Ajj2pFU=
    +-----END RSA PRIVATE KEY-----
    +
    +
    +
    +
    +
    +
    +
    3.1.2.2. Legacy (Encrypted)
    +
    +
    3.1.2.2.1. Structure
    +
    +

    Legacy private keys are encoded in standard RSA PEM format (RFC 7468 § 11, APPENDIX-A).

    -

    TODO -===== v1

    +

    The Proc-Type field is defined in RFC 1421 § 4.6.1.1.
    +The DEK-Info field is defined in RFC 1421 § 4.6.1.3.

    +
    +
    +
    +
    3.1.2.2.2. Example
    +
    +

    The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is testpassword.

    +
    +
    +

    As shown by the header’s fields, it is encrypted using AES128-CBC with the IV of 822FAE7B2F5921CBD9143EDE93B22DFA.

    +
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +51
    +52
    +53
    +54
    +
    -----BEGIN RSA PRIVATE KEY-----
    +Proc-Type: 4,ENCRYPTED
    +DEK-Info: AES-128-CBC,822FAE7B2F5921CBD9143EDE93B22DFA
    +
    +2vAiqYbBxVV+2LszZQ4ybpMIopqtL+mT6PZ/DNJWD9t7wUUynXS6fMBA45CRrsRI
    +VTtb1m+ZBo80WaY7PvbYUuX7BS4lWoJ9VFRwtVVPgN4CBOP8ILgQFvywY+yKZW/j
    +IB9m29XHN4GVxMZctsgUXfiff49juI4P0uVTRxwJ44HtqBFIYyRtQhhK4pcC7KlD
    +J4X7Fl4J6KRWXBktmZGy6wTLXcfekMwUAbgPuvswhsovjXbTjh0eJVMQbqyFg4N/
    +hKEkeOznyVuZbAFnNB5johN/HlpoifGcmNh169FsZzuwMuDUOg//JmH2HgwYLCpy
    +JQgnsd6AqtlbZkTsoI4Mky0+a8A5y9iMl6Qw1AESt1ISb2k+iKtqXq0EkSzheB6a
    +aMtcSp7iIP5SKoV81Hl0L9Mnr8Ni/4HDNKLxi7msixN2v69ctB/m45bL3PMErVcm
    +7knY6Ps8jha/zGKVEQlEkCa7S/P5snb/MyMualc3PN/sAvWfcxLUi97pPU0HUZCX
    +RS1HR2Fc+FqfMAX+B+Zfr/cmlTSirrPQr387CDospv6UyzGgf6O5ZmGTp47T91mc
    +i/4GRHFUQ39nM9sD79fofk3Gdo/manhL1mFvti8Vy2jRXbwXuWhZNTy9J+gRkjR2
    +X1NfRDaZlWfcDgUplqqZEbPFElRL8w00PTA4ZOWAt1a5jtQaNXh7JvnlC3oWDSW7
    +RgAyAfvvUjigslfobMmMAbQt6gPcCHjnGMst11Xqcvw0c/+8sXVb5LOzAupOlb9B
    +lhPvgAuhr0k5azseCD0Y1uyahh5rcIcaN08KaLI1t/nWUYwvSfGx1ej14q1F/Y+Q
    +eDmS1695jWngX+FF1GdDzPRWYQhjeBl4V1dV+aTxLamWS8Oz4jk0pkzTwdl1yKDB
    +I60t6uhFpummMbKIqvFtOkpqdLjGXZ8bSVbgHu7uPyycJ+PZCgpn/fYxqJNvIhsO
    +x4QzKz1p6cFg0hxYKAcKqgIZUbmEu0MRr/VHDaR5K8AlSlVNz8ur62O4YEOslUFC
    +Tv8d0LBd80OyrhpoJhK7fplVbFx2jkmVkLSjbwTPWz7HxLO3u/fQ1+higQHbAGqg
    +75i4gpQVUDQE4KwPXjsjwhU1jrYyk2snnwmRa6yfYd61CI1lGJOycgm1tS90NNKA
    +/sZmBG2u/t+UFDX+cBIkdA6B4CwRaPmvo27jv1Mk3u4N/zp+FR9IUxCnc8Z3Fo7F
    +IKZAAEhtZniXG0t82aIXHdw7bQtH9eZsP/Il9ozaNW5Oky51AH/SCZT24vnOyc/U
    +RQPP8g+59bjeriG/QAZ/Ezv6TilW06i/0xOo9i8ZyJdtPLuQ9q9ijNydCCqB/yE/
    +Q/VTYQxHV1GBmpb89p//VpeqKmyTFISGK3r+nTHelVLgy8zDLWSSRkDQEu2n+7ou
    +RwRli6ZrqsMBqhsBPcD/SzerRaq3AkstQ21C1fDpnBoXdRzx52wQcd3mKmspRLgc
    +w/V2zaJqzjKaqfqNaT3xBTns0BGUBMCzaE+YtSHe2+NiHnxioU8H2wQz0CM2rjJE
    +LBjfw4raTwrOSOufo7JqjMr5JrUeTy8Gqv1Wq8YrqmsPPrXmhhasxYrV/aqN96/m
    +UZgWVjD0G3NOHDcQ+yPQrjodPEbokeLb1y+Hw8os53sirWwKkUnPKK1tpZtsmCjR
    +wJTcaZVhGVdgWvxZnBGGvkDdxJBGisFc+IgnEWjgVxLiHkeXoyskgdB9zwYzNgJl
    +B0NuxgGnLpcNpTz11tPAvpJYHIFTgW/cjMfGh47hfJxCAyEa4qdlwk6YbvUHDEml
    +qzFMP70LbS18ck6SiP1ITVgxznT4CwuWXUdXTI1T1F9AY9u0Y5NPlB5SN7e/1Pq4
    +1sf9NhUjgIVrxXoILUXDVreEcZj8B2zQOS4HcbQnQlUZuIbVKgot7UnHtTmALEu7
    +YIYqKKr0GZCBpNi+qkBQd0RFsMNV6241X+BIwnHSIKBJ08PJ4O6H0RxK6KSshZV3
    +bZGJcDrARHd/VbEmUE3pJbbesgwrOBvY9mh1iGHfYyoCabagdgEbXAqgAGKihvQ7
    +l4J28BI4rbCU23U5BtBEGhHwhFC9tvkwx8/ImbzIwKqRXRN1fJys0ReYONWkOv7J
    +OBU3kvjhKUivcbAG6guz6hwP9I+450dE2Q4V54LabeQSZ3rfBk+SCXR6w6aX5us9
    +ydLVqtUxvhyqP5/61seNWwDmvdB8A9DFKHuxPqhVKxhumfoe0T+zkOUmuVRLafIv
    +AGCxIVQBm1DEnuG/c6cMlgzw9qITrMgJAzqpyQDBslAxfa45+ViPHYFIpPhd+iGg
    +aaj6q9Clkl3tLoZvZ1D827zMfpq1Kaog9VsxQSiaAmpC5e/N+QaPunPIZTyDtaPj
    +5H7uCm27yHGG5z8yehmlDcPc2I1TjN24Dfzxi6AaiEZ/BAaUv8pTs3r4n2BAtzPm
    +u0zE1vw5UsZ59QmsHRgBO6z8IYA+HhNt+sd0krYfuJ1MUiSH03uhYAiGFoqHngAN
    +7w18EcsJPFUL1NTMy4dK6SaZFxIvPItbzf49Bwc03ruUt7Zy95Odz7UsjyD4msSE
    +q8/DAtzFPgztBlNieUH4N0w5Qu4x3hSx3/xgp9e+7njQo7mE+yySh7NPV27HaFKz
    +htsnuMaOzVMis9WLOq6egrsEaJ6BM3WRSPBa8ZjHdWYeVQ6WFLs2v7wX/j19Q9GZ
    +bdWkI1wBHcyz4MLUeJESFt3uqrHeNTLm5BWaGCeqtHeeHhoAquAJdjceLcDW7Le4
    +tkQj3FxLFUCKlZt9H/gyDKwDhHShONFDWPbItKHrHlmSftsOiWNt7X9r9MEaxyWh
    +KIJcTV2JsrhDHcNHUDniSi0qYhVsAkLSng6xxy/A4bQIz0Jhp42+Sk0aJVj+DaBa
    +5K0ctJ1f/YoQv7SjOJAMEvoGLCVPFLFbWQpDhtvfpgB7g9/qpJKL5/ixDDgfRf58
    +NN9CdVs/JPpuZiSmR86gAgHrDblaBcIOtUoKBPfZweiJKowN2li934JZRs2xuamv
    +HQEqEb9jJPj+eDv9FlCgCzBTdkiaLuuqU9agB6Ji8NMFDedj7rErkCUZ8tE9wqfY
    +ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L
    +-----END RSA PRIVATE KEY-----
    +
    +
    +
    +
    +

    See the plaintext example for the decrypted (non-password-protected) version of this key.

    +
    +
    +
    +
    +
    3.1.2.3. v1 (Plain)
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    Since plaintext/unencrypted keys do not have a cipher or KDF (as there’s no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).

    +
    +
    +
    +
    +
    3.1.2.3.1. Structure
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +
    0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
    +1.0 uint32 allocator for 1.0.0 (4 bytes)
    +	1.0.0 cipher name string (ASCII bytes)
    +2.0 uint32 allocator for 2.0.0 (4 bytes)
    +	2.0.0 KDF name string (ASCII bytes)
    +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure)
    +4.0 uint32 counter for # of keys (4 bytes)
    +	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
    +		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
    +			4.0.0.0.0 public key #n keytype string (ASCII bytes)
    +		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
    +			4.0.0.1.0 public exponent ('e')
    +		4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes)
    +			4.0.0.2.0 modulus ('n')
    +    4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes)
    +        4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes)
    +        4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes)
    +        4.0.1.2 copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes)
    +            4.0.1.2.0 copy of 4.0.0.0.0 (ASCII bytes)
    +        4.0.1.3 copy of 4.0.0.2; allocator for 4.0.1.3.0 (4 bytes)
    +            4.0.1.3.0 copy of 4.0.0.2.0 (bytes)
    +        4.0.1.4 copy of 4.0.0.1; allocator for 4.0.1.4.0 (4 bytes)
    +            4.0.1.4.0 copy of 4.0.0.1.0 (bytes)
    +        4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes)
    +            4.0.1.5.0 private exponent ('d')
    +        4.0.1.6 uint32 allocator for 4.0.1.6.0 (4 bytes)
    +            4.0.1.6.0 CRT helper value ('q^(-1) % p')
    +        4.0.1.7 uint32 allocator for 4.0.1.7.0 (4 bytes)
    +            4.0.1.7.0 prime #1 ('p')
    +        4.0.1.8 uint32 allocator for 4.0.1.8.0 (4 bytes)
    +            4.0.1.8.0 prime #2 ('q')
    +        4.0.1.9 uint32 allocator for 4.0.1.9.0 (4 bytes)
    +            4.0.1.9.0 comment for key #n string (ASCII bytes)
    +        4.0.1.10 sequential padding
    +
    +
    +
    +
    + + + + + +
    +
    Note
    +
    +
    +

    Chunk 3.0.0 to 3.0.1: These blocks are not present in unencrypted keys (see the encrypted key structure for what these look like). 3.0 reflects this, as it’s always going to be 00000000 (0).

    +
    +
    +

    Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

    +
    +
    +

    Chunk 4.0.0.1.0, 4.0.0.2.0, 4.0.1.3.0, 4.0.1.4.0: Note that the ordering of e/n in 4.0.0 is changed to n/e in 4.0.1.

    +
    +
    +

    Chunk 4.0.1.10: The padding used aligns the private key (4.0.1.0 to 4.0.1.9.0) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.

    +
    +
    +
    +
    +
    +
    3.1.2.3.2. Example
    +
    +

    The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

    +
    +
    +
    id_rsa Format
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +
    -----BEGIN OPENSSH PRIVATE KEY-----
    +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
    +NhAAAAAwEAAQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZPzCyuf3Ur8swDJGPKnfW
    +RBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/t0LHoZaGb9MYSs6Wdhrd
    +oPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdTp4JaiblSdfnAJeIVNDxs
    +iM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J58aeCQNuKu9psUHFMljZl
    +CnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2OkKzFyfuk1udnUH+6ufOn
    +9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8D00jNn/HcDdBZ7fwkm+2
    +/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ/NjK0FqsKusj2/GaN+SA
    +oAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs8yloZc1mQ8iSTVZuv0lx
    +gJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEho/B0WqTQWGMxczJXhVpc
    +7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuNrOB+cbOPPzWVQz9psZjw
    +cAAAdQU4NHElODRxIAAAAHc3NoLXJzYQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZ
    +PzCyuf3Ur8swDJGPKnfWRBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/
    +t0LHoZaGb9MYSs6WdhrdoPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdT
    +p4JaiblSdfnAJeIVNDxsiM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J5
    +8aeCQNuKu9psUHFMljZlCnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2O
    +kKzFyfuk1udnUH+6ufOn9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8
    +D00jNn/HcDdBZ7fwkm+2/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ
    +/NjK0FqsKusj2/GaN+SAoAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs
    +8yloZc1mQ8iSTVZuv0lxgJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEh
    +o/B0WqTQWGMxczJXhVpc7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuN
    +rOB+cbOPPzWVQz9psZjwcAAAADAQABAAACAEmfLHBeBL/hekR20n5eHd/YwzX2OsIvdIdU
    +8CGDRA9tqT8/hkKSYWY+C939pp1ML3BdC7590xqJQb9WcuKYRKHgZwlwxvKpi3b4Wyb6/t
    +tZxJeGuN9+ruuGFx/Vef6N8OrdJTakJEoDMtWprT64NAyTBGQVPoK0/61PZHp7qAjjhURQ
    ++Aa2DgtnD8mctrWHhkl9TBmed1DuUImTTu8l9GUSOUlVxIfhB0Tr25oAlRyAlbAk1M518d
    +oxRrWzRHFp9Z4j1AaFQ4vHvK0Rc5J6OJoJA7oRGkaAnRI7NDIZfMqPwMJ4FvvyFcK3xYS5
    +TzfJ7YqOgVlC7/3PVHVyaK/lj9cAzc9qmKIJUGF7BiSqg12V4n16/N7nDDl8obaqBHNebV
    +xeAb//IXTPVi02hCYkSQ4SyoFCWV1SVnSU84shJAEsrKyyVk4hyEXrlPXW6/bzkGbh+gSz
    +GBdOb5mUgjuk2e8sKLN8s+oF+jytcgCJg5QnaDVSPk5BYFTyPbDrcyIR06EepVE5CujVjW
    +nhRmTg4g8r8MzSTSYLgyqUFE9YAep827JDbyG6LbrsvNVz8kxeDUP9JrSuZ2ThON2vR3Ws
    +AWPkVyfBACf3FsvjzHD/9zRBuyU45UJqGlY4tEinveloBB7CGE72ew2mAHApfNc97u/r0Z
    +UWEcendslW4Y5fFjohAAABAAri4c8kVaDYInLmpCu7qD63ZUluWjPhO4yUdW2MMvfXUF/Z
    +l73V7AjFm/jR1lnR3wK+xmnrtaqvXbHscM4vKms6F7ex/OOtxiA8KQXNZS12IgZd0BGuM4
    +lEZ8bco2Q5UrDK7f+bx4rEBAgHQCdWbuTEdRrT/0UqJ4Gvi1wsm/CbNO5eYgEzC0vDga92
    +Z5hmfFua0HM8GfTvR1/SZGVeAwVT8vL43lnCrudLndZyDjEIFD3+3UHPS8Ed4rmp9A+uxy
    +pSMSq+5MYVWs/uk4ShY0jHFTRuvmk4lf5tI0jU3tsKE3xIcYX/lJwgkRW5yKEGMpmR8Eno
    +Qwx7pg3VQI1yrJgAAAEBAOULZbpq5MsprmYSnD5B/+ujbNbsuqcEX/kM6nHQm8BWsLkTTc
    +V1TEnaH+irFpzRSe7a7M9JE9kV9PJBxf2Gx3UR4MJhw0RgCoTM546M9JPkkoRMuCxCq20S
    +RqU+XPUK1HWcKlwJ1TscXDtEkyjuoBQ01uU3s6UTko363fCnJygjiZuNeVIgyzNEq40OhG
    +4eQP/ftccZJiwrUnqJClH6q88QkEaZE197mXSH9LSNRJCtgPwls0b6C7WH8JKVvw9xrBCo
    +CGhn1LrQCgwnpkVvCODCv4yu2HaPA2aiRAQoGAopJhevYf6rq5pwdbi8ISCaVDm7/jYTkX
    +Bx/udKjV2A/pkAAAEBAM1wd2WfrZgxBLzH3FJiQrnqUs6kDpI993GsKijjd/K5IxpYwkSM
    +a40X/oNXHva9u8EfPUq0JU6oWWhLh3KRH5xvNVR5BT4+PTpuzOE6AWkIKYyj+LYo0hEXSa
    +NidijrBYRPVGeVpQZ9ObHTBOGcxvwb4AphZOoz5Ku8h/VoMicdglyGjFzNo3dbA3cR6ZQ2
    ++WxT83gLmFCE4dhKRYxoerCTigm/b5s//sQe0C/VsnVyx9GAA55AWlWbYvwI+ASxnwQ9uk
    +xvdWWxxydZ9Lky1Pk9T0HakbGxRvKYVKEAg0HkdgvdSYcJfsSmVRq5bgmaBKONaok7Uz2x
    +hau1VzZBnp8AAAAYVGhpcyBpcyBhIGNvbW1lbnQgc3RyaW5nAQID
    +-----END OPENSSH PRIVATE KEY-----
    +
    +
    +
    +
    +
    Structure Reference (Hex) (Decoded Base64)
    +
    +
      1
    +  2
    +  3
    +  4
    +  5
    +  6
    +  7
    +  8
    +  9
    + 10
    + 11
    + 12
    + 13
    + 14
    + 15
    + 16
    + 17
    + 18
    + 19
    + 20
    + 21
    + 22
    + 23
    + 24
    + 25
    + 26
    + 27
    + 28
    + 29
    + 30
    + 31
    + 32
    + 33
    + 34
    + 35
    + 36
    + 37
    + 38
    + 39
    + 40
    + 41
    + 42
    + 43
    + 44
    + 45
    + 46
    + 47
    + 48
    + 49
    + 50
    + 51
    + 52
    + 53
    + 54
    + 55
    + 56
    + 57
    + 58
    + 59
    + 60
    + 61
    + 62
    + 63
    + 64
    + 65
    + 66
    + 67
    + 68
    + 69
    + 70
    + 71
    + 72
    + 73
    + 74
    + 75
    + 76
    + 77
    + 78
    + 79
    + 80
    + 81
    + 82
    + 83
    + 84
    + 85
    + 86
    + 87
    + 88
    + 89
    + 90
    + 91
    + 92
    + 93
    + 94
    + 95
    + 96
    + 97
    + 98
    + 99
    +100
    +101
    +102
    +103
    +104
    +
    0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
    +1.0 0000000a (10)
    +    1.0.0 6165733235362d637472 ("none")
    +2.0 00000006 (6)
    +    2.0.0 626372797074 ("none")
    +3.0 00000000 (0)
    +4.0 00000001 (1)
    +    4.0.0 00000217 (535)
    +        4.0.0.0 00000007 (7)
    +            4.0.0.0.0 7373682d727361 ("ssh-rsa")
    +        4.0.0.1 00000003 (3)
    +            4.0.0.1.0 010001 (65537)
    +        4.0.0.2 00000201 (513)
    +            4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
    +                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
    +                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
    +                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
    +                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
    +                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
    +                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
    +                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
    +                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
    +                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
    +                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
    +                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
    +                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
    +                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
    +                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
    +                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
    +                      07 (bytes)
    +    4.0.1 00000750 (1872)
    +        4.0.1.0 53834712 (1401112338)
    +        4.0.1.1 53834712 (1401112338)
    +        4.0.1.2 00000007 (7)
    +            4.0.1.2.0 7373682d727361 ("ssh-rsa")
    +        4.0.1.3 00000201 (513)
    +            4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
    +                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
    +                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
    +                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
    +                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
    +                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
    +                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
    +                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
    +                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
    +                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
    +                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
    +                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
    +                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
    +                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
    +                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
    +                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
    +                      07 (bytes)
    +        4.0.1.4 00000003 (3)
    +            4.0.1.4.0 010001 (65537)
    +        4.0.1.5 00000200 (512)
    +            4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d
    +                      a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1
    +                      e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0
    +                      eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3
    +                      854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465
    +                      12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5
    +                      9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f
    +                      c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7
    +                      00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d
    +                      5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c
    +                      acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef
    +                      2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3
    +                      a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c
    +                      dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163
    +                      e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804
    +                      1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes)
    +        4.0.1.6 00000100 (256)
    +            4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7
    +                      505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b
    +                      3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952
    +                      b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b
    +                      34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305
    +                      53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7
    +                      2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a
    +                      137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 (bytes)
    +        4.0.1.7 00000101 (257)
    +            4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0
    +                      56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7
    +                      7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a
    +                      d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728
    +                      23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab
    +                      cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71
    +                      ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a
    +                      292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe
    +                      99 (bytes)
    +        4.0.1.8 00000101 (257)
    +            4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2
    +                      b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f
    +                      9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb
    +                      05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227
    +                      1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a
    +                      b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1
    +                      9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341
    +                      e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e
    +                      9f (bytes)
    +        4.0.1.9 00000018 (24)
    +            4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string")
    +        4.0.1.10 010203 ([1 2 3], 3 bytes)
    +
    +
    +
    +
    +
    +
    +
    3.1.2.4. v1 (Encrypted)
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    Currently, the only supported KDF is bcrypt_pbkdf (bcrypt).

    +
    +
    +

    See the following for more details:

    +
    + +
    +
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    You can get a list of supported ciphers (1.0.0) via ssh -Q cipher on most systems. +Note that 1.0.0 has nothing to do with SSH connections themselves; it’s only for the encryption of 4.0.1.

    +
    +
    +

    This is likely going to be:

    +
    +
    +
      +
    • +

      3des-cbc

      +
    • +
    • +

      aes128-cbc

      +
    • +
    • +

      aes192-cbc

      +
    • +
    • +

      aes256-cbc

      +
    • +
    • +

      rijndael-cbc@lysator.liu.se (may not be present on all systems)

      +
    • +
    • +

      aes128-ctr

      +
    • +
    • +

      aes192-ctr

      +
    • +
    • +

      aes256-ctr

      +
    • +
    • +

      aes128-gcm@openssh.com

      +
    • +
    • +

      aes256-gcm@openssh.com

      +
    • +
    • +

      chacha20-poly1305@openssh.com

      +
    • +
    +
    +
    +

    The author recommends using aes256-ctr. It is currently the upstream default.

    +
    +
    +
    +
    +
    3.1.2.4.1. Structure
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +
    +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
    +1.0 uint32 allocator for 1.0.0 (4 bytes)
    +	1.0.0 cipher name string (ASCII bytes)
    +2.0 uint32 allocator for 2.0.0
    +	2.0.0 KDF name string (ASCII bytes)
    +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes)
    +    3.0.0 uint32 allocator for 3.0.0.0 (4 bytes)
    +        3.0.0.0 Salt/IV (bytes)
    +    3.0.1 uint32 for number of rounds/"work factor" (4 bytes)
    +4.0 uint32 counter for # of keys (4 bytes)
    +	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
    +		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
    +			4.0.0.0.0 public key #n keytype string (ASCII bytes)
    +		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
    +			4.0.0.1.0 public exponent ('e')
    +		4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes)
    +			4.0.0.2.0 modulus ('n')
    +	4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes)
    +		4.0.1.0 <ENCRYPTED BLOB>
    +
    +
    +
    +
    + + + + + +
    +
    Note
    +
    +
    +

    Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

    +
    +
    +

    Chunk 4.0.1.0: When decrypted, this is equivalent to the plaintext 4.0.1.0 to 4.0.1.6. It uses a padded size appropriate to the encryption cipher used.

    +
    +
    +
    +
    +
    +
    3.1.2.4.2. Example
    +
    +

    The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

    +
    +
    +
    id_rsa Format
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +
    -----BEGIN OPENSSH PRIVATE KEY-----
    +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAH1LB8Cx
    +KDSJFkiACNbhMLAAAAZAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQC3zsBGAc4q
    +EvDJJMuaMOuZAGaBLLFDaRk/MLK5/dSvyzAMkY8qd9ZEEPNheufIyjGMJX08TfTixBCLu+
    +k6holLoUs1dfL3IVC8OB3L+3QsehloZv0xhKzpZ2Gt2g/CmS9shm11aZGfwi2cS/DeQFqM
    +dtUZqipTKdxoJXdyKaXQt1OnglqJuVJ1+cAl4hU0PGyIzWaQoiH4rp72de5GTcfRGNpBBQ
    +fqXWtkid1gr9imZGSS2z4nnxp4JA24q72mxQcUyWNmUKcggef6XUcsFCiwfq5dFbZOoeKn
    +UIUS/pq2VfhqMTSG08yh3Y6QrMXJ+6TW52dQf7q586f2jHSBQq8qNwHTGoqbdRGViqdxh7
    +pwLtk004WvzuQjgOleDn6bwPTSM2f8dwN0Fnt/CSb7b9ttBarRz9GRgkhFsBThgVO/DR08
    +Ox+tuyWj8dFR+baEYz2MFpD82MrQWqwq6yPb8Zo35ICgCJEDGcEW1HvZJLOZQlQ7iKD2En
    +lSstjhKQ8wKfVCrr6cDI42zzKWhlzWZDyJJNVm6/SXGAk5mhrAlv4e3Dtfhxv17wtNRODq
    +J2INIFFC4L/PZ3tNsCVTISGj8HRapNBYYzFzMleFWlzsvjrEQD0E/wzAxYt8BJBLQCElwr
    +wqY6IOuzCcxvPmXbMBoFi42s4H5xs48/NZVDP2mxmPBwAAB1CWbizkNSQv7wl4f26Nk6Vj
    +CS4/O8mGtEGYyB6AScXJREGe/8BSFAHcHvW8Dk1q7et9BYgLw/cxaYubzuzq4I5eBfefTS
    +LelTyJnDJxhQ6A6AT5saebzsMbuhHAjbYPm9Iga8PXv+90iV5PTjcgZJ+SRUT0os6lud+5
    +zAor2PO6cPS6Ln9ClgRlyereEYYw+cgy/oTvVIUpl50NbqB5+dXEDjlrCY/FCUSNJt48tI
    +SwM0r6yro3G1LDfBIKViMXDB0KOTSKFRyfuKqxBJ9SzwwIx3FErzFCWakISPPcYuWDH6wI
    +cgscgTUG8dseeUDe9S3EbJfWNjzaD/fiJY4mN9LgnyYJm7/qx4gZGYt4N00kJFN/5Umiqz
    +3dr19/23OcOSEGSwT2/8/rVUTbUzF5A44R0MxiKZK8bQYAWE1AaKKJHcdIycFr4ywqCOls
    +qi3exN3Roqs7AYoLDxZqFayHCjDIDMiX2/Fa9+jCkVs2FvI3pmRuQ8Zl91aaXtGFCtjNBU
    +AG04lWjbVTk+eA51Ks6PBrcPHpnYa5RF2cGnpkdry/SEQApY5aWnPSwg1jCpmFu/TGkau2
    +HuRRWqZKcn57rEpe17tfdnx9zwA1kEIxKD2SRFhjcCqZXnkr3h1ax91iSJh7n+SwpvGDfO
    +T7qgMv9Gcahr6Mfk+b43GCEurQpvG0KYiGO/gK8XqYFPH/vtbIHn9Z3luMcbn1cfxVbMVq
    +7iK+G1fUj4ynajeYR8Z9DOtD6tEBNV5UGlfCVK6BTwWKA2GS9J2WI2yIQo5fVNr+/RpbjK
    +Ethc84M9ONgWxuDiBRQ/M+NTxHGryXjSjRrImnJNWqs+fEgBXFzTpvMcJYzvExJXTmksbk
    +laKo777nhan+HHJzeeof3FtJKoOkr/ezlFrvUDqV3FKyFHQXK7VAVLEGNC8r3mvDitFmwa
    +XG2IaFuAZ/UpdBs2mRNS1d8Skbnjx0anHivaeW/d2sKdDi8/rf0fD9M9p1vGFR0+4n9hme
    +dsO56HL7Y7VK14sPvivoTxDX5IM5xuYzZFBwdK3cWivYxL5YSMKRvbJ0DTqjJcNQOWzijg
    +hu7N1iVvSPt5R7hOhXWbHH5t2RIj4/go5CU6fsbZh61hvSF5wimiDo2X5hWMsL5zQidpi0
    +aVx4TEY8rD6n1TgFbVBiqJX4rmRUm9WEhKYDY6uBvEPm/eDuEkdwUbU8lw8GPfLw/y/WVb
    +f4ECm+VFzIQfcyHTEwTuuiEP34/a1+G8iszU2ZDAWLMIF+heLFaVq5LB4SmsdHHzOP3TlO
    +3hYHFFDBkGHgfBNcvofwEmCzYgbLwWnIW53aJvs9/159aP1RpXNALbzB3H9JocucNBALmz
    +0LuLhjnGnH1HSQq4PIkYrQOuYu7kMWXkUvhU2NQTIYbCH3Qu5KPMYUUVrcfAiUCDhThQP1
    +xNV4HphMrZPPeo0Xpo1nizRmr7rjYgVdW27bAAe1kjHTBA2/7IuXgrOcOREW8gN+IYv6uk
    +bFLFYYCu7yQdkY8hSwtkgLc4KHWtnazkSWw2guoqaXtf5DsQfZPhl2slQNv9oq4iO8GoTW
    +Xg1nAlE7jMRCol+5g6rfpJLQnj39mR+fR0cLtzNp9jTdUNqybRKcO6CWrXlxHw7kQZwSJu
    +uNpCZ0ss936PSj92zp6eJJtNH8x3jvMY29Z3hVbA+YeOvm6DJJFteCgPI/fjkhsptCu6bK
    +LXgDmcpO08stA2yb7YCyNYCRmEIhNeLYQsj1Ok3Vn+C+2InUeEAWQCSx9mjMVml41DHrKg
    +eiDtBuV1VR4bAw2xNQ6UySmgKKXcJTQONDTyJQ4/Sd4XG7hQh10oAFDklVRLpxtx6jbCk3
    +rWWT4rW8oovDjlnOqR8mzRyoqkvZ+8HGBa5Grj9Vmzpuv4n/Vp/zZcPLpLS5H2Zf/aOXGI
    +/iPqRWyALEeoBihE1AT6tBoPqD/Q3Wbk21ERXwJhl/TImhvygka6mWbKKXOw86+kMVSJal
    +a/4hU9+qo8zSqwEbf5FHDL3ASvfP4XA95wQPTXd3sGh2nUA1N3zHZk9Aa11pNWqjMEXEM0
    +oeLOYC6isexmY1LRS1mW2tRRpMuIbGYUPcJfjxvPDtJT/ryXM0MuraNaavyYJ0n6DsaAqI
    +HbBhceo3+oM4HskKavovJp2doHyPMCFh4myaTCHCVgztgRvfa+QC02ri8R+IQ1EkHneaIv
    +i2mo4+6qZ25xUBQ6ZrOpLU2s6fT5th4/fgqnZWyBjs+1MwNFfVHnTn7InPA4yac/ODQ4Po
    +ItL1DDp3daoOY7EnohTbdJDkiPfukXgqkN4y9KsiYBr3sZD8xqKS5C4vi2nKrOmUsSfp+R
    +UyttjDt84I+ZHSaSILzu7X1OYVFSPmPkG80nFU/Tp/c3DASxJYcVQT7F8X9RuqmejlzVms
    +evF9rs0OiSYAJAOrh6Qi5CKm+xGGtbt9sl+v/trSR/10GyRhqjuWEjQhQq8Q3s7+AMALN6
    +ZnrXZl+8QIW1MSvaaQFmJFqTs=
    +-----END OPENSSH PRIVATE KEY-----
    +
    +
    +
    +
    +
    Structure Reference (Hex) (Decoded Base64)
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +51
    +52
    +53
    +54
    +55
    +56
    +57
    +58
    +59
    +60
    +61
    +62
    +63
    +64
    +65
    +66
    +67
    +68
    +69
    +70
    +71
    +72
    +73
    +74
    +75
    +76
    +77
    +78
    +79
    +80
    +81
    +82
    +83
    +84
    +85
    +86
    +87
    +88
    +89
    +90
    +91
    +92
    +93
    +
    0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
    +1.0 0000000a (10)
    +    1.0.0 6165733235362d637472 ("aes256-ctr")
    +2.0 00000006 (6)
    +    2.0.0 626372797074 ("bcrypt")
    +3.0 00000018 (24)
    +    3.0.0 00000010 (16)
    +        3.0.0.0 07d4b07c0b128348916488008d6e130b (bytes)
    +    3.0.1 00000064 (100)
    +4.0 00000001 (1)
    +    4.0.0 00000217 (535)
    +        4.0.0.0 00000007 (7)
    +            4.0.0.0.0 7373682d727361 ("ssh-rsa")
    +        4.0.0.1 00000003 (3)
    +            4.0.0.1.0 010001 (65537)
    +        4.0.0.2 00000201 (513)
    +            4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
    +                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
    +                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
    +                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
    +                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
    +                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
    +                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
    +                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
    +                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
    +                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
    +                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
    +                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
    +                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
    +                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
    +                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
    +                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
    +                      07 (bytes)
    +    4.0.1 00000750 (1872)
    +        4.0.1.0 966e2ce435242fef09787f6e8d93a563092e3f3bc986b44198c81e8049c5c944
    +                419effc0521401dc1ef5bc0e4d6aedeb7d05880bc3f731698b9bceeceae08e5e
    +                05f79f4d22de953c899c3271850e80e804f9b1a79bcec31bba11c08db60f9bd2
    +                206bc3d7bfef74895e4f4e3720649f924544f4a2cea5b9dfb9cc0a2bd8f3ba70
    +                f4ba2e7f42960465c9eade118630f9c832fe84ef548529979d0d6ea079f9d5c4
    +                0e396b098fc509448d26de3cb484b0334afacaba371b52c37c120a5623170c1d
    +                0a39348a151c9fb8aab1049f52cf0c08c77144af314259a90848f3dc62e5831f
    +                ac08720b1c813506f1db1e7940def52dc46c97d6363cda0ff7e2258e2637d2e0
    +                9f26099bbfeac78819198b78374d2424537fe549a2ab3dddaf5f7fdb739c3921
    +                064b04f6ffcfeb5544db533179038e11d0cc622992bc6d0600584d4068a2891d
    +                c748c9c16be32c2a08e96caa2ddec4ddd1a2ab3b018a0b0f166a15ac870a30c8
    +                0cc897dbf15af7e8c2915b3616f237a6646e43c665f7569a5ed1850ad8cd0540
    +                06d389568db55393e780e752ace8f06b70f1e99d86b9445d9c1a7a6476bcbf48
    +                4400a58e5a5a73d2c20d630a9985bbf4c691abb61ee4515aa64a727e7bac4a5e
    +                d7bb5f767c7dcf0035904231283d92445863702a995e792bde1d5ac7dd624898
    +                7b9fe4b0a6f1837ce4fbaa032ff4671a86be8c7e4f9be3718212ead0a6f1b429
    +                88863bf80af17a9814f1ffbed6c81e7f59de5b8c71b9f571fc556cc56aee22be
    +                1b57d48f8ca76a379847c67d0ceb43ead101355e541a57c254ae814f058a0361
    +                92f49d96236c88428e5f54dafefd1a5b8ca12d85cf3833d38d816c6e0e205143
    +                f33e353c471abc978d28d1ac89a724d5aab3e7c48015c5cd3a6f31c258cef131
    +                2574e692c6e495a2a8efbee785a9fe1c727379ea1fdc5b492a83a4aff7b3945a
    +                ef503a95dc52b21474172bb54054b106342f2bde6bc38ad166c1a5c6d88685b8
    +                067f529741b36991352d5df1291b9e3c746a71e2bda796fdddac29d0e2f3fadf
    +                d1f0fd33da75bc6151d3ee27f6199e76c3b9e872fb63b54ad78b0fbe2be84f10
    +                d7e48339c6e63364507074addc5a2bd8c4be5848c291bdb2740d3aa325c35039
    +                6ce28e086eecdd6256f48fb7947b84e85759b1c7e6dd91223e3f828e4253a7ec
    +                6d987ad61bd2179c229a20e8d97e6158cb0be734227698b4695c784c463cac3e
    +                a7d538056d5062a895f8ae64549bd58484a60363ab81bc43e6fde0ee12477051
    +                b53c970f063df2f0ff2fd655b7f81029be545cc841f7321d31304eeba210fdf8
    +                fdad7e1bc8accd4d990c058b30817e85e2c5695ab92c1e129ac7471f338fdd39
    +                4ede16071450c19061e07c135cbe87f01260b36206cbc169c85b9dda26fb3dff
    +                5e7d68fd51a573402dbcc1dc7f49a1cb9c34100b9b3d0bb8b8639c69c7d47490
    +                ab83c8918ad03ae62eee43165e452f854d8d4132186c21f742ee4a3cc614515a
    +                dc7c08940838538503f5c4d5781e984cad93cf7a8d17a68d678b3466afbae362
    +                055d5b6edb0007b59231d3040dbfec8b9782b39c391116f2037e218bfaba46c5
    +                2c56180aeef241d918f214b0b6480b7382875ad9dace4496c3682ea2a697b5fe
    +                43b107d93e1976b2540dbfda2ae223bc1a84d65e0d6702513b8cc442a25fb983
    +                aadfa492d09e3dfd991f9f47470bb73369f634dd50dab26d129c3ba096ad7971
    +                1f0ee4419c1226eb8da42674b2cf77e8f4a3f76ce9e9e249b4d1fcc778ef318d
    +                bd6778556c0f9878ebe6e8324916d78280f23f7e3921b29b42bba6ca2d780399
    +                ca4ed3cb2d036c9bed80b235809198422135e2d842c8f53a4dd59fe0bed889d4
    +                7840164024b1f668cc566978d431eb2a07a20ed06e575551e1b030db1350e94c
    +                929a028a5dc25340e3434f2250e3f49de171bb850875d280050e495544ba71b7
    +                1ea36c2937ad6593e2b5bca28bc38e59cea91f26cd1ca8aa4bd9fbc1c605ae46
    +                ae3f559b3a6ebf89ff569ff365c3cba4b4b91f665ffda397188fe23ea456c802
    +                c47a8062844d404fab41a0fa83fd0dd66e4db51115f026197f4c89a1bf28246b
    +                a9966ca2973b0f3afa43154896a56bfe2153dfaaa3ccd2ab011b7f91470cbdc0
    +                4af7cfe1703de7040f4d7777b068769d4035377cc7664f406b5d69356aa33045
    +                c4334a1e2ce602ea2b1ec666352d14b5996dad451a4cb886c66143dc25f8f1bc
    +                f0ed253febc9733432eada35a6afc982749fa0ec680a881db06171ea37fa8338
    +                1ec90a6afa2f269d9da07c8f302161e26c9a4c21c2560ced811bdf6be402d36a
    +                e2f11f884351241e779a22f8b69a8e3eeaa676e7150143a66b3a92d4dace9f4f
    +                9b61e3f7e0aa7656c818ecfb53303457d51e74e7ec89cf038c9a73f3834383e8
    +                22d2f50c3a7775aa0e63b127a214db7490e488f7ee91782a90de32f4ab22601a
    +                f7b190fcc6a292e42e2f8b69caace994b127e9f91532b6d8c3b7ce08f991d269
    +                220bceeed7d4e6151523e63e41bcd27154fd3a7f7370c04b1258715413ec5f17
    +                f51baa99e8e5cd59ac7af17daecd0e8926002403ab87a422e422a6fb1186b5bb
    +                7db25faffedad247fd741b2461aa3b9612342142af10decefe00c00b37a667ad
    +                7665fbc4085b5312bda690166245a93b (AES256-CTR encrypted block) (bytes)
    +
    +
    +
    +
    + + + + + +
    +
    Note
    +
    +
    +

    The decrypted 4.0.1.0 should match the plaintext key’s structure for 4.0.1.0 through 4.0.1.10. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.

    +
    +
    +
    +
    +

    When 4.0.1.0 is decrypted, it yields:

    +
    +
    +
    Decrypted 4.0.1.0
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +51
    +52
    +53
    +54
    +55
    +56
    +57
    +58
    +59
    +60
    +61
    +62
    +63
    +64
    +65
    +66
    +67
    +68
    +69
    +70
    +71
    +72
    +73
    +
    4.0.1.0 0d98bd61 (228113761)
    +4.0.1.1 0d98bd61 (228113761)
    +4.0.1.2 00000007 (7)
    +    4.0.1.2.0 7373682d727361 ("ssh-rsa")
    +4.0.1.3 00000201 (513)
    +    4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
    +              cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
    +              4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
    +              2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
    +              b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
    +              d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
    +              0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
    +              55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
    +              2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
    +              f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
    +              0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
    +              37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
    +              f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
    +              dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
    +              5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
    +              bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
    +              07 (bytes)
    +4.0.1.4 00000003 (3)
    +    4.0.1.4.0 010001 (65537)
    +4.0.1.5 00000200 (512)
    +    4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d
    +              a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1
    +              e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0
    +              eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3
    +              854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465
    +              12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5
    +              9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f
    +              c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7
    +              00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d
    +              5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c
    +              acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef
    +              2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3
    +              a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c
    +              dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163
    +              e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804
    +              1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes)
    +4.0.1.6 00000100 (256)
    +    4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7
    +              505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b
    +              3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952
    +              b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b
    +              34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305
    +              53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7
    +              2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a
    +              137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98
    +4.0.1.7 00000101 (257)
    +    4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0
    +              56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7
    +              7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a
    +              d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728
    +              23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab
    +              cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71
    +              ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a
    +              292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe
    +              99
    +4.0.1.8 00000101 (257)
    +    4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2
    +              b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f
    +              9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb
    +              05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227
    +              1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a
    +              b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1
    +              9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341
    +              e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e
    +              9f (bytes)
    +4.0.1.9 00000018 (24)
    +    4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string")
    +4.0.1.10 010203 ([1 2 3], 3 bytes)
    +
    +
    +
    +
    +

    See the plaintext structure for details.

    +

    3.2. ED25519

    - +
    +

    ED25519[4] is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including:

    +
    +
    +
      +
    • +

      fixed key sizes, so fixed pubkey sizes

      +
      +
        +
      • +

        and significantly shorter pubkeys, yet-

        +
      • +
      +
      +
    • +
    • +

      strength comparable to RSA4096, but-

      +
      +
        +
      • +

        much faster

        +
      • +
      +
      +
    • +
    • +

      public domain and developed by independent researchers; not tied to specific corporation (i.e. nothing like RSA)

      +
    • +
    +
    +
    +

    I recommend it over all other key types for new SSH keys as long as it’s supported by clients/servers.

    +
    +
    +

    3.2.1. Public

    +
    +
    3.2.1.1. Structure
    +
    +

    Public keys are stored in the following structure:

    +
    +
    +
    Key Structure
    +
    +
    1
    +2
    +3
    +4
    +
    0.0 uint32 allocator for 0.0.0 (4 bytes)
    +	0.0.0 Public key key type string (ASCII bytes)
    +1.0 uint32 allocator for 1.0.0 (4 bytes)
    +	1.0.0 Public key payload (bytes)
    +
    +
    +
    +
    +
    +
    3.2.1.2. Example
    +
    +
    id_ed25519.pub Format
    +
    +
    1
    +
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQ4i8lzaE3WaFcTESK/8hLJg7umsWLE6XzRH3PDnZew This is a test key
    +
    +
    +
    +
    +
    Structure Reference (Hex) (Decoded Base64 component only; AAA…​nZew)
    +
    +
    1
    +2
    +3
    +4
    +
    0.0 0000000b (11)
    +	0.0.0 7373682d65643235353139 ("ssh-ed25519")
    +1.0 00000020 (32)
    +	1.0.0 44388bc973684dd66857131122bff212c983bba6b162c4e97cd11f73c39d97b0 (bytes)
    +
    +
    +
    +
    +
    +
    +

    3.2.2. Private

    +
    +
    3.2.2.1. Legacy
    +
    + + + + + +
    +
    Note
    +
    +
    +

    ED25519 has no legacy format, as it was introduced after the introduction of the new key format.

    +
    +
    +
    +
    +
    +
    3.2.2.2. v1 (Plain)
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    Since plaintext/unencrypted keys do not have a cipher or KDF (as there’s no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).

    +
    +
    +
    +
    +
    3.2.2.2.1. Structure
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +
    0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
    +1.0 uint32 allocator for 1.0.0 (4 bytes)
    +	1.0.0 cipher name string (ASCII bytes)
    +2.0 uint32 allocator for 2.0.0 (4 bytes)
    +	2.0.0 KDF name string (ASCII bytes)
    +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure)
    +4.0 uint32 counter for # of keys (4 bytes)
    +	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
    +		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
    +			4.0.0.0.0 public key #n keytype string (ASCII bytes)
    +		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
    +			4.0.0.1.0 public key #n payload (bytes)
    +	4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes)
    +        4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes)
    +        4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes)
    +        4.0.1.2 Copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes)
    +            4.0.1.2.0 Copy of 4.0.0.0.0 (ASCII bytes)
    +        4.0.1.3 Copy of 4.0.0.1; allocator for 4.0.1.3.0 (4 bytes)
    +            4.0.1.3.0 Copy of 4.0.0.1.0 (bytes)
    +        4.0.1.4 uint32 allocator for 4.0.1.4.0 (4 bytes)
    +            4.0.1.4.0 Private key #n (bytes)
    +        4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes)
    +            4.0.1.5.0 comment for key #n string (ASCII bytes)
    +        4.0.1.6 sequential padding
    +
    +
    +
    +
    + + + + + +
    +
    Note
    +
    +
    +

    Chunk 3.0.0 to 3.0.1: These blocks are not present in unencrypted keys (see the encrypted key structure for what these look like). 3.0 reflects this, as it’s always going to be 00000000 (0).

    +
    +
    +

    Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

    +
    +
    +

    Chunk 4.0.1.4.0: This is a 64-byte block for ED25519, but the second half of the private key ([32:]) is always the same as the public key.

    +
    +
    +

    Chunk 4.0.1.6: The padding used aligns the private key (4.0.1.0 to 4.0.1.5.0) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.

    +
    +
    +
    +
    +
    +
    3.2.2.2.2. Example
    +
    +
    id_ed25519 Format
    +
    +
    1
    +2
    +3
    +4
    +5
    +6
    +7
    +
    -----BEGIN OPENSSH PRIVATE KEY-----
    +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    +QyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsAAAAJjPbUqwz21K
    +sAAAAAtzc2gtZWQyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsA
    +AAAEBqSF+KwoLTOqI6+TnpcaZY4ckcamLrBF8CvtJbNZflJ0Q4i8lzaE3WaFcTESK/8hLJ
    +g7umsWLE6XzRH3PDnZewAAAAElRoaXMgaXMgYSB0ZXN0IGtleQECAw==
    +-----END OPENSSH PRIVATE KEY-----
    +
    +
    +
    +
    +
    Structure Reference (Hex) (Decoded Base64)
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +
    0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
    +1.0 00000004 (4)
    +    1.0.0 6e6f6e65 ("none")
    +2.0 00000004
    +    2.0.0 6e6f6e65 ("none")
    +3.0 00000000 (0)
    +4.0 00000001 (1)
    +    4.0.0 00000033 (51)
    +        4.0.0.0 0000000b (11)
    +            4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519")
    +        4.0.0.1 00000020 (32)
    +            4.0.0.1.0 44388bc973684dd66857131122bff212
    +                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
    +    4.0.1 00000098 (141)
    +        4.0.1.0 cf6d4ab0 (3480046256)
    +        4.0.1.1 cf6d4ab0 (3480046256)
    +        4.0.1.2 0000000b (11)
    +            4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519")
    +        4.0.1.3 00000020 (32)
    +            4.0.1.3.0 44388bc973684dd66857131122bff212
    +                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
    +        4.0.1.4 00000040 (64)
    +            4.0.1.4.0 6a485f8ac282d33aa23af939e971a658
    +                      e1c91c6a62eb045f02bed25b3597e527
    +                      44388bc973684dd66857131122bff212
    +                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
    +        4.0.1.5 00000012 (18)
    +            4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key")
    +        4.0.1.6 010203 ([1 2 3], 3 bytes)
    +
    +
    +
    +
    +
    +
    +
    3.2.2.3. v1 (Encrypted)
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    Currently, the only supported KDF is bcrypt_pbkdf (bcrypt).

    +
    +
    +

    See the following for more details:

    +
    + +
    +
    +
    + + + + + +
    +
    Tip
    +
    +
    +

    You can get a list of supported ciphers (1.0.0) via ssh -Q cipher on most systems. +Note that 1.0.0 has nothing to do with SSH connections themselves; it’s only for the encryption of 4.0.1.

    +
    +
    +

    This is likely going to be:

    +
    +
    +
      +
    • +

      3des-cbc

      +
    • +
    • +

      aes128-cbc

      +
    • +
    • +

      aes192-cbc

      +
    • +
    • +

      aes256-cbc

      +
    • +
    • +

      rijndael-cbc@lysator.liu.se (may not be present on all systems)

      +
    • +
    • +

      aes128-ctr

      +
    • +
    • +

      aes192-ctr

      +
    • +
    • +

      aes256-ctr

      +
    • +
    • +

      aes128-gcm@openssh.com

      +
    • +
    • +

      aes256-gcm@openssh.com

      +
    • +
    • +

      chacha20-poly1305@openssh.com

      +
    • +
    +
    +
    +

    The author recommends using aes256-ctr. It is currently the upstream default.

    +
    +
    +
    +
    +
    3.2.2.3.1. Structure
    +
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +
    0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
    +1.0 uint32 allocator for 1.0.0 (4 bytes)
    +	1.0.0 cipher name string (ASCII bytes)
    +2.0 uint32 allocator for 2.0.0 (4 bytes)
    +	2.0.0 KDF name string (ASCII bytes)
    +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes)
    +	3.0.0 uint32 allocator for 3.0.0.0 (4 bytes)
    +		3.0.0.0 Salt/IV (bytes)
    +	3.0.1 uint32 for number of rounds/"work factor" (4 bytes)
    +4.0 uint32 counter for # of keys (4 bytes)
    +	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
    +		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
    +			4.0.0.0.0 public key #n keytype string (ASCII bytes)
    +		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
    +			4.0.0.1.0 public key #n payload (bytes)
    +	4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes)
    +		4.0.1.0 <ENCRYPTED BLOB>
    +
    +
    +
    +
    + + + + + +
    +
    Note
    +
    +
    +

    Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

    +
    +
    +

    Chunk 4.0.1.0: When decrypted, this is equivalent to the plaintext 4.0.1.0 to 4.0.1.6. It uses a padded size appropriate to the encryption cipher used.

    +
    +
    +
    +
    +
    +
    3.2.2.3.2. Example
    +
    +

    The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

    +
    +
    +
    id_ed25519 Format
    +
    +
    1
    +2
    +3
    +4
    +5
    +6
    +7
    +8
    +
    -----BEGIN OPENSSH PRIVATE KEY-----
    +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBQEy9ykA
    +1o4KMfnXW28KW8AAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIL+iAxqlRjET5A4W
    +iWr1A8Upnq12sJy2OEb0HMTeF0D2AAAAoMSXd80NGn0323ehgUmRJ4+M6Z1XLixma5O5mG
    +dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
    +2Zkal+8/CDj4qb/UPts0AxiWSQiPbPt4lG+5FONYrGq8ZGkQcvXyeIU02dQtf0BrxQkLMN
    +8jy33YxcuTjkH6zW446IRbgWC/+EBZgRjUR8I=
    +-----END OPENSSH PRIVATE KEY-----
    +
    +
    +
    +
    +
    Structure Reference (Hex) (Decoded Base64)
    +
    +
     1
    + 2
    + 3
    + 4
    + 5
    + 6
    + 7
    + 8
    + 9
    +10
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +
    0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
    +1.0 0000000a (10)
    +	1.0.0 6165733235362d637472 ("aes256-ctr")
    +2.0 00000006 (6)
    +	2.0.0 626372797074 ("bcrypt")
    +3.0 00000018 (24)
    +	3.0.0 00000010 (16)
    +		3.0.0.0 50132f72900d68e0a31f9d75b6f0a5bc (bytes)
    +	3.0.1 00000064 (100)
    +4.0 00000001 (1)
    +	4.0.0 00000033 (51)
    +		4.0.0.0 0000000b (11)
    +			4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519")
    +		4.0.0.1 00000020 (32)
    +			4.0.0.1.0 bfa2031aa5463113e40e16896af503c5
    +					  299ead76b09cb63846f41cc4de1740f6 (bytes)
    +	4.0.1 000000a0 (160)
    +		4.0.1.0 c49777cd0d1a7d37db77a1814991278f
    +			    8ce99d572e2c666b93b99867425c60da
    +			    4652fddb8555098532b51beeee2959f9
    +			    db5cf5a0905052720c5de25f2c4dd87e
    +			    bcc7bb5ea3d7bcbeacc6b732e4c39295
    +			    d9991a97ef3f0838f8a9bfd43edb3403
    +			    189649088f6cfb78946fb914e358ac6a
    +			    bc64691072f5f2788534d9d42d7f406b
    +			    c5090b30df23cb7dd8c5cb938e41facd
    +			    6e38e8845b8160bff840598118d447c2 (AES256-CTR encrypted block) (bytes)
    Note

    The decrypted 4.0.1.0 should match the plaintext key’s structure for 4.0.1 through 4.0.1.6. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.


    When 4.0.1.0 is decrypted, it yields:

    Decrypted 4.0.1.0
    4.0.1.0 f890d89a (4170242202)
    +4.0.1.1 f890d89a (4170242202)
    +4.0.1.2 0000000b (11)
    +    4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519")
    +4.0.1.3 00000020 (32)
    +    4.0.1.3.0 bfa2031aa5463113e40e16896af503c5
    +              299ead76b09cb63846f41cc4de1740f6 (bytes)
    +4.0.1.4 00000040 (64)
    +    4.0.1.4.0 ce6e2b8d638c9d5219dff455af1a90d0
    +              a5b72694cfcedfb93bc1e1b1816dee98
    +              bfa2031aa5463113e40e16896af503c5
    +              299ead76b09cb63846f41cc4de1740f6 (bytes)
    +4.0.1.5 00000012 (18)
    +    4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key")
    +4.0.1.6 0102030405060708090a0b ([1 2 3 4 5 6 7 8 9 10 11], 11 bytes)

    See the plaintext structure for details.

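Review bot: the note under the decrypted block overstates the padding rule ("The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size"). OpenSSH only appends padding until the private section is a multiple of the cipher block size, so the 8-byte and 16-byte paddings coincide whenever the unpadded length is a multiple of 16 or leaves a remainder of 9 to 15 when divided by 16. For this key the unpadded section is 149 bytes (8 + 15 + 36 + 68 + 22), which gives the 11 bytes shown at 4.0.1.6 under aes256-ctr and would give 3 bytes under cipher "none", so the example does differ, but the general statement should read "may differ". It would also help to state that 4.0.1.6 plays no part in the decryption check: the check is that 4.0.1.0 equals 4.0.1.1 (f890d89a here), after which the padding bytes are verified to be the sequence 1, 2, 3, ...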
    @@ -900,10 +2880,13 @@ pre.rouge {
    3. https://datatracker.ietf.org/doc/html/rfc8017
    +
    +4. https://datatracker.ietf.org/doc/html/rfc8709 +
    diff --git a/_ref/ed25519/main.adoc b/_ref/ed25519/main.adoc new file mode 100644 index 0000000..27113b6 --- /dev/null +++ b/_ref/ed25519/main.adoc @@ -0,0 +1,15 @@ + +=== ED25519 + +ED25519footnote:[https://datatracker.ietf.org/doc/html/rfc8709] is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including: + +* fixed key sizes, so fixed pubkey sizes +** and significantly shorter pubkeys, yet- +* strength comparable to RSA4096, but- +** much faster +* public domain and https://ed25519.cr.yp.to/[developed by independent researchers^]; not tied to specific corporation (i.e. nothing like https://en.wikipedia.org/wiki/RSA_Security[RSA^]) + +I recommend it over all other key types for new SSH keys as long as it's supported by clients/servers. + +include::public.adoc[] +include::private/main.adoc[] diff --git a/_ref/ed25519/private/legacy/main.adoc b/_ref/ed25519/private/legacy/main.adoc new file mode 100644 index 0000000..5534d06 --- /dev/null +++ b/_ref/ed25519/private/legacy/main.adoc @@ -0,0 +1,7 @@ + +===== Legacy + +[NOTE] +==== +ED25519 has no legacy format, as it was introduced *after* the introduction of the new key format. +==== diff --git a/_ref/ed25519/private/main.adoc b/_ref/ed25519/private/main.adoc new file mode 100644 index 0000000..b6bff00 --- /dev/null +++ b/_ref/ed25519/private/main.adoc @@ -0,0 +1,5 @@ + +==== Private + +include::legacy/main.adoc[] +include::v1/main.adoc[] diff --git a/_ref/ed25519/private/v1/encrypted.adoc b/_ref/ed25519/private/v1/encrypted.adoc new file mode 100644 index 0000000..3902954 --- /dev/null +++ b/_ref/ed25519/private/v1/encrypted.adoc 
@@ -0,0 +1,146 @@ + +===== v1 (Encrypted) + +[TIP] +==== +Currently, the only supported KDF is *bcrypt_pbkdf* (`bcrypt`). + +See the following for more details: + +* https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf +* http://www.tedunangst.com/flak/post/bcrypt-pbkdf +* https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html +* https://datatracker.ietf.org/doc/html/rfc2898 +==== + +[TIP] +==== +You can get a list of supported ciphers (*1.0.0*) via `ssh -Q cipher` on most systems. +Note that *1.0.0* has nothing to do with SSH connections themselves; it's *only* for the encryption of *4.0.1*. + +This is likely going to be: + +* `3des-cbc` +* `aes128-cbc` +* `aes192-cbc` +* `aes256-cbc` +* `rijndael-cbc@lysator.liu.se` _(may not be present on all systems)_ +* `aes128-ctr` +* `aes192-ctr` +* `aes256-ctr` +* `aes128-gcm@openssh.com` +* `aes256-gcm@openssh.com` +* `chacha20-poly1305@openssh.com` + +The author recommends using `aes256-ctr`. It is currently the upstream default. 
+==== + +[id=struct_ed25519_crypt] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) + 3.0.0 uint32 allocator for 3.0.0.0 (4 bytes) + 3.0.0.0 Salt/IV (bytes) + 3.0.1 uint32 for number of rounds/"work factor" (4 bytes) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public key #n payload (bytes) + 4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes) + 4.0.1.0 +---- + +[NOTE] +==== +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`). + +*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used. +==== + +[id=bytes_ed25519_crypt] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. 
+ +.`id_ed25519` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBQEy9ykA +1o4KMfnXW28KW8AAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIL+iAxqlRjET5A4W +iWr1A8Upnq12sJy2OEb0HMTeF0D2AAAAoMSXd80NGn0323ehgUmRJ4+M6Z1XLixma5O5mG +dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV +2Zkal+8/CDj4qb/UPts0AxiWSQiPbPt4lG+5FONYrGq8ZGkQcvXyeIU02dQtf0BrxQkLMN +8jy33YxcuTjkH6zW446IRbgWC/+EBZgRjUR8I= +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("aes256-ctr") +2.0 00000006 (6) + 2.0.0 626372797074 ("bcrypt") +3.0 00000018 (24) + 3.0.0 00000010 (16) + 3.0.0.0 50132f72900d68e0a31f9d75b6f0a5bc (bytes) + 3.0.1 00000064 (100) +4.0 00000001 (1) + 4.0.0 00000033 (51) + 4.0.0.0 0000000b (11) + 4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.0.1 00000020 (32) + 4.0.0.1.0 bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) + 4.0.1 000000a0 (160) + 4.0.1.0 c49777cd0d1a7d37db77a1814991278f + 8ce99d572e2c666b93b99867425c60da + 4652fddb8555098532b51beeee2959f9 + db5cf5a0905052720c5de25f2c4dd87e + bcc7bb5ea3d7bcbeacc6b732e4c39295 + d9991a97ef3f0838f8a9bfd43edb3403 + 189649088f6cfb78946fb914e358ac6a + bc64691072f5f2788534d9d42d7f406b + c5090b30df23cb7dd8c5cb938e41facd + 6e38e8845b8160bff840598118d447c2 (AES256-CTR encrypted block) (bytes) +---- + +[NOTE] +==== +The decrypted *4.0.1.0* should match the <> for *4.0.1* through *4.0.1.6*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size. 
+==== + +When *4.0.1.0* is decrypted, it yields: + +.Decrypted *4.0.1.0* +[source,text,linenums] +---- +4.0.1.0 f890d89a (4170242202) +4.0.1.1 f890d89a (4170242202) +4.0.1.2 0000000b (11) + 4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519") +4.0.1.3 00000020 (32) + 4.0.1.3.0 bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) +4.0.1.4 00000040 (64) + 4.0.1.4.0 ce6e2b8d638c9d5219dff455af1a90d0 + a5b72694cfcedfb93bc1e1b1816dee98 + bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) +4.0.1.5 00000012 (18) + 4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key") +4.0.1.6 0102030405060708090a0b ([1 2 3 4 5 6 7 8 9 10 11], 11 bytes) +---- + +See the <> for details. diff --git a/_ref/ed25519/private/v1/main.adoc b/_ref/ed25519/private/v1/main.adoc new file mode 100644 index 0000000..5154324 --- /dev/null +++ b/_ref/ed25519/private/v1/main.adoc @@ -0,0 +1,3 @@ + +include::plain.adoc[] +include::encrypted.adoc[] diff --git a/_ref/ed25519/private/v1/plain.adoc b/_ref/ed25519/private/v1/plain.adoc new file mode 100644 index 0000000..e339845 --- /dev/null +++ b/_ref/ed25519/private/v1/plain.adoc 
@@ -0,0 +1,98 @@ + +===== v1 (Plain) + +[TIP] +==== +Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options). +==== + +[id=struct_ed25519_plain] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public key #n payload (bytes) + 4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes) + 4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes) + 4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes) + 4.0.1.2 Copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes) + 4.0.1.2.0 Copy of 4.0.0.0.0 (ASCII bytes) + 4.0.1.3 Copy of 4.0.0.1; allocator for 4.0.1.3.0 (4 bytes) + 4.0.1.3.0 Copy of 4.0.0.1.0 (bytes) + 4.0.1.4 uint32 allocator for 4.0.1.4.0 (4 bytes) + 4.0.1.4.0 Private key #n (bytes) + 4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes) + 4.0.1.5.0 comment for key #n string (ASCII bytes) + 4.0.1.6 sequential padding +---- + +[NOTE] +==== +*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0). + +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`). 
+ +*Chunk 4.0.1.4.0:* This is a 64-byte block for ED25519, but the second half of the private key (`[32:]`) is always the same as the public key. + +*Chunk 4.0.1.6:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.5.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used. +==== + +[id=bytes_ed25519_plain] +====== Example + +.`id_ed25519` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsAAAAJjPbUqwz21K +sAAAAAtzc2gtZWQyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsA +AAAEBqSF+KwoLTOqI6+TnpcaZY4ckcamLrBF8CvtJbNZflJ0Q4i8lzaE3WaFcTESK/8hLJ +g7umsWLE6XzRH3PDnZewAAAAElRoaXMgaXMgYSB0ZXN0IGtleQECAw== +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 00000004 (4) + 1.0.0 6e6f6e65 ("none") +2.0 00000004 + 2.0.0 6e6f6e65 ("none") +3.0 00000000 (0) +4.0 00000001 (1) + 4.0.0 00000033 (51) + 4.0.0.0 0000000b (11) + 4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.0.1 00000020 (32) + 4.0.0.1.0 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1 00000098 (141) + 4.0.1.0 cf6d4ab0 (3480046256) + 4.0.1.1 cf6d4ab0 (3480046256) + 4.0.1.2 0000000b (11) + 4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.1.3 00000020 (32) + 4.0.1.3.0 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1.4 00000040 (64) + 4.0.1.4.0 6a485f8ac282d33aa23af939e971a658 + e1c91c6a62eb045f02bed25b3597e527 + 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1.5 00000012 (18) + 4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key") + 4.0.1.6 010203 ([1 2 3], 3 bytes) +---- 
diff --git a/_ref/ed25519/public.adoc b/_ref/ed25519/public.adoc new file mode 100644 index 0000000..630835f --- /dev/null +++ b/_ref/ed25519/public.adoc @@ -0,0 +1,30 @@ + +==== Public +===== Structure +Public keys are stored in the following structure: + +.Key Structure +[source,text,linenums] +---- +0.0 uint32 allocator for 0.0.0 (4 bytes) + 0.0.0 Public key key type string (ASCII bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 Public key payload (bytes) +---- + +===== Example + +.`id_ed25519.pub` Format +[source,text,linenums] +---- +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQ4i8lzaE3WaFcTESK/8hLJg7umsWLE6XzRH3PDnZew This is a test key +---- + +.Structure Reference (Hex) (Decoded Base64 component only; `AAA...nZew`) +[source,text,linenums] +---- +0.0 0000000b (11) + 0.0.0 7373682d65643235353139 ("ssh-ed25519") +1.0 00000020 (32) + 1.0.0 44388bc973684dd66857131122bff212c983bba6b162c4e97cd11f73c39d97b0 (bytes) +---- diff --git a/_ref/rsa/main.adoc b/_ref/rsa/main.adoc index aef0740..76cdd3c 100644 --- a/_ref/rsa/main.adoc +++ b/_ref/rsa/main.adoc 
@@ -2,7 +2,9 @@ RSAfootnote:[https://datatracker.ietf.org/doc/html/rfc8017] is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it. -The key structures have references to the RSA notations in single quotes. You can find these enumerated in https://datatracker.ietf.org/doc/html/rfc8017#section-2[RFC 8017 § 2]. See also the https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation[Wikipedia article^]. +The key structures have references to the RSA notations in single quotes. You can find these enumerated in https://datatracker.ietf.org/doc/html/rfc8017#section-2[RFC 8017 § 2] or https://datatracker.ietf.org/doc/html/rfc8017#section-3.2[RFC 8017 § 3.2^]. See also the https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation[Wikipedia article^]. + +It is *highly* recommended to use 4096-bit RSA if using RSA keys. include::public.adoc[] -include::private/main.adoc[] \ No newline at end of file +include::private/main.adoc[] diff --git a/_ref/rsa/private/legacy/encrypted.adoc b/_ref/rsa/private/legacy/encrypted.adoc index 6921cea..8cd6fcf 100644 --- a/_ref/rsa/private/legacy/encrypted.adoc +++ b/_ref/rsa/private/legacy/encrypted.adoc 
@@ -1,2 +1,76 @@ -TODO +===== Legacy (Encrypted) + +[id=struct_rsa_crypt_legacy] +====== Structure +Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-11[11^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]). + +The `Proc-Type` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.1[RFC 1421 § 4.6.1.1^]. + +The `DEK-Info` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.3[RFC 1421 § 4.6.1.3^]. + +[id=bytes_rsa_crypt_legacy] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`testpassword`*. + +As shown by the header's fields, it is encrypted using _AES128-CBC_ with the IV of `822FAE7B2F5921CBD9143EDE93B22DFA`. + +[source,text,linenums] +---- +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,822FAE7B2F5921CBD9143EDE93B22DFA + +2vAiqYbBxVV+2LszZQ4ybpMIopqtL+mT6PZ/DNJWD9t7wUUynXS6fMBA45CRrsRI +VTtb1m+ZBo80WaY7PvbYUuX7BS4lWoJ9VFRwtVVPgN4CBOP8ILgQFvywY+yKZW/j +IB9m29XHN4GVxMZctsgUXfiff49juI4P0uVTRxwJ44HtqBFIYyRtQhhK4pcC7KlD +J4X7Fl4J6KRWXBktmZGy6wTLXcfekMwUAbgPuvswhsovjXbTjh0eJVMQbqyFg4N/ +hKEkeOznyVuZbAFnNB5johN/HlpoifGcmNh169FsZzuwMuDUOg//JmH2HgwYLCpy +JQgnsd6AqtlbZkTsoI4Mky0+a8A5y9iMl6Qw1AESt1ISb2k+iKtqXq0EkSzheB6a +aMtcSp7iIP5SKoV81Hl0L9Mnr8Ni/4HDNKLxi7msixN2v69ctB/m45bL3PMErVcm +7knY6Ps8jha/zGKVEQlEkCa7S/P5snb/MyMualc3PN/sAvWfcxLUi97pPU0HUZCX +RS1HR2Fc+FqfMAX+B+Zfr/cmlTSirrPQr387CDospv6UyzGgf6O5ZmGTp47T91mc +i/4GRHFUQ39nM9sD79fofk3Gdo/manhL1mFvti8Vy2jRXbwXuWhZNTy9J+gRkjR2 +X1NfRDaZlWfcDgUplqqZEbPFElRL8w00PTA4ZOWAt1a5jtQaNXh7JvnlC3oWDSW7 +RgAyAfvvUjigslfobMmMAbQt6gPcCHjnGMst11Xqcvw0c/+8sXVb5LOzAupOlb9B +lhPvgAuhr0k5azseCD0Y1uyahh5rcIcaN08KaLI1t/nWUYwvSfGx1ej14q1F/Y+Q +eDmS1695jWngX+FF1GdDzPRWYQhjeBl4V1dV+aTxLamWS8Oz4jk0pkzTwdl1yKDB 
+I60t6uhFpummMbKIqvFtOkpqdLjGXZ8bSVbgHu7uPyycJ+PZCgpn/fYxqJNvIhsO +x4QzKz1p6cFg0hxYKAcKqgIZUbmEu0MRr/VHDaR5K8AlSlVNz8ur62O4YEOslUFC +Tv8d0LBd80OyrhpoJhK7fplVbFx2jkmVkLSjbwTPWz7HxLO3u/fQ1+higQHbAGqg +75i4gpQVUDQE4KwPXjsjwhU1jrYyk2snnwmRa6yfYd61CI1lGJOycgm1tS90NNKA +/sZmBG2u/t+UFDX+cBIkdA6B4CwRaPmvo27jv1Mk3u4N/zp+FR9IUxCnc8Z3Fo7F +IKZAAEhtZniXG0t82aIXHdw7bQtH9eZsP/Il9ozaNW5Oky51AH/SCZT24vnOyc/U +RQPP8g+59bjeriG/QAZ/Ezv6TilW06i/0xOo9i8ZyJdtPLuQ9q9ijNydCCqB/yE/ +Q/VTYQxHV1GBmpb89p//VpeqKmyTFISGK3r+nTHelVLgy8zDLWSSRkDQEu2n+7ou +RwRli6ZrqsMBqhsBPcD/SzerRaq3AkstQ21C1fDpnBoXdRzx52wQcd3mKmspRLgc +w/V2zaJqzjKaqfqNaT3xBTns0BGUBMCzaE+YtSHe2+NiHnxioU8H2wQz0CM2rjJE +LBjfw4raTwrOSOufo7JqjMr5JrUeTy8Gqv1Wq8YrqmsPPrXmhhasxYrV/aqN96/m +UZgWVjD0G3NOHDcQ+yPQrjodPEbokeLb1y+Hw8os53sirWwKkUnPKK1tpZtsmCjR +wJTcaZVhGVdgWvxZnBGGvkDdxJBGisFc+IgnEWjgVxLiHkeXoyskgdB9zwYzNgJl +B0NuxgGnLpcNpTz11tPAvpJYHIFTgW/cjMfGh47hfJxCAyEa4qdlwk6YbvUHDEml +qzFMP70LbS18ck6SiP1ITVgxznT4CwuWXUdXTI1T1F9AY9u0Y5NPlB5SN7e/1Pq4 +1sf9NhUjgIVrxXoILUXDVreEcZj8B2zQOS4HcbQnQlUZuIbVKgot7UnHtTmALEu7 +YIYqKKr0GZCBpNi+qkBQd0RFsMNV6241X+BIwnHSIKBJ08PJ4O6H0RxK6KSshZV3 +bZGJcDrARHd/VbEmUE3pJbbesgwrOBvY9mh1iGHfYyoCabagdgEbXAqgAGKihvQ7 +l4J28BI4rbCU23U5BtBEGhHwhFC9tvkwx8/ImbzIwKqRXRN1fJys0ReYONWkOv7J +OBU3kvjhKUivcbAG6guz6hwP9I+450dE2Q4V54LabeQSZ3rfBk+SCXR6w6aX5us9 +ydLVqtUxvhyqP5/61seNWwDmvdB8A9DFKHuxPqhVKxhumfoe0T+zkOUmuVRLafIv +AGCxIVQBm1DEnuG/c6cMlgzw9qITrMgJAzqpyQDBslAxfa45+ViPHYFIpPhd+iGg +aaj6q9Clkl3tLoZvZ1D827zMfpq1Kaog9VsxQSiaAmpC5e/N+QaPunPIZTyDtaPj +5H7uCm27yHGG5z8yehmlDcPc2I1TjN24Dfzxi6AaiEZ/BAaUv8pTs3r4n2BAtzPm +u0zE1vw5UsZ59QmsHRgBO6z8IYA+HhNt+sd0krYfuJ1MUiSH03uhYAiGFoqHngAN +7w18EcsJPFUL1NTMy4dK6SaZFxIvPItbzf49Bwc03ruUt7Zy95Odz7UsjyD4msSE +q8/DAtzFPgztBlNieUH4N0w5Qu4x3hSx3/xgp9e+7njQo7mE+yySh7NPV27HaFKz +htsnuMaOzVMis9WLOq6egrsEaJ6BM3WRSPBa8ZjHdWYeVQ6WFLs2v7wX/j19Q9GZ +bdWkI1wBHcyz4MLUeJESFt3uqrHeNTLm5BWaGCeqtHeeHhoAquAJdjceLcDW7Le4 +tkQj3FxLFUCKlZt9H/gyDKwDhHShONFDWPbItKHrHlmSftsOiWNt7X9r9MEaxyWh 
+KIJcTV2JsrhDHcNHUDniSi0qYhVsAkLSng6xxy/A4bQIz0Jhp42+Sk0aJVj+DaBa +5K0ctJ1f/YoQv7SjOJAMEvoGLCVPFLFbWQpDhtvfpgB7g9/qpJKL5/ixDDgfRf58 +NN9CdVs/JPpuZiSmR86gAgHrDblaBcIOtUoKBPfZweiJKowN2li934JZRs2xuamv +HQEqEb9jJPj+eDv9FlCgCzBTdkiaLuuqU9agB6Ji8NMFDedj7rErkCUZ8tE9wqfY +ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L +-----END RSA PRIVATE KEY----- +---- + +See the <> for the decrypted (non-password-protected) version of this key. diff --git a/_ref/rsa/private/legacy/main.adoc b/_ref/rsa/private/legacy/main.adoc index 36a4887..5154324 100644 --- a/_ref/rsa/private/legacy/main.adoc +++ b/_ref/rsa/private/legacy/main.adoc @@ -1,2 +1,3 @@ + include::plain.adoc[] include::encrypted.adoc[] diff --git a/_ref/rsa/private/legacy/plain.adoc b/_ref/rsa/private/legacy/plain.adoc index 6921cea..c204642 100644 --- a/_ref/rsa/private/legacy/plain.adoc +++ b/_ref/rsa/private/legacy/plain.adoc 
@@ -1,2 +1,65 @@ -TODO +===== Legacy (Plain) + +[id=struct_rsa_plain_legacy] +====== Structure + +Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-10[10^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]). + +[id=bytes_rsa_plain_legacy] +====== Example + +[source,text,linenums] +---- +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEA0cey1didD//oq66foKO2IUqFAl0+EF9nMiDfu4LTM4SSoajP +Q02jewKP/GW9M7eFcDNf3UC5BUNkWym7uNzT6JlkKREZpe6AFsl4hNIfN+uoZSXA +5vUsqCW29+6lNALMwAHS835cMZPg2IIPQW21nudsMUH0+U4npwfc5jRButoxYnOT +LwbpTsDE8L1SXQdNojdfBQ/Ftk+mMr2E+boFv38lQMksfvY9nNhp5JKklyrmQtGv +2M1ChJXHKMCkspKpuIvM6ORIp5FMLmLpe1HR5HpxVFKGjCQaRhtwRnUrY69LhyEc +XtTt2O6OuiwFZbMcOTVSkGJUZ3qDKvRT9V4LA1WAvIKIqwkwNPoGdv8lVBgNL17c +32GTtb3eGg3zYl9pJu1bsofnm8KGrKGYG0qBWjSdKcpGLRvbPj3d0m0YPk1smCid +XnGCyzrG3gpMy0DS5SAyUl585rmfx/HJFtfSbhQTOR3lT1AMYRNNDej+pWX9ZAQC +82mnIdRLIXQL60BPLX/xRjHWva+0s3arfNhB1F0gxJWdMwCU7Fsd7M0m4bL519pt +t+fwnGgoEjOGDaiPzfARfi/IZ90npNmAS9WoDt94/uQdbGWXA9naww41z2IcuY5V +uPqeJkyqflA49GnYyiJz273fh3EnDqdudBTqAMZnUsRW/nJoNi64GldfXv0CAwEA +AQKCAgAldEcswRkBw0oSZQIhFzmsZfarfmRXXgE5xP7NJsV4nEHl1RL0TEdU7hcx +FCUct7Z+Wt3Rzf16wBaJ5ECc9+hpzgFBB8mRg6yg5OW8qRtjy5JsRLpVQg7wEpPB +Xn1mdN2Dpo+4Y6YoP+PUJBx/LQxRS7ZYcRNA88BGpTO+cjQOHWjV0BbGPbCoG+jN +pq+u5l/pB4PSjodZTo043/d+8sSV9Sh8ka59GI/VkhoN8lSqnMExyuhfh/5JV8iQ +MRz2uRLOXT9/kUqbiGiWm5heKTSVW3sid/2HxeZfAAUiv0a47JJKlRHQqKmyop0f +Bj8Mclcmq6uLFdNGCmyi3a6jz1+drKPovO8H9ZTKx7sujxbR1lIC1BPfzFQ1LzjT +A+n1Yp0gR9LA83TnzysGiYpl2MJYijbB8FPbXdJOMBNO63Jrr0DrF0VdI6Vf9GbA +HAmz+IbPD+ZTZNktzpv1MmTE+4W/7E/i22KwpJy+/6RYpkDCu3vTKS4L46BQsN4W +Gm2EL+kdzzmyCog3Vi6b0JRNd0dlKdZQKBanGtm4m3vx6PGhQFt0OZYu/QxDlLuK +YhlKDIpBdZTTL/PIk4xx89X826fm2DT3ZSK652YCiU35nO1VqU+hKl4gA1dhp4DN +/wg4LGFtwVhcwr1NyAC+nsFVTYU9Wszl+qpMOK/kKy7WH1K8rQKCAQEA/wXLJPeL +e3QG0E7TlMmOxq2yUFhu7WMybmhW5z3su9jHNxZ2qEP7Vzer4LiQNmnJiNKFQ8El 
+fjywSHINW1+OJXs3M6W3vQLw03XfYt69X2kC9uhooo0/xj8++YhVL4pmI9K7uI0Y +IkFI2I9rsV6rb7tiKdeFW9NK9AoGp5StSwrVWvgPLwWl4ipVvZhDcRK2VsD8DqNU +5QwX5l+wnFlR77XIi7c73UwbEictp7ZGwpDDVT7EBJRhruaybRoIGKHX4etJXPGz +J2L/YQII4H44e7L00qTvfpxNHcdaqqIdZ/Rn3hKqoQBa1lZJf3WjDq70lq26aJwC +h34COSjbwKM/HwKCAQEA0pWEU54DE4ybznDxUZsLgD1xPYpqMTKO6yAJijwMobFv +Py9nc25vK0u6RT1It7eIse7TilpUZPB9PDV3sL+kgH5mW1OpvvfMtmncAM68KM7R +XXBCcpCp0ke1DBNZtNLXFR8OSoJ2Vd2+XbeF7+uRHW4UCHtZttWPke8rokVCFXGN +JgM6ubF7QPNcZ/gSclhZORP5e4QR1tFppA3dN/ehLaU7Md45oqYRE9y5oONEdnQA +9b5t1vMqL3TgIHuD6m1nlITmmWSQIWm7BObAz1WmBpyluz8kVeLj8yu+My6VnxNl +0P1yEVck9mMlNqzgA6i0ilcPMJoU0M+2Fzr72yFKYwKCAQAPro2FYmuDVektWguM +tLBA62Fxq1523oi1XVkqsxYhnvzxGEKHqlaEUHoTQYYssmigL0HenrvtfVHhwpGr +sr6M83y7gk9AIjQo7LCl5ciDW3PBNx1oEYOAb1cyBP4oBDyvqz+744E+agFOv9MB +fy7Pmhg5NnWO5flP9GXgXDYjzTC9fU+BtrkypSPMmtZa16m6v/c/9y87Pnkhw3Sa +yKtPMEB6xvO5cfqgLSSTkZPcVwaL8WYgWfd/x9Pk/ZrN2PXrgIpsWriHjYDiuDtP +grN6d9CyO0423OmpER80Ku/f+pmAgGlZqSns0DWIzvUN7BhCQ8CYui81obwFQ8vv +lppFAoIBAD5UbxRo4rQ4nC1glKz43VCZ3xi+DWx+cHr7wpcd6wc5A5qKJ26tM053 +Xaz81Lc8JcO00vxSfERcQlU95i10q/Y0c4t4mfeiVP9xGeNLTboubR3hCmnqk7lf +7CCk4Zp6BZuE07AOKYSE28HVflljOlKhsGBKUmWhlJs3VYz0Pvkl4QdtUUaBV+AD +qEhFzv/1UoNofCGpF7ajyUb7q4zTSOu/ymOaSSjxSoC8hl0up6b/8wDJ2q0S0Fu3 +lldG9+a9dzkolTC16UtahjaPLmawDTJLz2o66EBbpejl+6gek76/+RUAz3B+gLxE +4FDsnmm216lS13YlRSABOv5pQP69Pc0CggEBAI8eT3npJUQX31Gej0KvN4h0Sq0t +eYtLF5+uEoDr+DTD0MHv6Cta0QpBKzvOljDtxqNTu8oiNkkhch4daXMOD/qfdk9y +C+befW1llA6ni6qNF5SlJWVZoyJgasAotzdK7bAIHmJ2BVc1NH5RWYipEWrcfwGA +JSpC9D6V5wxP0GQa3hl0X7w/2pFNfv7jZ3VeYP91xbn01r4hUdyR2ryOBd817t/N +aLB3RLkJazg7EKadnM5elAwFZ7PKWjnAyIYH6BoUbs3YonySFPpp9Z5SxidrRpb+ +Zb7jkiz4m88ol7ezdWZyHhVMZqy4bWMCI4moTDcpqJuox6JTQiO2Ajj2pFU= +-----END RSA PRIVATE KEY----- +---- diff --git a/_ref/rsa/private/main.adoc b/_ref/rsa/private/main.adoc index ea6179f..08c356c 100644 --- a/_ref/rsa/private/main.adoc +++ b/_ref/rsa/private/main.adoc 
@@ -1,5 +1,4 @@ ==== Private -===== Legacy -include::legacy/plain.adoc[] -include::legacy/encrypted.adoc[] -===== v1 + +include::legacy/main.adoc[] +include::v1/main.adoc[] diff --git a/_ref/rsa/private/v1/encrypted.adoc b/_ref/rsa/private/v1/encrypted.adoc index 6921cea..e37dd78 100644 --- a/_ref/rsa/private/v1/encrypted.adoc +++ b/_ref/rsa/private/v1/encrypted.adoc 
@@ -1,2 +1,315 @@ -TODO +===== v1 (Encrypted) + +[TIP] +==== +Currently, the only supported KDF is *bcrypt_pbkdf* (`bcrypt`). + +See the following for more details: + +* https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf +* http://www.tedunangst.com/flak/post/bcrypt-pbkdf +* https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html +* https://datatracker.ietf.org/doc/html/rfc2898 +==== + +[TIP] +==== +You can get a list of supported ciphers (*1.0.0*) via `ssh -Q cipher` on most systems. +Note that *1.0.0* has nothing to do with SSH connections themselves; it's *only* for the encryption of *4.0.1*. + +This is likely going to be: + +* `3des-cbc` +* `aes128-cbc` +* `aes192-cbc` +* `aes256-cbc` +* `rijndael-cbc@lysator.liu.se` _(may not be present on all systems)_ +* `aes128-ctr` +* `aes192-ctr` +* `aes256-ctr` +* `aes128-gcm@openssh.com` +* `aes256-gcm@openssh.com` +* `chacha20-poly1305@openssh.com` + +The author recommends using `aes256-ctr`. It is currently the upstream default. 
+==== + +[id=struct_rsa_crypt] +====== Structure + +[source,text,linenums] +---- + +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) + 3.0.0 uint32 allocator for 3.0.0.0 (4 bytes) + 3.0.0.0 Salt/IV (bytes) + 3.0.1 uint32 for number of rounds/"work factor" (4 bytes) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public exponent ('e') + 4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes) + 4.0.0.2.0 modulus ('n') + 4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes) + 4.0.1.0 +---- + +[NOTE] +==== +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01). + +*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used. +==== + +[id=bytes_rsa_crypt] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. 
+ +.`id_rsa` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAH1LB8Cx +KDSJFkiACNbhMLAAAAZAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQC3zsBGAc4q +EvDJJMuaMOuZAGaBLLFDaRk/MLK5/dSvyzAMkY8qd9ZEEPNheufIyjGMJX08TfTixBCLu+ +k6holLoUs1dfL3IVC8OB3L+3QsehloZv0xhKzpZ2Gt2g/CmS9shm11aZGfwi2cS/DeQFqM +dtUZqipTKdxoJXdyKaXQt1OnglqJuVJ1+cAl4hU0PGyIzWaQoiH4rp72de5GTcfRGNpBBQ +fqXWtkid1gr9imZGSS2z4nnxp4JA24q72mxQcUyWNmUKcggef6XUcsFCiwfq5dFbZOoeKn +UIUS/pq2VfhqMTSG08yh3Y6QrMXJ+6TW52dQf7q586f2jHSBQq8qNwHTGoqbdRGViqdxh7 +pwLtk004WvzuQjgOleDn6bwPTSM2f8dwN0Fnt/CSb7b9ttBarRz9GRgkhFsBThgVO/DR08 +Ox+tuyWj8dFR+baEYz2MFpD82MrQWqwq6yPb8Zo35ICgCJEDGcEW1HvZJLOZQlQ7iKD2En +lSstjhKQ8wKfVCrr6cDI42zzKWhlzWZDyJJNVm6/SXGAk5mhrAlv4e3Dtfhxv17wtNRODq +J2INIFFC4L/PZ3tNsCVTISGj8HRapNBYYzFzMleFWlzsvjrEQD0E/wzAxYt8BJBLQCElwr +wqY6IOuzCcxvPmXbMBoFi42s4H5xs48/NZVDP2mxmPBwAAB1CWbizkNSQv7wl4f26Nk6Vj +CS4/O8mGtEGYyB6AScXJREGe/8BSFAHcHvW8Dk1q7et9BYgLw/cxaYubzuzq4I5eBfefTS +LelTyJnDJxhQ6A6AT5saebzsMbuhHAjbYPm9Iga8PXv+90iV5PTjcgZJ+SRUT0os6lud+5 +zAor2PO6cPS6Ln9ClgRlyereEYYw+cgy/oTvVIUpl50NbqB5+dXEDjlrCY/FCUSNJt48tI +SwM0r6yro3G1LDfBIKViMXDB0KOTSKFRyfuKqxBJ9SzwwIx3FErzFCWakISPPcYuWDH6wI +cgscgTUG8dseeUDe9S3EbJfWNjzaD/fiJY4mN9LgnyYJm7/qx4gZGYt4N00kJFN/5Umiqz +3dr19/23OcOSEGSwT2/8/rVUTbUzF5A44R0MxiKZK8bQYAWE1AaKKJHcdIycFr4ywqCOls +qi3exN3Roqs7AYoLDxZqFayHCjDIDMiX2/Fa9+jCkVs2FvI3pmRuQ8Zl91aaXtGFCtjNBU +AG04lWjbVTk+eA51Ks6PBrcPHpnYa5RF2cGnpkdry/SEQApY5aWnPSwg1jCpmFu/TGkau2 +HuRRWqZKcn57rEpe17tfdnx9zwA1kEIxKD2SRFhjcCqZXnkr3h1ax91iSJh7n+SwpvGDfO +T7qgMv9Gcahr6Mfk+b43GCEurQpvG0KYiGO/gK8XqYFPH/vtbIHn9Z3luMcbn1cfxVbMVq +7iK+G1fUj4ynajeYR8Z9DOtD6tEBNV5UGlfCVK6BTwWKA2GS9J2WI2yIQo5fVNr+/RpbjK +Ethc84M9ONgWxuDiBRQ/M+NTxHGryXjSjRrImnJNWqs+fEgBXFzTpvMcJYzvExJXTmksbk +laKo777nhan+HHJzeeof3FtJKoOkr/ezlFrvUDqV3FKyFHQXK7VAVLEGNC8r3mvDitFmwa +XG2IaFuAZ/UpdBs2mRNS1d8Skbnjx0anHivaeW/d2sKdDi8/rf0fD9M9p1vGFR0+4n9hme 
+dsO56HL7Y7VK14sPvivoTxDX5IM5xuYzZFBwdK3cWivYxL5YSMKRvbJ0DTqjJcNQOWzijg +hu7N1iVvSPt5R7hOhXWbHH5t2RIj4/go5CU6fsbZh61hvSF5wimiDo2X5hWMsL5zQidpi0 +aVx4TEY8rD6n1TgFbVBiqJX4rmRUm9WEhKYDY6uBvEPm/eDuEkdwUbU8lw8GPfLw/y/WVb +f4ECm+VFzIQfcyHTEwTuuiEP34/a1+G8iszU2ZDAWLMIF+heLFaVq5LB4SmsdHHzOP3TlO +3hYHFFDBkGHgfBNcvofwEmCzYgbLwWnIW53aJvs9/159aP1RpXNALbzB3H9JocucNBALmz +0LuLhjnGnH1HSQq4PIkYrQOuYu7kMWXkUvhU2NQTIYbCH3Qu5KPMYUUVrcfAiUCDhThQP1 +xNV4HphMrZPPeo0Xpo1nizRmr7rjYgVdW27bAAe1kjHTBA2/7IuXgrOcOREW8gN+IYv6uk +bFLFYYCu7yQdkY8hSwtkgLc4KHWtnazkSWw2guoqaXtf5DsQfZPhl2slQNv9oq4iO8GoTW +Xg1nAlE7jMRCol+5g6rfpJLQnj39mR+fR0cLtzNp9jTdUNqybRKcO6CWrXlxHw7kQZwSJu +uNpCZ0ss936PSj92zp6eJJtNH8x3jvMY29Z3hVbA+YeOvm6DJJFteCgPI/fjkhsptCu6bK +LXgDmcpO08stA2yb7YCyNYCRmEIhNeLYQsj1Ok3Vn+C+2InUeEAWQCSx9mjMVml41DHrKg +eiDtBuV1VR4bAw2xNQ6UySmgKKXcJTQONDTyJQ4/Sd4XG7hQh10oAFDklVRLpxtx6jbCk3 +rWWT4rW8oovDjlnOqR8mzRyoqkvZ+8HGBa5Grj9Vmzpuv4n/Vp/zZcPLpLS5H2Zf/aOXGI +/iPqRWyALEeoBihE1AT6tBoPqD/Q3Wbk21ERXwJhl/TImhvygka6mWbKKXOw86+kMVSJal +a/4hU9+qo8zSqwEbf5FHDL3ASvfP4XA95wQPTXd3sGh2nUA1N3zHZk9Aa11pNWqjMEXEM0 +oeLOYC6isexmY1LRS1mW2tRRpMuIbGYUPcJfjxvPDtJT/ryXM0MuraNaavyYJ0n6DsaAqI +HbBhceo3+oM4HskKavovJp2doHyPMCFh4myaTCHCVgztgRvfa+QC02ri8R+IQ1EkHneaIv +i2mo4+6qZ25xUBQ6ZrOpLU2s6fT5th4/fgqnZWyBjs+1MwNFfVHnTn7InPA4yac/ODQ4Po +ItL1DDp3daoOY7EnohTbdJDkiPfukXgqkN4y9KsiYBr3sZD8xqKS5C4vi2nKrOmUsSfp+R +UyttjDt84I+ZHSaSILzu7X1OYVFSPmPkG80nFU/Tp/c3DASxJYcVQT7F8X9RuqmejlzVms +evF9rs0OiSYAJAOrh6Qi5CKm+xGGtbt9sl+v/trSR/10GyRhqjuWEjQhQq8Q3s7+AMALN6 +ZnrXZl+8QIW1MSvaaQFmJFqTs= +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("aes256-ctr") +2.0 00000006 (6) + 2.0.0 626372797074 ("bcrypt") +3.0 00000018 (24) + 3.0.0 00000010 (16) + 3.0.0.0 07d4b07c0b128348916488008d6e130b (bytes) + 3.0.1 00000064 (100) +4.0 00000001 (1) + 4.0.0 00000217 (535) + 4.0.0.0 
00000007 (7) + 4.0.0.0.0 7373682d727361 ("ssh-rsa") + 4.0.0.1 00000003 (3) + 4.0.0.1.0 010001 (65537) + 4.0.0.2 00000201 (513) + 4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1 00000750 (1872) + 4.0.1.0 966e2ce435242fef09787f6e8d93a563092e3f3bc986b44198c81e8049c5c944 + 419effc0521401dc1ef5bc0e4d6aedeb7d05880bc3f731698b9bceeceae08e5e + 05f79f4d22de953c899c3271850e80e804f9b1a79bcec31bba11c08db60f9bd2 + 206bc3d7bfef74895e4f4e3720649f924544f4a2cea5b9dfb9cc0a2bd8f3ba70 + f4ba2e7f42960465c9eade118630f9c832fe84ef548529979d0d6ea079f9d5c4 + 0e396b098fc509448d26de3cb484b0334afacaba371b52c37c120a5623170c1d + 0a39348a151c9fb8aab1049f52cf0c08c77144af314259a90848f3dc62e5831f + ac08720b1c813506f1db1e7940def52dc46c97d6363cda0ff7e2258e2637d2e0 + 9f26099bbfeac78819198b78374d2424537fe549a2ab3dddaf5f7fdb739c3921 + 064b04f6ffcfeb5544db533179038e11d0cc622992bc6d0600584d4068a2891d + c748c9c16be32c2a08e96caa2ddec4ddd1a2ab3b018a0b0f166a15ac870a30c8 + 
0cc897dbf15af7e8c2915b3616f237a6646e43c665f7569a5ed1850ad8cd0540 + 06d389568db55393e780e752ace8f06b70f1e99d86b9445d9c1a7a6476bcbf48 + 4400a58e5a5a73d2c20d630a9985bbf4c691abb61ee4515aa64a727e7bac4a5e + d7bb5f767c7dcf0035904231283d92445863702a995e792bde1d5ac7dd624898 + 7b9fe4b0a6f1837ce4fbaa032ff4671a86be8c7e4f9be3718212ead0a6f1b429 + 88863bf80af17a9814f1ffbed6c81e7f59de5b8c71b9f571fc556cc56aee22be + 1b57d48f8ca76a379847c67d0ceb43ead101355e541a57c254ae814f058a0361 + 92f49d96236c88428e5f54dafefd1a5b8ca12d85cf3833d38d816c6e0e205143 + f33e353c471abc978d28d1ac89a724d5aab3e7c48015c5cd3a6f31c258cef131 + 2574e692c6e495a2a8efbee785a9fe1c727379ea1fdc5b492a83a4aff7b3945a + ef503a95dc52b21474172bb54054b106342f2bde6bc38ad166c1a5c6d88685b8 + 067f529741b36991352d5df1291b9e3c746a71e2bda796fdddac29d0e2f3fadf + d1f0fd33da75bc6151d3ee27f6199e76c3b9e872fb63b54ad78b0fbe2be84f10 + d7e48339c6e63364507074addc5a2bd8c4be5848c291bdb2740d3aa325c35039 + 6ce28e086eecdd6256f48fb7947b84e85759b1c7e6dd91223e3f828e4253a7ec + 6d987ad61bd2179c229a20e8d97e6158cb0be734227698b4695c784c463cac3e + a7d538056d5062a895f8ae64549bd58484a60363ab81bc43e6fde0ee12477051 + b53c970f063df2f0ff2fd655b7f81029be545cc841f7321d31304eeba210fdf8 + fdad7e1bc8accd4d990c058b30817e85e2c5695ab92c1e129ac7471f338fdd39 + 4ede16071450c19061e07c135cbe87f01260b36206cbc169c85b9dda26fb3dff + 5e7d68fd51a573402dbcc1dc7f49a1cb9c34100b9b3d0bb8b8639c69c7d47490 + ab83c8918ad03ae62eee43165e452f854d8d4132186c21f742ee4a3cc614515a + dc7c08940838538503f5c4d5781e984cad93cf7a8d17a68d678b3466afbae362 + 055d5b6edb0007b59231d3040dbfec8b9782b39c391116f2037e218bfaba46c5 + 2c56180aeef241d918f214b0b6480b7382875ad9dace4496c3682ea2a697b5fe + 43b107d93e1976b2540dbfda2ae223bc1a84d65e0d6702513b8cc442a25fb983 + aadfa492d09e3dfd991f9f47470bb73369f634dd50dab26d129c3ba096ad7971 + 1f0ee4419c1226eb8da42674b2cf77e8f4a3f76ce9e9e249b4d1fcc778ef318d + bd6778556c0f9878ebe6e8324916d78280f23f7e3921b29b42bba6ca2d780399 + 
ca4ed3cb2d036c9bed80b235809198422135e2d842c8f53a4dd59fe0bed889d4 + 7840164024b1f668cc566978d431eb2a07a20ed06e575551e1b030db1350e94c + 929a028a5dc25340e3434f2250e3f49de171bb850875d280050e495544ba71b7 + 1ea36c2937ad6593e2b5bca28bc38e59cea91f26cd1ca8aa4bd9fbc1c605ae46 + ae3f559b3a6ebf89ff569ff365c3cba4b4b91f665ffda397188fe23ea456c802 + c47a8062844d404fab41a0fa83fd0dd66e4db51115f026197f4c89a1bf28246b + a9966ca2973b0f3afa43154896a56bfe2153dfaaa3ccd2ab011b7f91470cbdc0 + 4af7cfe1703de7040f4d7777b068769d4035377cc7664f406b5d69356aa33045 + c4334a1e2ce602ea2b1ec666352d14b5996dad451a4cb886c66143dc25f8f1bc + f0ed253febc9733432eada35a6afc982749fa0ec680a881db06171ea37fa8338 + 1ec90a6afa2f269d9da07c8f302161e26c9a4c21c2560ced811bdf6be402d36a + e2f11f884351241e779a22f8b69a8e3eeaa676e7150143a66b3a92d4dace9f4f + 9b61e3f7e0aa7656c818ecfb53303457d51e74e7ec89cf038c9a73f3834383e8 + 22d2f50c3a7775aa0e63b127a214db7490e488f7ee91782a90de32f4ab22601a + f7b190fcc6a292e42e2f8b69caace994b127e9f91532b6d8c3b7ce08f991d269 + 220bceeed7d4e6151523e63e41bcd27154fd3a7f7370c04b1258715413ec5f17 + f51baa99e8e5cd59ac7af17daecd0e8926002403ab87a422e422a6fb1186b5bb + 7db25faffedad247fd741b2461aa3b9612342142af10decefe00c00b37a667ad + 7665fbc4085b5312bda690166245a93b (AES256-CTR encrypted block) (bytes) +---- + +[NOTE] +==== +The decrypted *4.0.1.0* should match the <> for *4.0.1.0* through *4.0.1.10*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size. 
+==== + +When *4.0.1.0* is decrypted, it yields: + +.Decrypted *4.0.1.0* +[source,text,linenums] +---- +4.0.1.0 0d98bd61 (228113761) +4.0.1.1 0d98bd61 (228113761) +4.0.1.2 00000007 (7) + 4.0.1.2.0 7373682d727361 ("ssh-rsa") +4.0.1.3 00000201 (513) + 4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) +4.0.1.4 00000003 (3) + 4.0.1.4.0 010001 (65537) +4.0.1.5 00000200 (512) + 4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d + a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1 + e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0 + eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3 + 854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465 + 12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5 + 9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f + c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7 + 
00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d + 5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c + acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef + 2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3 + a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c + dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163 + e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804 + 1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes) +4.0.1.6 00000100 (256) + 4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7 + 505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b + 3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952 + b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b + 34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305 + 53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7 + 2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a + 137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 +4.0.1.7 00000101 (257) + 4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0 + 56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7 + 7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a + d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728 + 23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab + cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71 + ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a + 292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe + 99 +4.0.1.8 00000101 (257) + 4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2 + b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f + 9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb + 05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227 + 
1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a + b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1 + 9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341 + e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e + 9f (bytes) +4.0.1.9 00000018 (24) + 4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string") +4.0.1.10 010203 ([1 2 3], 3 bytes) +---- + +See the <> for details. diff --git a/_ref/rsa/private/v1/main.adoc b/_ref/rsa/private/v1/main.adoc index 36a4887..5154324 100644 --- a/_ref/rsa/private/v1/main.adoc +++ b/_ref/rsa/private/v1/main.adoc @@ -1,2 +1,3 @@ + include::plain.adoc[] include::encrypted.adoc[] diff --git a/_ref/rsa/private/v1/plain.adoc b/_ref/rsa/private/v1/plain.adoc index 6921cea..6ff5423 100644 --- a/_ref/rsa/private/v1/plain.adoc +++ b/_ref/rsa/private/v1/plain.adoc 
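Review bot: the NOTE in the encrypted.adoc hunk overstates the padding behaviour: "The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size" is contradicted by this very example, where both the encrypted key and the plain key of the same RSA key have `4.0.1 00000750 (1872)` and end in `4.0.1.10 010203 ([1 2 3], 3 bytes)`. 1872 is a multiple of 16 as well as of 8, so the aes256-ctr padding is identical to the "none" padding here. The padding only differs when the 8-byte-aligned length is not also a multiple of the cipher's block size; suggest "may differ" and state that condition explicitly. A secondary point in the same hunk: the Structure Reference labels the whole AES256-CTR ciphertext as `4.0.1.0`, and the "Decrypted 4.0.1.0" listing then reuses `4.0.1.0` for the first check integer, so the same identifier names two different things; giving the ciphertext its own label (or calling it "4.0.1 (encrypted)") would avoid the collision with the plain-key breakdown that the NOTE asks the reader to compare against.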
@@ -1,2 +1,227 @@ -TODO +===== v1 (Plain) + +[TIP] +==== +Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options). +==== + +[id=struct_rsa_plain] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public exponent ('e') + 4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes) + 4.0.0.2.0 modulus ('n') + 4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes) + 4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes) + 4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes) + 4.0.1.2 copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes) + 4.0.1.2.0 copy of 4.0.0.0.0 (ASCII bytes) + 4.0.1.3 copy of 4.0.0.2; allocator for 4.0.1.3.0 (4 bytes) + 4.0.1.3.0 copy of 4.0.0.2.0 (bytes) + 4.0.1.4 copy of 4.0.0.1; allocator for 4.0.1.4.0 (4 bytes) + 4.0.1.4.0 copy of 4.0.0.1.0 (bytes) + 4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes) + 4.0.1.5.0 private exponent ('d') + 4.0.1.6 uint32 allocator for 4.0.1.6.0 (4 bytes) + 4.0.1.6.0 CRT helper value ('q^(-1) % p') + 4.0.1.7 uint32 allocator for 4.0.1.7.0 (4 bytes) + 4.0.1.7.0 prime #1 ('p') + 4.0.1.8 uint32 allocator for 4.0.1.8.0 (4 bytes) + 4.0.1.8.0 prime #2 ('q') + 4.0.1.9 uint32 allocator for 4.0.1.9.0 (4 
bytes) + 4.0.1.9.0 comment for key #n string (ASCII bytes) + 4.0.1.10 sequential padding +---- + +[NOTE] +==== +*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0). + +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01). + +*Chunk 4.0.0.1.0, 4.0.0.2.0, 4.0.1.3.0, 4.0.1.4.0:* Note that the ordering of `e`/`n` in *4.0.0* is changed to `n`/`e` in *4.0.1*. + +*Chunk 4.0.1.10:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.9.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used. +==== + +[id=bytes_rsa_plain] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. + +.`id_rsa` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZPzCyuf3Ur8swDJGPKnfW +RBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/t0LHoZaGb9MYSs6Wdhrd +oPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdTp4JaiblSdfnAJeIVNDxs +iM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J58aeCQNuKu9psUHFMljZl +CnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2OkKzFyfuk1udnUH+6ufOn +9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8D00jNn/HcDdBZ7fwkm+2 +/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ/NjK0FqsKusj2/GaN+SA +oAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs8yloZc1mQ8iSTVZuv0lx +gJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEho/B0WqTQWGMxczJXhVpc +7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuNrOB+cbOPPzWVQz9psZjw +cAAAdQU4NHElODRxIAAAAHc3NoLXJzYQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZ +PzCyuf3Ur8swDJGPKnfWRBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/ +t0LHoZaGb9MYSs6WdhrdoPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdT 
+p4JaiblSdfnAJeIVNDxsiM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J5 +8aeCQNuKu9psUHFMljZlCnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2O +kKzFyfuk1udnUH+6ufOn9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8 +D00jNn/HcDdBZ7fwkm+2/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ +/NjK0FqsKusj2/GaN+SAoAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs +8yloZc1mQ8iSTVZuv0lxgJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEh +o/B0WqTQWGMxczJXhVpc7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuN +rOB+cbOPPzWVQz9psZjwcAAAADAQABAAACAEmfLHBeBL/hekR20n5eHd/YwzX2OsIvdIdU +8CGDRA9tqT8/hkKSYWY+C939pp1ML3BdC7590xqJQb9WcuKYRKHgZwlwxvKpi3b4Wyb6/t +tZxJeGuN9+ruuGFx/Vef6N8OrdJTakJEoDMtWprT64NAyTBGQVPoK0/61PZHp7qAjjhURQ ++Aa2DgtnD8mctrWHhkl9TBmed1DuUImTTu8l9GUSOUlVxIfhB0Tr25oAlRyAlbAk1M518d +oxRrWzRHFp9Z4j1AaFQ4vHvK0Rc5J6OJoJA7oRGkaAnRI7NDIZfMqPwMJ4FvvyFcK3xYS5 +TzfJ7YqOgVlC7/3PVHVyaK/lj9cAzc9qmKIJUGF7BiSqg12V4n16/N7nDDl8obaqBHNebV +xeAb//IXTPVi02hCYkSQ4SyoFCWV1SVnSU84shJAEsrKyyVk4hyEXrlPXW6/bzkGbh+gSz +GBdOb5mUgjuk2e8sKLN8s+oF+jytcgCJg5QnaDVSPk5BYFTyPbDrcyIR06EepVE5CujVjW +nhRmTg4g8r8MzSTSYLgyqUFE9YAep827JDbyG6LbrsvNVz8kxeDUP9JrSuZ2ThON2vR3Ws +AWPkVyfBACf3FsvjzHD/9zRBuyU45UJqGlY4tEinveloBB7CGE72ew2mAHApfNc97u/r0Z +UWEcendslW4Y5fFjohAAABAAri4c8kVaDYInLmpCu7qD63ZUluWjPhO4yUdW2MMvfXUF/Z +l73V7AjFm/jR1lnR3wK+xmnrtaqvXbHscM4vKms6F7ex/OOtxiA8KQXNZS12IgZd0BGuM4 +lEZ8bco2Q5UrDK7f+bx4rEBAgHQCdWbuTEdRrT/0UqJ4Gvi1wsm/CbNO5eYgEzC0vDga92 +Z5hmfFua0HM8GfTvR1/SZGVeAwVT8vL43lnCrudLndZyDjEIFD3+3UHPS8Ed4rmp9A+uxy +pSMSq+5MYVWs/uk4ShY0jHFTRuvmk4lf5tI0jU3tsKE3xIcYX/lJwgkRW5yKEGMpmR8Eno +Qwx7pg3VQI1yrJgAAAEBAOULZbpq5MsprmYSnD5B/+ujbNbsuqcEX/kM6nHQm8BWsLkTTc +V1TEnaH+irFpzRSe7a7M9JE9kV9PJBxf2Gx3UR4MJhw0RgCoTM546M9JPkkoRMuCxCq20S +RqU+XPUK1HWcKlwJ1TscXDtEkyjuoBQ01uU3s6UTko363fCnJygjiZuNeVIgyzNEq40OhG +4eQP/ftccZJiwrUnqJClH6q88QkEaZE197mXSH9LSNRJCtgPwls0b6C7WH8JKVvw9xrBCo +CGhn1LrQCgwnpkVvCODCv4yu2HaPA2aiRAQoGAopJhevYf6rq5pwdbi8ISCaVDm7/jYTkX 
+Bx/udKjV2A/pkAAAEBAM1wd2WfrZgxBLzH3FJiQrnqUs6kDpI993GsKijjd/K5IxpYwkSM +a40X/oNXHva9u8EfPUq0JU6oWWhLh3KRH5xvNVR5BT4+PTpuzOE6AWkIKYyj+LYo0hEXSa +NidijrBYRPVGeVpQZ9ObHTBOGcxvwb4AphZOoz5Ku8h/VoMicdglyGjFzNo3dbA3cR6ZQ2 ++WxT83gLmFCE4dhKRYxoerCTigm/b5s//sQe0C/VsnVyx9GAA55AWlWbYvwI+ASxnwQ9uk +xvdWWxxydZ9Lky1Pk9T0HakbGxRvKYVKEAg0HkdgvdSYcJfsSmVRq5bgmaBKONaok7Uz2x +hau1VzZBnp8AAAAYVGhpcyBpcyBhIGNvbW1lbnQgc3RyaW5nAQID +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("none") +2.0 00000006 (6) + 2.0.0 626372797074 ("none") +3.0 00000000 (0) +4.0 00000001 (1) + 4.0.0 00000217 (535) + 4.0.0.0 00000007 (7) + 4.0.0.0.0 7373682d727361 ("ssh-rsa") + 4.0.0.1 00000003 (3) + 4.0.0.1.0 010001 (65537) + 4.0.0.2 00000201 (513) + 4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1 
00000750 (1872) + 4.0.1.0 53834712 (1401112338) + 4.0.1.1 53834712 (1401112338) + 4.0.1.2 00000007 (7) + 4.0.1.2.0 7373682d727361 ("ssh-rsa") + 4.0.1.3 00000201 (513) + 4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1.4 00000003 (3) + 4.0.1.4.0 010001 (65537) + 4.0.1.5 00000200 (512) + 4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d + a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1 + e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0 + eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3 + 854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465 + 12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5 + 9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f + c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7 + 00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d + 
5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c + acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef + 2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3 + a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c + dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163 + e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804 + 1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes) + 4.0.1.6 00000100 (256) + 4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7 + 505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b + 3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952 + b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b + 34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305 + 53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7 + 2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a + 137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 (bytes) + 4.0.1.7 00000101 (257) + 4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0 + 56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7 + 7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a + d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728 + 23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab + cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71 + ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a + 292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe + 99 (bytes) + 4.0.1.8 00000101 (257) + 4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2 + b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f + 9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb + 05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227 + 
1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a + b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1 + 9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341 + e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e + 9f (bytes) + 4.0.1.9 00000018 (24) + 4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string") + 4.0.1.10 010203 ([1 2 3], 3 bytes) +---- diff --git a/_ref/rsa/public.adoc b/_ref/rsa/public.adoc index 06a8f4b..bdae5f3 100644 --- a/_ref/rsa/public.adoc +++ b/_ref/rsa/public.adoc @@ -1,6 +1,5 @@ ==== Public - ===== Structure Public keys are stored in the following structure: @@ -8,11 +7,11 @@ Public keys are stored in the following structure: [source,text,linenums] ---- 0 uint32 allocator for 0.0 (4 bytes) - 0.0 Public key type string (ASCII bytes; length defined above) + 0.0 Public key type string (ASCII bytes) 1 uint32 allocator for 1.0 (4 bytes) - 1.0 Public exponent ('e') + 1.0 Public exponent ('e') (hex numeric) 2 uint32 allocator for 2.0 (4 bytes) - 2.0 modulus ('n') + 2.0 modulus ('n') (bytes) ---- ===== Example @@ -48,4 +47,4 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3zsBGAc4qEvDJJMuaMOuZAGaBLLFDaRk/MLK5/dSv 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f 07 ----- \ No newline at end of file +----
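Review bot: the plain.adoc hunk carries copy-paste residue from the encrypted example that makes the "v1 (Plain)" breakdown contradict itself. In the Structure Reference, `1.0 0000000a (10)` / `1.0.0 6165733235362d637472 ("none")` and `2.0 00000006 (6)` / `2.0.0 626372797074 ("none")` are the hex for "aes256-ctr" (10 bytes) and "bcrypt" (6 bytes) from the encrypted key, not for "none"; decoding the first Base64 line of the example (`b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn`) gives `00000004` + `6e6f6e65` for both the cipher and the KDF, so these four lines should read `1.0 00000004 (4)`, `1.0.0 6e6f6e65 ("none")`, `2.0 00000004 (4)`, `2.0.0 6e6f6e65 ("none")`. In the same hunk, "The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*." belongs to the encrypted section; this key has cipher "none" and no passphrase, and the TIP at the top of the section says so. Finally, the Structure listing's range annotations do not match the fields that follow: `4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1)` covers `4.0.0.0` to `4.0.0.2`, and `4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5)` covers `4.0.1.0` to `4.0.1.10` (the 1872-byte length in the example includes the comment and padding).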
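Review bot: in the public.adoc hunk the two numeric fields are labelled inconsistently: `1.0 Public exponent ('e') (hex numeric)` versus `2.0 modulus ('n') (bytes)`, although both are encoded the same way, as SSH `mpint` values (length-prefixed, big-endian, two's complement, with a leading `0x00` byte whenever the top bit of the first byte is set). That is why the modulus in the example is 513 bytes starting with `00` rather than 512, and `e` is the three bytes `010001`. Suggest one label for both, e.g. `(mpint bytes)`, and a sentence noting the leading-zero rule, since readers parsing these structures by hand will otherwise wonder where the extra byte comes from.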