What are the supported Open SSH Key Formats when it is using in Azure ADF - Linked services for SFTP access

Hi Lekkala, MuraliKrishna,

Thanks for reaching out! Currently the built-in Azure Data Factory SFTP connector only accepts OpenSSH keys in the classic RSA (or legacy DSA) PEM format – it doesn’t yet support ECDSA private keys. You’ll see in the docs (under “Use SSH public key authentication”) that the connector only recognizes:

• Keys beginning with “-----BEGIN RSA PRIVATE KEY-----” • (Or “-----BEGIN DSA PRIVATE KEY-----”)

Because ECDSA keys start with “-----BEGIN EC PRIVATE KEY-----” (or with the newer OpenSSH “PRIVATE KEY” banner), the ADF connector will reject them today.

Possible workarounds:

1. Stick with an RSA key pair for your ADF → SFTP link, and rotate it regularly per your security policy.
2. If you must use ECDSA, stand up a self-hosted integration runtime (e.g. on a Linux VM) and invoke your own SFTP script (ssh/scp or a small Azure Function/python script) that supports EC keys—and have ADF trigger that script.
3. Submit a feature request on UserVoice/Feedback for ECDSA support in the ADF SFTP connector.

If none of these fit, you could also look at the new Azure Blob Storage SFTP service (if you’re targeting Azure Storage rather than a third-party box) since that SFTP endpoint does support ECDSA host/public-key algorithms.

Let me know if that helps or if you need more detail on any of the workarounds!

Reference links
• SSH public-key auth in ADF SFTP connector (RSA/DSA only):
https://learn.microsoft.com/azure/data-factory/connector-sftp#linked-service-properties
• Supported algorithms in Azure Blob Storage SFTP (ECDSA hosts allowed): https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#supported-algorithms

Azure Data Factory’s SFTP linked service supports only RSA/DSA OpenSSH private keys. ECDSA OpenSSH keys are not supported for SFTP authentication in ADF.

From the SFTP connector documentation:

• The SFTP connector supports an RSA/DSA OpenSSH key.
• The key file content must start with -----BEGIN [RSA/DSA] PRIVATE KEY-----.
• If the private key file is in PPK format, it must be converted to OpenSSH format (for example, using PuTTY tools).

Because of this limitation, an SFTP linked service in ADF cannot be configured to authenticate with an ECDSA OpenSSH key. To meet a strict ECDSA-only security requirement, an alternative integration approach outside ADF’s native SFTP connector would be required (for example, a custom process that supports ECDSA and then stages data where ADF can read it), but that is not supported directly by the SFTP linked service.

Key configuration options that are supported in ADF SFTP linked services:

• userName: SFTP user.
• privateKeyPath or privateKeyContent: RSA/DSA OpenSSH private key only.
• passPhrase: Optional, if the private key is encrypted.

There is no documented procedure to enable ECDSA keys with the built‑in SFTP connector; only RSA/DSA keys are supported.

References:

• Copy and transform data in SFTP server using Azure Data Factory or Azure Synapse Analytics
• Troubleshoot the FTP, SFTP, and HTTP connectors in Azure Data Factory and Azure Synapse