Menu
RSA private keys may be assigned a "passphrase" which - as I understand it - is intended to provide some secondary security in case someone makes off with the private key file.
How is the passphrase layer of security implemented?
844
A passphrase is a word or phrase that protects private key files. It prevents unauthorized users from encrypting them. Usually it's just the secret encryption/decryption key used for Ciphers. To change the passphrase you simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase.
You will be prompted for a passphrase which is used to encrypt the private key. By default, the private key is stored in ~/. ssh/id_rsa and the public key is stored in ~/. ssh/id_rsa.
The passphrase is just a key used to encrypt the file that contains the RSA key, using a symmetric cipher (usually DES or 3DES). In order to use the key for public-key encryption, you first need to decrypt its file using the decryption key. ssh does this automatically by asking your for the passphrase.
Passphrase is preferred over Private key because of its logic and it is easy to read, easy to remember, can be easily noted on paper. You can use Passphrase to regenerate your Private Key. A Passphrase can create wallets containing multiple Private Keys. Passphrase has control over all your Private Keys.
ssh-keygen uses OpenSSL to generate RSA keys and store it in PEM format. The encryption you are talking about is specific to PEM. If you look at your key file,
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,5B01E932988DC66B EPESt4ZVIrxnQXxxWWVa7cCR+vgNZ/4vTu4mdq6pjaW7jMZoB8HV+mA745mQkQw7 i+YtdVs/JqOeyGiw/3McxYYKZTlhyh7MvfIr1n8ZdZmcjQz+oFqMxChFU3r8BGgA "DEK-Info" header has all the information you need to decrypt the key as long as you know the passphrase. "DES-EDE3-CBC" means Triple DES (in EDE mode). CBC is the chaining mode. The hex number is the initial vector needed for CBC.
PEM is a very old format so it only supports DES/TripleDES. AES and Blowfish were added later on but not supported by all implementations. My ssh (OpenSSH 5.2) only supports DES and TripleDES.
136
The passphrase is just a key used to encrypt the file that contains the RSA key, using a symmetric cipher (usually DES or 3DES). In order to use the key for public-key encryption, you first need to decrypt its file using the decryption key. ssh does this automatically by asking your for the passphrase.
If somebody got a hold of the key's file, they wouldn't be able to use it unless they knew the passphrase used to encrypt the file.
24
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
