Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to generate an openSSL key using a passphrase from the command line?

Tags:

openssl

If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.

You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):

openssl genrsa -aes128 -passout pass:foobar 3072

However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.

A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:

openssl genrsa -aes128 -passout file:passphrase.txt 3072

Or supply the passphrase on standard input:

openssl genrsa -aes128 -passout stdin 3072

You can also used a named pipe with the file: option, or a file descriptor.

To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:

openssl rsa -passin file:passphrase.txt -pubout

(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>).

Example of creating a 3072-bit private and public key pair in files, with the private key pair encrypted with password foobar:

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

genrsa has been replaced by genpkey

The use of the genpkey program is encouraged over the algorithm specific utilities because additional algorithm options and ENGINE provided algorithms can be used.

genpkey allows you to generate the following key types:

  • RSA RSA-PSS EC X25519 X448 ED25519 ED448

When run manually in a terminal it will prompt for a password:

openssl genpkey -aes-256-cbc -algorithm RSA -out /etc/ssl/private/key.pem -pkeyopt rsa_keygen_bits:4096

However when run from a script the command will not ask for a password so to avoid the password being viewable as a process use a function in a shell script:

get_passwd() {
    local passwd=
    echo -ne "Enter passwd for private key: ? "; read -s passwd
    openssl genpkey -aes-256-cbc -pass pass:$passwd -algorithm RSA -out $PRIV_KEY -pkeyopt rsa_keygen_bits:$PRIV_KEYSIZE
}

Related questions

Creating self signed certificate for domain and subdomains - NET::ERR_CERT_COMMON_NAME_INVALID
How to encrypt a large file in openssl using public key
Update OpenSSL on OS X with Homebrew
openssl s_client using a proxy
OpenSSL Verify return code: 20 (unable to get local issuer certificate)
How to read .pem file to get private and public key
Generating cryptographically secure tokens
"Public key certificate and private key doesn't match" when using Godaddy issued certificate [closed]
Running Openssl from a bash script on windows - Subject does not start with '/'
is it possible making openssl skipping the country/common name prompts?
OpenSSL: unable to verify the first certificate for Experian URL
Authentication failed because remote party has closed the transport stream
Git for Windows: SSL certificate problem: certificate has expired
OpenSSL hangs during PKCS12 export with "Loading 'screen' into random state"
How to convert a private key to an RSA private key?
SSL Error: unable to get local issuer certificate
Unable to load Private Key. (PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: ANY PRIVATE KEY) [closed]
OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE [closed]
What is the purpose of the -nodes argument in openssl?
Load RSA public key from file

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!