Check if Private Key is password protected using Bash

I'm looking for a way using a Bash script to detect whether a Private Key file is password protected or not.

I would believe this is possible using OpenSSL using the following command:

openssl rsa -in privkey.pem -check -noout

If I run that I am either presented with "RSA Key ok" (if the private key doesn't have a password set) or a prompt asking me to enter the password (password is set).

Ok, so clearly OpenSSL is detecting there is or isn't a password set on the private key file. I don't want to enter the password or have the user see that, I just want a simple true/false if a password is set or not so my Bash script can handle that appropriately, i.e. prompt the user later on to provide the password in another way.

EDIT:

I'm adding more info here because what I am trying to achieve is something a bit different:

I'm scanning over a directory of files (presumed a certificate bundle) and using the bash script to determine the type of each file.

I need to detect the Private Key file and identify it as such, but then I need to separately determine whether a password has been set on it or not.

# First check: is the file a private key at all? (prompts for a password on encrypted keys)
openssl rsa -check -in "$FILE" &> /dev/null
if [ $? -eq 0 ]; then
   echo -n "Detected Private Key"
   # Second check: a dummy password fails only if the key is actually encrypted
   openssl rsa -check -in "$FILE" -passin pass:1234 &> /dev/null
   if [ $? -ne 0 ]; then
       echo " WITH password"
   else
       echo " WITHOUT password"
   fi
fi

The issue I'm having is in my first check I'm using the Key check to see if the file is or isn't a key, but when that check stumbles on a Key with a password I get prompted to enter the password.

If I pass the -passin option as part of that first check I get a pass/fail but from that pass/fail I cannot determine whether the failure is because there was a password set on the key file or if the keyfile is not a keyfile at all.

I'm trying to build a script that will allow a user to just drop a cert bundle into a folder and have the script sort out what format the files are in and convert them appropriately.

imedia asked May 27 '26 21:05

1 Answer

You can pass a fake password in the command: if the key has no password it will return 0, otherwise the key has a password:

openssl rsa -check -in privateKey-enc.key -passin pass:1234 &> /dev/null

echo $?

EDIT:

Maybe the explanation below is not the best one, but, right now, it might help you.

By default the key file has a standard format; if you check the first line (head -1), you can see the content is different.

When the key is password-protected the first line is something like:

-----BEGIN ENCRYPTED PRIVATE KEY-----
  • five dashes -----

instead:

-----BEGIN PRIVATE KEY-----

You can check this and solve your problem without openssl command:

# grep -q exits 0 when a match is found; no need to capture output
if grep -q "PRIVATE" "$FILE"
then
  # encrypted PKCS#8 keys say "BEGIN ENCRYPTED PRIVATE KEY"
  if grep -q "ENCRYPTED" "$FILE"
  then
    echo "Private key with password"
  else
    echo "Private Key without password"
  fi
else
  echo "No private key detected"
fi

PS. You can do the same check by comparing the error output of the openssl -check command.

Juranir Santos answered Jun 04 '26 10:06

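Putting the question's bundle-sorting goal and the answer's header check together, here is an added example (not from the question or the answer above) that classifies each file from its PEM header alone, so openssl is never invoked and no password prompt can appear. It also covers the case the plain grep misses in spirit: legacy "BEGIN RSA PRIVATE KEY" files mark encryption with a Proc-Type header rather than in the BEGIN line. The sample files it writes are constructed placeholders with fake bodies, not real keys.

```bash
#!/usr/bin/env bash
# Classify a file by its PEM armour without calling openssl, so no password
# prompt can ever appear. Prints one of: none | plain | encrypted.
classify_key() {
    local file="$1" header
    # The BEGIN line tells a key from a certificate or junk; reading only a few
    # lines keeps this cheap on large or binary files. CRLF files are tolerated.
    header=$(head -n 1 "$file" 2>/dev/null | tr -d '\r' || true)
    case "$header" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo encrypted ;;                 # PKCS#8, password protected
        "-----BEGIN "*"PRIVATE KEY-----")
            # PKCS#8 unencrypted, or legacy "BEGIN RSA/EC/DSA PRIVATE KEY".
            # Legacy keys flag encryption in a Proc-Type header, not the BEGIN line.
            # (OpenSSH-format keys keep that flag inside the base64 body and will
            # report "plain" here.)
            if head -n 3 "$file" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo encrypted
            else
                echo plain
            fi ;;
        *)  echo none ;;                      # certificate, CSR, DER, or not PEM
    esac
}

# Constructed sample files (placeholder bodies, not real keys) to exercise
# the classifier; prints the directory they were written to.
make_samples() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAAplaceholder' \
        '-----END PRIVATE KEY-----' > "$dir/pkcs8.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAAplaceholder' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8-enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'AAAAplaceholder' '-----END RSA PRIVATE KEY-----' > "$dir/legacy-enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAAplaceholder' \
        '-----END RSA PRIVATE KEY-----' > "$dir/legacy.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAAplaceholder' \
        '-----END CERTIFICATE-----' > "$dir/cert.crt"
    echo "$dir"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    samples=$(make_samples)
    for f in "$samples"/*; do
        printf '%-16s %s\n' "$(basename "$f")" "$(classify_key "$f")"
    done
    rm -rf "$samples"
fi
```

Point classify_key at each file in the dropped bundle directory and branch on the printed word; only files reported as "encrypted" need the user to be asked for a passphrase later.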