Create and encrypt RSA or EC private key using dedicated utilities.
RSA private key
Create encrypted RSA private key.
$ openssl genrsa -aes256 -passout pass:keypass -out rsa_pkey_enc_genrsa.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes) ..........+++++ ...............................+++++ e is 65537 (0x010001)
Inspect created RSA private key.
$ cat rsa_pkey_enc_genrsa.pem
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,0ED118982947FBEF82EECB9F61224462 jlp1g1XdAeZDCB4b9/rKfZO/Q2ys09cJUtcZjLCRPp6DZb/4KdUp75N8G3Pok4Qz pbyQUxzQCc/wezmZLKV/lgc82/VK/oGDvL7SrgzDIjlLf/3bsrnwRF1r2Z0FskZZ caRF5G5tXM6AEhaSV+XupYzNmMfj2mB7+9z6KCBn0WR8ghycAZuDjZHRXD7i8TzE KpRoP1TohA5SVd08TTGcc9/KCu6eEVGcBBq3yjmyaj7QLA2urKrb+HgUs5zfeN4l AJKg1OV+Ke/1DTgjjgQHhXlIqRTLlOPSCscBdfgNJ19ytFLswJaKvMsOIm9R1kJK BmY9vuuLVfsgZ27y0ZzMp6YKuL6a4SJNIdQ60BDTAzJ3cQ0lSnzJlzvAGEmQX8GQ 46hMyp+FGPEiZ5na7DJ7/zzLyHjkoaYIn2HMqn6vIG+maG/fn4W54GvLMFb111Y4 Lz2EDuWA68ais0cCCPAUbowiX/TplH+J8CywbXbqPcpfms6M5bePl7EnGI1eWCR9 6vlNUNX6Ct+bkbDr3U9J3c+WwCqoPcW4kv5OklX9chueHQtCzSMyZDHiMAl+eF0k JLtCTBuKhMQ1l3HiHxKYNOwaCu+UoOJjttRJVbaXqenhCmD+IgCHK4O50P19r/V/ wAXAZwpD5JEdwpqRaEeYgK2y8bJx8e//1h9dk/k7AxwA4vBPTjVCaWOSlsG0fOM5 4LKV/dJauQ+V3c2I01ynegDU3s89MjQMsiHYWU58ymGw1B90jkinH4zIOspijyWb M3bmUaHPUbYz3lNsE/+wToG+zPl++w0X/YFW+X3T7Wz6ZUm9CKdfdbbV3scaHRdf 0TZDwh+daVjtR1Z9GV7egY0hIMUMQsyN2KzgH8c7EEva4g1bevKTm9MOcceLQOOu /b9L/9P4L4rbghf2ISYN8mWSHU2nzWvJVAo9wX4HAZQnqhWJprsBUZfD8qjUUakK 70DrfSm1zXXLw1x/fo+EFyVn6mT7pDlTCTBA2HWIRizK42BNOoTK8yMzdfMJ8c6A RbG1HS68IlppGZrHsJxnruP0SRpUbAozG56ULmzKVjsG/RMdylFR2JFJcpjikVQD beMX39mOCRyiJvzfYWV17efgxL9ME6kHhXseXsyDN/ZZrWDhijnryx1y6+OHXUuv ZMfIm4Zcm4tXpPwoSWvZw3z8R79ssddaKClAIwn2aXfcOdA8K2CeDVDH57h8QE6X PNmenNEfqzoiSAZEHcxogJEAoRSxpRfnkQrpNZ6GQ0n1XbVzea3+UmEewNw950gs 4C5ZAzQG+5YiS5WKvY+0DNOVpQD2EbZV8eXS4g6ZQoGot01uHRqisjyyTIojJgo7 WdTIAf/lKNtiDHv2WRPr7TQDR7mPi716Uhs5lb+kSTeTM/ilverab7v2yzEhRb+G XzuAoTQ6ke8zv7Fd8SfpLYu/7UDFyFZxnriscQHr/2lv9Pv8fvrm2NT+4hCDTGB/ qqzu9Re0wmkOEQmUmd5+H7kqoRaZcu94BvsrWmmxkPJ5l3e5tzYXDfArqXCDZgxg gbDKML1nWh57GkMfyzI3/Q/5PV2t5imzU2O+ipvEdanfn45pxTuVqIr/XUdAJMnf -----END RSA PRIVATE KEY-----
Create an unencrypted RSA private key.
$ openssl genrsa -out rsa_pkey_unenc_genrsa.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes) .............+++++ .....................+++++ e is 65537 (0x010001)
Inspect created RSA private key.
$ cat rsa_pkey_unenc_genrsa.pem
-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA1X9FdsiYNn/cJXmaLWtKUjRO9ovbKSD6IVfgSOdqvF2xUoYs zKua2yTr/H1R0wJqkAxmWhwCGd516qQrYlhhlT7fkE1RindKhH11fjZFwToY65eh 7U4QXy6TIpvcqhFNHoJznajw7q4Ybm+a0S0G8AP7ckL54Z/nQHisjYN7+UDFnowg 3CvAsB9vvj8BjOJA2Lnax9S2AL7AUL7vlRj1+Jgw1ngmlg0gH+/YVkwV2zqYzxik yZKAhWvy9pHpFy9PcgAxP9s38CmQ50VSyz/pkXrqWl0ML5zAnEY9919y8K3GQBPW R5vAIRW8n8LlJCYFfAOpHSGpBiUAD4nnZTzaGwIDAQABAoIBAQCRsg0Bhtr5NkBS Aq5ImJNbjf7lGYQyiSKpZoLUvbiFW5sLKi2gbut66bNx10PjsB5wt0WR8NMuPDZU Ljy9HHtbklCW9WzUBZyA1e08eGUZ/D/NZulGPKPHkM0wLRVlqfDrBTNJQGVLPNvH YbpRTV0SpmUOEM7ePnVd9fwrhrMv4Nenmv4M73CqTEF4SiIVbnelEluil7T+IRCT qILAs79aDEXtEa3TnwrzGw9a0S2eFG3t8OnApKHRcbY2IVqbNqORPQdbpdTEvCzi ZFEkua1rL4GZLgvOdG7rAfCd751GniCiJIPAFeH6mBHI5+ciQinlgOKQhKgDkqhw OBX9SQmBAoGBAP9b8LoxInt2WKth+IXQjSM5kDQd2GbKDJcVmRZMEysZBETb0Eho ESoB8DeOFZtumomOe5+c77oYbr9CFbM/XozgIBWcBuhBb9pwYwxgDkti0e+zeHih X7H1mi9P9XaiW8cMfXmw5Z0vJpp4hSC7Pmf2+jaT8yHRPS+c9vuBGkcxAoGBANYI b6Mo4wxAIuEADXVxF9cDXfEAd6zkvUvBCY71O15noL5isoVV9KSSgTSKwcZf4iMo iI2OjF5lu9X+HwT60Pkb19ysEKmmKC02Dvh/au/qflHEaGfj3jyyteG7lYPt0TA4 Y5FKtdmVZlPmksegMO1n2fvP6XKq60V/jY0YC7sLAn8t4ldfHXUUui80nGYLpW22 5qECvFomHigk/byERScsl1ItDVJfsFNlOPPxB5baVwVtsiyEga6RwdIki7taegiD R8J8H40eLqPqnEcv8hKfeSI/7/+1rUmEsJ0D41o39vSGz7e8Jg0cMVy+ZOmG+B4+ kCJlrDAD45Ua+RloF8qhAoGBAK2idGbKMb/rfCBKuaBwGiYNjjWI6o2xl7wQI5/9 ZKeGrEonqaov/GNSk0070E4N1VgudvFYFpoyMDs/iIyyqbueEfXtBSuMJ4XeGDES tX9jHg1ZqFW378AQPyuc0YQQ96cF6AijsnmNEVG5eZRHacn/eUEm/71N2cYs33n6 avHXAoGBAKLhGKG/nk8+AmAYonFWdtfufxdJ27HI7MyNmUq9/1fQ22+jkHUqSEx/ BKaC2Hmv27Wc1xywuS7PFigoXo+1w58mrbBjQtEl/5dWAUx7Fc6G+8VXyPwAjKhd R3bMPc+Ppm9fWlDQuNA+XjOPbeUO56sqJXXyBRjrk/3JW542ef4V -----END RSA PRIVATE KEY-----
Encrypt private key using RSA key processing tool.
$ openssl rsa -aes256 -in rsa_pkey_unenc_genrsa.pem -passout pass:keypass -out rsa_pkey_enc_rsa.pem
writing RSA key
Inspect created RSA key.
$ cat rsa_pkey_enc_rsa.pem
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,56EDBB1344492CE30FC97C89603F95AE QJZxjOlrfv/eRrJHeCAY6aY4Lrs7rrSE+5EhZkCLusOpK4vZNZe/HnMGJ30sakkP tZPeqAP0cZER0bNG4/51fhiShOs2glMaNBaFxr1WYPtY892epdHd8rXf7PwQ6uMS KT2REhp0sCMzxtMBgduNMf/7NiYrWT8H8YbzfG4N9+gncXf2k+MUx68+1smILccx uQfHN+nWOdhiQDN0JX2urnl7O15usGlTXGOxeSjGPQ9bcb5bPKxitjJMgOoyJjJR GnaiJLNwDLWQPdXf16ZMMTKOPY0+G+yDMefrzyDGUkIUGByi/OPsyvZMLKseyDUN L0pKwz14hrmLc7tUL0uUfMfuwEPINHwd9fi2VvmtzIY4zXjZMB2nqbn7LZ9p+ygB wiYn/CH940FziSIWelVOD4MHFPt4FtBlJa1O/r8WVAGMQTtibO4OL/3RHOUEM62Q MR/VKSVp10QO/SpsOMU3IT/xJTpiQqme8Qe8yYD3hG9qnGIZWnyhqxNKcd80ss/F nzjW67iviBs98C9N0DSFVAMkVy0pWTcYw/NUP1EJjWJLo9RKvJBbGytteKosoEF5 yC3OUnmnY9nxjp7SHUiySihHd4ysLKN6S4HMDd4l2I5bFH3DhMDRVV9leOnOhuCt u68rlCbAq+yMpRW397eShW/eIJTHPsfbuJv2MZ/yphqQjXw93VKKAAqbMj/UCFID l+hftxsOoHwJaVMxkNqRD2L9IwM83ml7j9v0jSrKvkTjwc3zd7y1FQu+hd9lij8x P2gWxub8+odMe9KhHDiOBgHU0tidbMcXFt+LFY1RWaYBhjkkEHcEvmVlzBDG8U6k twUzKzNQ2N3pwMpvmSinVd9DaK5svA7jiUQW3JQIuC5njUJd1Naq4zIbAxOs5xsO tqPl9ziRQ9kWQBCyEgvrxXurXmcZ99Dku2UGPSUdmZLo6tUbinBY3cd8tgooTzjQ kuHS1rc1AH9Jc1qJA//zSs6Hdtke+S9ssefTZuE1/kOgLJiIg02ZKg3z5BgzkVji 1e8zjzVF8W/ULeQLGFT3jX2z1g5cQnIXNM7ZPp+ecHelBOsye36tmFCpVD5FiHSa /72+1GTVzO+/5g9WmYJcVcQn6nqpBdtRsiErIkZqCAKcn3dRbwcVJOo1Cm25Sylm dBy+WBPK83YtNpiSjPuuaJ8RgQJv1H/5lE0zy26w6XYs789yq0lwwY31p/6azmCP du6iQh43b5NnzscQm1KP5GptQXuAU3ILYGJ7jAwazK48ipdMSvNZp+HOAcH3JAy8 R1bZsGJj5tNWYPs7R1ydPlKe1guyUkJQy256ibDbiVHfkSxkTZRM1GRkMdr05k5h We2REKfEUkV0JqaNaTRJJMY10uqZPOrvZHKVsVh6Ks5ngAILLu53lVAl6guAD5EG ICQMWA7mHA1xZXSFBlO4GNUyFkb+fOlQWBCRqaSHiL2gVNa6VGfMjWqmjvF/ZALp G8BbgrNDln5CUKQDeEExcdzTXHY/xqXe09Bs/MppWNMHRiCZC1vvZaCuAEltvg5d XLdjd7aYYU1GIcam0eB84zVL5yjocnDdZoM9xAoi1rZfTIWIyvBcKxU9FlF0N+2P -----END RSA PRIVATE KEY-----
Reverse whole operation.
$ openssl rsa -in rsa_pkey_enc_rsa.pem -out rsa_pkey_unenc_genrsa.pem -passin pass:keypass
writing RSA key
EC private key
Create an unencrypted EC private key as there is no option to encrypt it using this OpenSSL command.
$ openssl ecparam -name prime256v1 -genkey -noout -out ec_pkey_unenc_ecparam.pem
Inspect created EC private key.
$ cat ec_pkey_unenc_ecparam.pem
-----BEGIN EC PRIVATE KEY----- MHcCAQEEIATuHGFIeLWRXBs5KQqoVhttt1X/wlw7eMzOsLLaCgcKoAoGCCqGSM49 AwEHoUQDQgAEIG1WRAfCCCoG7eejCwShtLOUs2rsGtdlvyomH14+TyqEFNnf6pQs RYqcuBfS0ES01ef/31nv3MQKgqC6WnWLgA== -----END EC PRIVATE KEY-----
Encrypt existing EC private key.
$ openssl ec -aes256 -in ec_pkey_unenc_ecparam.pem -out ec_pkey_enc_ec.pem -passout pass:keypass
read EC key writing EC key
Inspect encrypted EC private key.
$ cat ec_pkey_enc_ec.pem
-----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,CBEFB7789D8B90ED505A814916ACB544 3hVRKr5PkbT2pGMD4v8PMq0VfulCmDYg0qdWdty3MEIQ+KwfcrHH3LOq+TG0q3ud A+lvjjAu94IQHo+mQvSl/xTF3BsQG/9SYc6A/YyI9v73Nr2MHCf7GA0ZkMu70AFS PS+hH8wQ2ZHXDjOphQN4t0FYSfBkfySiuXr5mamSpMo= -----END EC PRIVATE KEY-----
Reverse whole operation.
$ openssl ec -in ec_pkey_enc_ec.pem -out ec_pkey_unenc_ecparam.pem -passin pass:keypass
read EC key writing EC key