Categories
SysOps

How to create and encrypt RSA or EC private key

Create and encrypt RSA or EC private key using dedicated utilities.

RSA private key

Create encrypted RSA private key.

$ openssl genrsa -aes256 -passout pass:keypass -out rsa_pkey_enc_genrsa.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
...............................+++++
e is 65537 (0x010001)

Inspect created RSA private key.

$ cat rsa_pkey_enc_genrsa.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0ED118982947FBEF82EECB9F61224462

jlp1g1XdAeZDCB4b9/rKfZO/Q2ys09cJUtcZjLCRPp6DZb/4KdUp75N8G3Pok4Qz
pbyQUxzQCc/wezmZLKV/lgc82/VK/oGDvL7SrgzDIjlLf/3bsrnwRF1r2Z0FskZZ
caRF5G5tXM6AEhaSV+XupYzNmMfj2mB7+9z6KCBn0WR8ghycAZuDjZHRXD7i8TzE
KpRoP1TohA5SVd08TTGcc9/KCu6eEVGcBBq3yjmyaj7QLA2urKrb+HgUs5zfeN4l
AJKg1OV+Ke/1DTgjjgQHhXlIqRTLlOPSCscBdfgNJ19ytFLswJaKvMsOIm9R1kJK
BmY9vuuLVfsgZ27y0ZzMp6YKuL6a4SJNIdQ60BDTAzJ3cQ0lSnzJlzvAGEmQX8GQ
46hMyp+FGPEiZ5na7DJ7/zzLyHjkoaYIn2HMqn6vIG+maG/fn4W54GvLMFb111Y4
Lz2EDuWA68ais0cCCPAUbowiX/TplH+J8CywbXbqPcpfms6M5bePl7EnGI1eWCR9
6vlNUNX6Ct+bkbDr3U9J3c+WwCqoPcW4kv5OklX9chueHQtCzSMyZDHiMAl+eF0k
JLtCTBuKhMQ1l3HiHxKYNOwaCu+UoOJjttRJVbaXqenhCmD+IgCHK4O50P19r/V/
wAXAZwpD5JEdwpqRaEeYgK2y8bJx8e//1h9dk/k7AxwA4vBPTjVCaWOSlsG0fOM5
4LKV/dJauQ+V3c2I01ynegDU3s89MjQMsiHYWU58ymGw1B90jkinH4zIOspijyWb
M3bmUaHPUbYz3lNsE/+wToG+zPl++w0X/YFW+X3T7Wz6ZUm9CKdfdbbV3scaHRdf
0TZDwh+daVjtR1Z9GV7egY0hIMUMQsyN2KzgH8c7EEva4g1bevKTm9MOcceLQOOu
/b9L/9P4L4rbghf2ISYN8mWSHU2nzWvJVAo9wX4HAZQnqhWJprsBUZfD8qjUUakK
70DrfSm1zXXLw1x/fo+EFyVn6mT7pDlTCTBA2HWIRizK42BNOoTK8yMzdfMJ8c6A
RbG1HS68IlppGZrHsJxnruP0SRpUbAozG56ULmzKVjsG/RMdylFR2JFJcpjikVQD
beMX39mOCRyiJvzfYWV17efgxL9ME6kHhXseXsyDN/ZZrWDhijnryx1y6+OHXUuv
ZMfIm4Zcm4tXpPwoSWvZw3z8R79ssddaKClAIwn2aXfcOdA8K2CeDVDH57h8QE6X
PNmenNEfqzoiSAZEHcxogJEAoRSxpRfnkQrpNZ6GQ0n1XbVzea3+UmEewNw950gs
4C5ZAzQG+5YiS5WKvY+0DNOVpQD2EbZV8eXS4g6ZQoGot01uHRqisjyyTIojJgo7
WdTIAf/lKNtiDHv2WRPr7TQDR7mPi716Uhs5lb+kSTeTM/ilverab7v2yzEhRb+G
XzuAoTQ6ke8zv7Fd8SfpLYu/7UDFyFZxnriscQHr/2lv9Pv8fvrm2NT+4hCDTGB/
qqzu9Re0wmkOEQmUmd5+H7kqoRaZcu94BvsrWmmxkPJ5l3e5tzYXDfArqXCDZgxg
gbDKML1nWh57GkMfyzI3/Q/5PV2t5imzU2O+ipvEdanfn45pxTuVqIr/XUdAJMnf
-----END RSA PRIVATE KEY-----

Create an unencrypted RSA private key.

$ openssl genrsa -out rsa_pkey_unenc_genrsa.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
.....................+++++
e is 65537 (0x010001)

Inspect created RSA private key.

$ cat rsa_pkey_unenc_genrsa.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1X9FdsiYNn/cJXmaLWtKUjRO9ovbKSD6IVfgSOdqvF2xUoYs
zKua2yTr/H1R0wJqkAxmWhwCGd516qQrYlhhlT7fkE1RindKhH11fjZFwToY65eh
7U4QXy6TIpvcqhFNHoJznajw7q4Ybm+a0S0G8AP7ckL54Z/nQHisjYN7+UDFnowg
3CvAsB9vvj8BjOJA2Lnax9S2AL7AUL7vlRj1+Jgw1ngmlg0gH+/YVkwV2zqYzxik
yZKAhWvy9pHpFy9PcgAxP9s38CmQ50VSyz/pkXrqWl0ML5zAnEY9919y8K3GQBPW
R5vAIRW8n8LlJCYFfAOpHSGpBiUAD4nnZTzaGwIDAQABAoIBAQCRsg0Bhtr5NkBS
Aq5ImJNbjf7lGYQyiSKpZoLUvbiFW5sLKi2gbut66bNx10PjsB5wt0WR8NMuPDZU
Ljy9HHtbklCW9WzUBZyA1e08eGUZ/D/NZulGPKPHkM0wLRVlqfDrBTNJQGVLPNvH
YbpRTV0SpmUOEM7ePnVd9fwrhrMv4Nenmv4M73CqTEF4SiIVbnelEluil7T+IRCT
qILAs79aDEXtEa3TnwrzGw9a0S2eFG3t8OnApKHRcbY2IVqbNqORPQdbpdTEvCzi
ZFEkua1rL4GZLgvOdG7rAfCd751GniCiJIPAFeH6mBHI5+ciQinlgOKQhKgDkqhw
OBX9SQmBAoGBAP9b8LoxInt2WKth+IXQjSM5kDQd2GbKDJcVmRZMEysZBETb0Eho
ESoB8DeOFZtumomOe5+c77oYbr9CFbM/XozgIBWcBuhBb9pwYwxgDkti0e+zeHih
X7H1mi9P9XaiW8cMfXmw5Z0vJpp4hSC7Pmf2+jaT8yHRPS+c9vuBGkcxAoGBANYI
b6Mo4wxAIuEADXVxF9cDXfEAd6zkvUvBCY71O15noL5isoVV9KSSgTSKwcZf4iMo
iI2OjF5lu9X+HwT60Pkb19ysEKmmKC02Dvh/au/qflHEaGfj3jyyteG7lYPt0TA4
Y5FKtdmVZlPmksegMO1n2fvP6XKq60V/jY0YC7sLAn8t4ldfHXUUui80nGYLpW22
5qECvFomHigk/byERScsl1ItDVJfsFNlOPPxB5baVwVtsiyEga6RwdIki7taegiD
R8J8H40eLqPqnEcv8hKfeSI/7/+1rUmEsJ0D41o39vSGz7e8Jg0cMVy+ZOmG+B4+
kCJlrDAD45Ua+RloF8qhAoGBAK2idGbKMb/rfCBKuaBwGiYNjjWI6o2xl7wQI5/9
ZKeGrEonqaov/GNSk0070E4N1VgudvFYFpoyMDs/iIyyqbueEfXtBSuMJ4XeGDES
tX9jHg1ZqFW378AQPyuc0YQQ96cF6AijsnmNEVG5eZRHacn/eUEm/71N2cYs33n6
avHXAoGBAKLhGKG/nk8+AmAYonFWdtfufxdJ27HI7MyNmUq9/1fQ22+jkHUqSEx/
BKaC2Hmv27Wc1xywuS7PFigoXo+1w58mrbBjQtEl/5dWAUx7Fc6G+8VXyPwAjKhd
R3bMPc+Ppm9fWlDQuNA+XjOPbeUO56sqJXXyBRjrk/3JW542ef4V
-----END RSA PRIVATE KEY-----

Encrypt private key using RSA key processing tool.

$ openssl rsa -aes256 -in rsa_pkey_unenc_genrsa.pem -passout pass:keypass -out rsa_pkey_enc_rsa.pem
writing RSA key

Inspect created RSA key.

$ cat rsa_pkey_enc_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,56EDBB1344492CE30FC97C89603F95AE

QJZxjOlrfv/eRrJHeCAY6aY4Lrs7rrSE+5EhZkCLusOpK4vZNZe/HnMGJ30sakkP
tZPeqAP0cZER0bNG4/51fhiShOs2glMaNBaFxr1WYPtY892epdHd8rXf7PwQ6uMS
KT2REhp0sCMzxtMBgduNMf/7NiYrWT8H8YbzfG4N9+gncXf2k+MUx68+1smILccx
uQfHN+nWOdhiQDN0JX2urnl7O15usGlTXGOxeSjGPQ9bcb5bPKxitjJMgOoyJjJR
GnaiJLNwDLWQPdXf16ZMMTKOPY0+G+yDMefrzyDGUkIUGByi/OPsyvZMLKseyDUN
L0pKwz14hrmLc7tUL0uUfMfuwEPINHwd9fi2VvmtzIY4zXjZMB2nqbn7LZ9p+ygB
wiYn/CH940FziSIWelVOD4MHFPt4FtBlJa1O/r8WVAGMQTtibO4OL/3RHOUEM62Q
MR/VKSVp10QO/SpsOMU3IT/xJTpiQqme8Qe8yYD3hG9qnGIZWnyhqxNKcd80ss/F
nzjW67iviBs98C9N0DSFVAMkVy0pWTcYw/NUP1EJjWJLo9RKvJBbGytteKosoEF5
yC3OUnmnY9nxjp7SHUiySihHd4ysLKN6S4HMDd4l2I5bFH3DhMDRVV9leOnOhuCt
u68rlCbAq+yMpRW397eShW/eIJTHPsfbuJv2MZ/yphqQjXw93VKKAAqbMj/UCFID
l+hftxsOoHwJaVMxkNqRD2L9IwM83ml7j9v0jSrKvkTjwc3zd7y1FQu+hd9lij8x
P2gWxub8+odMe9KhHDiOBgHU0tidbMcXFt+LFY1RWaYBhjkkEHcEvmVlzBDG8U6k
twUzKzNQ2N3pwMpvmSinVd9DaK5svA7jiUQW3JQIuC5njUJd1Naq4zIbAxOs5xsO
tqPl9ziRQ9kWQBCyEgvrxXurXmcZ99Dku2UGPSUdmZLo6tUbinBY3cd8tgooTzjQ
kuHS1rc1AH9Jc1qJA//zSs6Hdtke+S9ssefTZuE1/kOgLJiIg02ZKg3z5BgzkVji
1e8zjzVF8W/ULeQLGFT3jX2z1g5cQnIXNM7ZPp+ecHelBOsye36tmFCpVD5FiHSa
/72+1GTVzO+/5g9WmYJcVcQn6nqpBdtRsiErIkZqCAKcn3dRbwcVJOo1Cm25Sylm
dBy+WBPK83YtNpiSjPuuaJ8RgQJv1H/5lE0zy26w6XYs789yq0lwwY31p/6azmCP
du6iQh43b5NnzscQm1KP5GptQXuAU3ILYGJ7jAwazK48ipdMSvNZp+HOAcH3JAy8
R1bZsGJj5tNWYPs7R1ydPlKe1guyUkJQy256ibDbiVHfkSxkTZRM1GRkMdr05k5h
We2REKfEUkV0JqaNaTRJJMY10uqZPOrvZHKVsVh6Ks5ngAILLu53lVAl6guAD5EG
ICQMWA7mHA1xZXSFBlO4GNUyFkb+fOlQWBCRqaSHiL2gVNa6VGfMjWqmjvF/ZALp
G8BbgrNDln5CUKQDeEExcdzTXHY/xqXe09Bs/MppWNMHRiCZC1vvZaCuAEltvg5d
XLdjd7aYYU1GIcam0eB84zVL5yjocnDdZoM9xAoi1rZfTIWIyvBcKxU9FlF0N+2P
-----END RSA PRIVATE KEY-----

Reverse whole operation.

$ openssl rsa -in rsa_pkey_enc_rsa.pem -out rsa_pkey_unenc_genrsa.pem -passin pass:keypass
writing RSA key

EC private key

Create an unencrypted EC private key as there is no option to encrypt it using this OpenSSL command.

$ openssl ecparam -name prime256v1 -genkey -noout -out ec_pkey_unenc_ecparam.pem

Inspect created EC private key.

$ cat ec_pkey_unenc_ecparam.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIATuHGFIeLWRXBs5KQqoVhttt1X/wlw7eMzOsLLaCgcKoAoGCCqGSM49
AwEHoUQDQgAEIG1WRAfCCCoG7eejCwShtLOUs2rsGtdlvyomH14+TyqEFNnf6pQs
RYqcuBfS0ES01ef/31nv3MQKgqC6WnWLgA==
-----END EC PRIVATE KEY-----

Encrypt existing EC private key.

$ openssl ec -aes256 -in ec_pkey_unenc_ecparam.pem -out ec_pkey_enc_ec.pem -passout pass:keypass
read EC key
writing EC key

Inspect encrypted EC private key.

$ cat ec_pkey_enc_ec.pem 
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,CBEFB7789D8B90ED505A814916ACB544

3hVRKr5PkbT2pGMD4v8PMq0VfulCmDYg0qdWdty3MEIQ+KwfcrHH3LOq+TG0q3ud
A+lvjjAu94IQHo+mQvSl/xTF3BsQG/9SYc6A/YyI9v73Nr2MHCf7GA0ZkMu70AFS
PS+hH8wQ2ZHXDjOphQN4t0FYSfBkfySiuXr5mamSpMo=
-----END EC PRIVATE KEY-----

Reverse whole operation.

$ openssl ec -in ec_pkey_enc_ec.pem -out ec_pkey_unenc_ecparam.pem -passin pass:keypass
read EC key
writing EC key