How to create and encrypt RSA or EC private key using general utilities

There are several ways to create and encrypt an RSA or EC private key with the general OpenSSL utilities, so let me sum them up.

genpkey

The genpkey command can be used to generate a private key.

Generate an unencrypted RSA private key.

$ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out rsa_pkey_unenc_genpkey.pem
..............+++++
..+++++
$ cat rsa_pkey_unenc_genpkey.pem
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

Generate an encrypted RSA private key.

$ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc -pass pass:keypass -out rsa_pkey_enc_genpkey.pem
$ cat rsa_pkey_enc_genpkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----

Generate an unencrypted EC private key.

$ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out ec_pkey_unenc_genpkey.pem
$ cat ec_pkey_unenc_genpkey.pem
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg775+kyqsBI+DAY+s
0yEdgGDcEVhp/iVOMynQQQqD99mhRANCAAQcyW+6R3oXG4QbWU8NwADpW9irvnj6
FnELlDvtTem+ufUhiBWGhwCBwVfyBpqJsYuDWLLtHTRY4EVolbQ3K/YB
-----END PRIVATE KEY-----

Generate an encrypted EC private key.

$ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -aes-256-cbc -pass pass:keypass -out ec_pkey_enc_genpkey.pem
$ cat ec_pkey_enc_genpkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAi2zHpFW24wnAICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEEajoQzUQgXpJQkpFpBaAO4EgZB5
XSR1KpbsPQ/d9JgPP20bNYKKvWRwAmQRu68GYif1hdv1d0TFdQo3wYkKnebNJvEB
3De33doXjsXP9yzZwfD9cwuPfIQ2JxIt/LqHUVTL7RhtQLb8MKcU8hKQZdGIzooS
lJpqqJ8TGzMMR8Kt2Wi1ACBHOoZWmJvrnNXPUSSwPiCoFiYBKUn+WGv/1ssYRP4=
-----END ENCRYPTED PRIVATE KEY-----

pkey

The pkey command can be used as a public or private key processing tool.

Encrypt an existing RSA private key.

$ openssl pkey -aes256 -in rsa_pkey_unenc_genpkey.pem -passout pass:keyout -out rsa_pkey_enc_pkey.pem
$ cat rsa_pkey_enc_pkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----

Encrypt an existing EC private key using the traditional format.

$ openssl pkey -aes256 -in ec_pkey_unenc_genpkey.pem -passout pass:keypass -out ec_pkey_enc_pkey.pem -traditional
$ cat ec_pkey_enc_pkey.pem 
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3DA504A6D1C57D3EB80F4F0352F588A6

ybBslNKeNU98PGOuQaX+b+hdf0U27JqjLVDMGgHpqtr5g3huB6P0x6Guy31ranGF
Hg3V+TY7LYJqKHZ1EpfhVZk5cOKjivhDaGGI5guPS+DvkC3kmfogL/oAju5bSQTC
uVyoxGIV1lOen1SIO/g5zU5tYt4JirutrfIf4terHn8=
-----END EC PRIVATE KEY-----

pkcs8

The pkcs8 command can be used as a PKCS#8 format private key conversion utility.

Convert a private key to unencrypted PKCS#8 format.

$ openssl pkcs8 -topk8 -in ec_pkey_enc_genpkey.pem -passin pass:keypass -out ec_pkey_unenc_pkcs8.pem -nocrypt
$ cat ec_pkey_unenc_pkcs8.pem   
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8PpYWn4Swm0wypEJ
nbdDncHddUZEzNpBaZwWxCJD6EqhRANCAAR95CxpOsM4nvXzYx4gXb8K6xZ6EUkQ
aDPo4g6jkDg0NxApMA2r7GSZiOrm/9ZwUIOA40IVeV5BUD6jsu2q+i+V
-----END PRIVATE KEY-----

Convert a private key to encrypted PKCS#8 format.

$ openssl pkcs8 -topk8 -in ec_pkey_unenc_genpkey.pem -passout pass:keypass -out ec_pkey_enc_pkcs8.pem
$ cat ec_pkey_enc_pkcs8.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgubDREXD/RogICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEDWIL671+DX/VVB1hF/2mmoEgZCA
wRUPyP8a05RTsl9BFJf9kVDY10VJGWOGhxcHlSBALqUH7OWrUCFsD+ogjHAPXcWL
P3/rSj+YeVuStMuiGJp3K/DH9V1pYHHyVFktQDvT07iNjk+DjxvwDnvCQrOLdeiN
G5rpCElTJGqVJ3GbCVqW++7MhR7ygdEnUF0vY3plcLz4usuzxKL47kglG9o/tZE=
-----END ENCRYPTED PRIVATE KEY-----
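
The commands above emit three encapsulations: `BEGIN PRIVATE KEY` (unencrypted PKCS#8), `BEGIN ENCRYPTED PRIVATE KEY` (encrypted PKCS#8), and the traditional `BEGIN EC PRIVATE KEY` with a `Proc-Type: 4,ENCRYPTED` header. The script below is an added example, not part of the original post: it classifies key files by those headers, lists the ones stored unencrypted, and re-wraps a key as encrypted PKCS#8 while reading the passphrase from a file rather than from `pass:` on the command line, where it is visible in the process list and shell history. The function names and the passphrase-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and arguments are illustrative assumptions.

# pem_key_kind FILE: print the encapsulation of the first private key in FILE.
pem_key_kind() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/    { kind = "pkcs8-encrypted"; exit }
        /^-----BEGIN PRIVATE KEY-----/              { kind = "pkcs8-unencrypted"; exit }
        /^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----/ { trad = 1; next }
        # Traditional format announces encryption on the line after BEGIN.
        trad && /^Proc-Type: 4,ENCRYPTED/           { kind = "traditional-encrypted"; exit }
        trad                                        { kind = "traditional-unencrypted"; exit }
        END { print (kind != "" ? kind : "not-a-private-key") }
    ' "$1"
}

# audit_keys DIR: print "KIND<TAB>PATH<TAB>NOTE" for every *.pem key stored
# unencrypted; NOTE is "world-readable" when mode bit 004 is set.
# Returns 1 if anything was reported, 0 otherwise.
audit_keys() {
    found=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        kind=$(pem_key_kind "$f")
        case $kind in
            *-unencrypted)
                found=1
                note=""
                [ -n "$(find "$f" -prune -perm -004)" ] && note="world-readable"
                printf '%s\t%s\t%s\n' "$kind" "$f" "$note" ;;
        esac
    done
    return "$found"
}

# encrypt_key IN OUT PASSFILE: re-wrap an unencrypted key as AES-256-CBC
# encrypted PKCS#8. The passphrase is the first line of PASSFILE, so it never
# appears in argv; umask 077 keeps the output file private to the owner.
encrypt_key() {
    ( umask 077 && openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$1" -passout "file:$3" -out "$2" )
}

# Usage: audit_keys /path/to/keys || echo "unencrypted private keys found"
```
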