How to determine cipher used to encrypt the private key

Use the openssl utility to determine the cipher used to encrypt a private key.

Inspect the private key file directly: the traditional form provides this information out of the box, in its DEK-Info header.

$ cat rsa_pkey_enc_pkey.pem  
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,06A16DB50701C4E4FF6D710544F1F81C
-----END RSA PRIVATE KEY-----

An encrypted key in PKCS#8 form does not provide this information in its PEM text.

$ cat rsa_pkey_enc_genpkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIPEEe4tn1gy0CAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDPCcpNhzQnLDgRMSTLqXfBBIIE
0JHtmfGK1kmr0oOVY6DJeuENraUGSvTT2SYpWY4POjKhxf2HSETlsehjtbP1cjBR
UYR3idyv9GzJnzsOOPmhRd5G1x29VoYK8ItpN5Jq+cHsFmeaSO1bowCPkk+VPZMw
r/SjNj0foGxcPKw6EWnf+v/QlTUWt6abRD4AMUxWp/FTLoiB86gs4ZuTZTO4cl23
ojGfTRYuzU7ya173j/VLnOMUDIaDrlmXcA8TWjp0FZKeMLtXM1xAb6iSCv+VdmtE
qH5hpdnM9xd9ty2uB6b4iARu6UT8qLh9O+RcjWkPShDlMCnnTqVKHWSaVYiVBZ0M
xt29BSWM6qxwMcyJYGqf4zOoREfJKWbl63E099nsC2HYj63n8eSeGQOZdtPbpLYZ
BvGaerJdrcLPhJsjRLglLif9tMcty0nIg14lNmHUOwObNGUqm3O+5EE7C7j4JGup
4Xt/Ex30aUa/hyLabyXSET4YHYyRMP1r2rXofXJBQW8KjFp/Fr7QxH2RF3eZXCxr
h+5s7U2vtIY6icAwSl58GYbV1pDjla6v4dbtufdWz2S18+2RkjCNQd6yBj/VAYNR
/HLpmKy9Gmd8wNQ4PIOvh+6ltvjKB+hRu+9ZtisqFK6QzLtapc8NdS3UNh49hYvG
Vuek6Ih9uC4gJlydk0LDS7k1rY8MkjggOAN55KINJECk5wuB1vHCeVLDDo93f7HU
H986NIqul/DbxBkePbsnGJvzEPbpSgDr+iMTiFRgmTMLbcgSIZCljSnVHK5y/8gi
WlntUgogSzdOVTfPIegR28A5c4Q8sGw5e/f5bgJsx2K8xFyZuNSRaT0tfRdVZfMi
JQiaGFo5KbAmh28q1xcuGFsud9/wH3nG9S3klWb7TrEXxWTGAcZh3ygl5fK8Rak1
BwoCqUblH7nehs5x4eHqJpqRTz5yyJAe5B5jn3d0muOAXlELS22nB20W7RjVX5Qk
EvOY3U4nujuyGPSpoQG7AqHHAa7r7QHY/7xLn2P5UlEZxJ43OWeZQ0QAhmp629r4
qRTir64CpvIHkv9Ft1zj8pP1XVw2KtgkJPZhRqAHP6EzsBlWQX6xdv5ei2IoZ9gi
2bUOUg7FrvzEN2WxvgdF6TDaWdl3Bzb1he5bKh3dtWiQ1o5BAjD5uzzfB53DwS3z
OFnN0GtoinGlEcNWZEU4dm0/Uqh7vz9I7mkQbAHkynleEDum7ZKZaigdbDkEaTSo
2+la9NAcrrkDuyPguQw6KWMkiKzRTDtXT5Y9JuQ0JLXBlIQ7nzCEVUAdA/U10I4T
j1elPNC9VjcxF/fsI8ZsvDJ4OoQEGkD/VAgxijz6H2qh7BfBiRj5f5/w/Hp8IkLl
pop6D7mONmQerPay9Exo3RZsS5m6BFbMGePLa4b978hY1fxcCaNgBQZTpMSp66JR
tAocK5iXXzVUi3BvdLCFNvoVYoyL79D/GSfosXfN5Sol4paq8cotPrtHwMkBTXmV
I8yB602+qq/+Bq2rZWdo+1tlzt8FriplP9DQSpNt1Y03DFiSIlXu3hBGDaTC7yk0
H9jJSKZO/FajRfgkusQNIPRooqyl9WmOBNxHOKH6Pt/CSbzwjHrmfbjrdRBqOi6j
8IzSLZalNPGMqHpvoDQ8K2XwhOKTcXBLSAo+aGDI9Xml
-----END ENCRYPTED PRIVATE KEY-----

Use the ASN.1 parsing utility to extract this information.

$ openssl asn1parse -in rsa_pkey_enc_genpkey.pem 
    0:d=0  hl=4 l=1325 cons: SEQUENCE          
    4:d=1  hl=2 l=  87 cons: SEQUENCE          
    6:d=2  hl=2 l=   9 prim: OBJECT            :PBES2
   17:d=2  hl=2 l=  74 cons: SEQUENCE          
   19:d=3  hl=2 l=  41 cons: SEQUENCE          
   21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
   32:d=4  hl=2 l=  28 cons: SEQUENCE          
   34:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:3C411EE2D9F5832D
   44:d=5  hl=2 l=   2 prim: INTEGER           :0800
   48:d=5  hl=2 l=  12 cons: SEQUENCE          
   50:d=6  hl=2 l=   8 prim: OBJECT            :hmacWithSHA256
   60:d=6  hl=2 l=   0 prim: NULL              
   62:d=3  hl=2 l=  29 cons: SEQUENCE          
   64:d=4  hl=2 l=   9 prim: OBJECT            :aes-256-cbc
   75:d=4  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:CF09CA4D8734272C38113124CBA977C1
   93:d=1  hl=4 l=1232 prim

The unencrypted key for comparison.

$ openssl asn1parse -in rsa_pkey_unenc_genpkey.pem
    0:d=0  hl=4 l=1210 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE          
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL              
   22:d=1  hl=4 l=1188 prim

You cannot use this utility to parse the encrypted traditional form, because its Base64 body is ciphertext rather than an ASN.1 structure.

$ openssl asn1parse -in rsa_pkey_enc_pkey.pem
Error in encoding
140365724464512:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:

Nice.
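
As an added example (not part of the original post), the Python code below reports the encryption parameters for both forms without calling openssl: it reads the DEK-Info header of the traditional form and walks the PBES2 AlgorithmIdentifier (EncryptedPrivateKeyInfo -> encryptionAlgorithm) of the PKCS#8 form. The function names kids, oid and key_encryption are hypothetical, and SAMPLE holds only the first two base64 lines of the key shown above, which is enough to cover the algorithm header.

```python
import base64, re

# Names for the OIDs in the asn1parse listing; any other OID prints in dotted form.
OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "1.2.840.113549.2.9": "hmacWithSHA256", "2.16.840.1.101.3.4.1.42": "aes-256-cbc"}

def kids(raw):  # split DER content bytes into a list of (tag, value) children
    out, pos = [], 0
    while pos < len(raw):
        tag, length, pos = raw[pos], raw[pos + 1], pos + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(raw[pos:pos + n], "big"), pos + n
        out.append((tag, raw[pos:pos + length]))
        pos += length
    return out

def oid(raw):  # decode OID content bytes to a known name, else dotted notation
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this arc is complete
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return OIDS.get(dotted, dotted)

def key_encryption(pem):  # hypothetical helper: report how a PEM key is encrypted
    m = re.search(r"^DEK-Info:\s*([^,\s]+),", pem, re.M)
    if m:  # traditional form: the cipher is named in the PEM header
        return {"form": "traditional", "cipher": m.group(1)}
    if "BEGIN ENCRYPTED PRIVATE KEY" not in pem:
        return {"form": "unencrypted"}
    b64 = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    alg = kids(kids(kids(base64.b64decode(b64))[0][1])[0][1])  # [scheme, parameters]
    info = {"form": "PKCS#8", "scheme": oid(alg[0][1])}
    if info["scheme"] == "PBES2":  # parameters = [KDF AlgorithmIdentifier, cipher one]
        kdf, enc = (kids(v) for _, v in kids(alg[1][1]))
        info.update(kdf=oid(kdf[0][1]), cipher=oid(enc[0][1]))
        if info["kdf"] == "PBKDF2":  # salt, iterations, [keyLength], [prf]
            p = kids(kdf[1][1])
            prf = [oid(kids(v)[0][1]) for t, v in p[1:] if t == 0x30]
            info["iterations"] = int.from_bytes(p[1][1], "big")
            info["prf"] = prf[0] if prf else "hmacWithSHA1"  # DEFAULT when omitted
    return info

SAMPLE = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIPEEe4tn1gy0CAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDPCcpNhzQnLDgRMSTLqXfBBIIE
-----END ENCRYPTED PRIVATE KEY-----"""  # truncated: header bytes of the page's key only
```

Calling key_encryption(SAMPLE) returns PBES2, PBKDF2 with hmacWithSHA256 and 2048 iterations (the INTEGER 0800 above), and aes-256-cbc, matching the asn1parse listing.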