Openssl ECDSA : private key passphrase

Asked 1/5, 2016 at 16:18 Answered 4/4 at 20:46

Solved security encryption openssl ecdsa

I am new with Openssl i have generated a private key myprivatekey.pem and a publickey mypublickey.pem with :

openssl ecparam -genkey -name secp160k1 -noout -out myprivatekey.pem

and my public key with :

openssl -ec  -in myprivatekey.pem -pubout -out mypublickey.pem

What i want to do next is to encrypte my ecdsa with a passphrase private key and make a certification request for my public key and thank you for your help.

Tousle answered 1/5, 2016 at 16:18 Comment(1)

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops?. – Teleutospore 1/5, 2016 at 23:25

It would seem that ecparam doesn't have a built-in option for encrypting the generated key. Instead, you can simply do the following:

openssl ec -in myprivatekey.pem -out myprivatekey_encrypted.pem -aes256

Compared to genrsa, an extra step is required, but this basically does the same thing.

Now as far as the certificate request, the command is pretty much the same regardless of the type of private key used:

openssl req -new -sha256 -key myprivatekey.pem -out mycertrequest.pem

You can then take the resulting mycertrequest.pem and send it to a CA for signing.

Edit:

If you have concerns about writing the unencrypted private key to disk, you can do both the generation and encryption of the key in one step like so:

openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -out privatekey.pem

This generates a P-256 key, then prompts you for a passphrase. The key is then encrypted using AES256 and saved into privatekey.pem.

Shall answered 2/10, 2016 at 8:16 Comment(0)

While ecparam doesn't have an option to encrypt the generated key, genpkey can generate ECC private keys and does have such an option:

openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp160k1 -aes-256-cbc -out myprivatekey_encrypted.pem

The -aes-256-cbc option specifies to encrypt it (with aes-256-cbc; other options are available for different types of encryption).

You can pass -passin pass:password or -passin file:mypassword.pass to specify the password on the commandline.

Appurtenance answered 4/1, 2020 at 2:58 Comment(2)

how can you decrypt it? – Hayden 9/11, 2022 at 4:14

openssl ec -in XXX.encrypted.pem -out XXXX.pem – Hayden 9/11, 2022 at 4:45

I believe that the provided responses are not the proper way to securely create an encrypted private key. The more secure way is the following:

First create only the EC parameters using the ecparam command as follows

openssl ecparam -out ecparam.pem -name prime256v1

Then use the generated parameters to create an encrypted key using the genpkey command

openssl genpkey -paramfile ecparam.pem -out private-key.pem -pass pass:"123456"

Kreegar answered 4/4 at 20:46 Comment(0)

Recommended topics

Hot tags