How do I add a password to an OpenSSH private key that was generated without a password?
I generated an OpenSSH private key using PuTTYgen (and exported it in OpenSSH format).

How can I put a password on this existing key (I know how to generate a new key with a password)?

Nitrification answered 29/9, 2010 at 5:11 Comment(3)
If you see this comment, please mark one of the answers as accepted or write a comment saying what they missed. Thanks! – Apology
Add is the same as change or remove: #112896 , possible same for change: serverfault.com/questions/50775/… – Krystinakrystle
If you get Bad passphrase on an id_ed25519 key but the password is correct, then you are probably using a down-level ssh-keygen to manage it. – Nobukonoby
491

Try the following command:

ssh-keygen -p -f keyfile

From the ssh-keygen man page:

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.

 -f filename
         Specifies the filename of the key file.

Example:

ssh-keygen -p -f ~/.ssh/id_rsa
Offing answered 29/9, 2010 at 5:19 Comment(5)
For those wanting to know what -f is: it specifies the input file. – Armorial
// , @sigjuice, would you please post an example, like $ ssh-keygen -p -f /Users/sigjuice/.ssh/id_rsa? This might help people who don't know how to tell the difference between a public and a private key, and help them get their feet wet faster. – Expurgate
For some reason, on MacOS 10.14, this does not format the file with the Proc-Type: 4,ENCRYPTED header, which is incompatible with some applications checking for a passphrase. After trying several ways to get it to work, the easiest workaround was just to do this same thing inside a Docker container running Ubuntu and then copy the key back to my Mac. – Tierza
I can still read my ssh private keys in clear text without entering any password, so I guess the above command is not enough!? (I don't want hackers to be able to read my private keys without knowing an extra password) – Dimer
@Dimer: if you did it correctly, the file should now have, under the "-----BEGIN RSA PRIVATE KEY-----" line, 2 lines indicating the passphrase type and the (encrypted) passphrase, then a blank line, and then the (ENCRYPTED) private key. The latter is unusable unless someone successfully decrypts it by knowing the passphrase, i.e. 1) you need to enter the passphrase when asked, and only then can 2) the private key be used. (With NO passphrase (e.g. you pressed Return twice when prompted), there is only the UNENCRYPTED private key (without the first 3 lines), and it IS usable directly.) – Chloe
46

Use the -p option to ssh-keygen. This allows you to change the password rather than generate a new key.

Change the password as sigjuice shows:

ssh-keygen -p -f ~/.ssh/id_rsa

The required password will be the new password. (This assumes you have added the public key ~/.ssh/id_rsa.pub to your authorized_keys file.) Test with ssh:

ssh -i ~/.ssh/id_rsa localhost

You can have multiple keys with different names for different uses.

Cart answered 29/9, 2010 at 5:20 Comment(5)
// , Would you please show an example, and how to check that the option has worked, @BillThor? – Expurgate
I do not understand. The passphrase is set, I see when I try to change it again. But when I try to log in to the remote server it doesn't ask for this passphrase password, why? – Blown
It's fine. It asks once per session :) Didn't know that. – Blown
Does this mean you have to log out and in again? Closing the terminal window and re-opening it does not work for me. – Evelineevelinn
You can type ssh-add -D to remove your cached identity. Then, try connecting again and it will ask you for your password. Use ssh-add -l to see a list of your cached identities. – Fogarty
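Two of the comments above (under sigjuice's and BillThor's answers) ask for a worked example and for a way to check that the passphrase really took. The script below is an added example, not code from any of the answers: it creates a throwaway passphrase-less key (standing in for the PuTTYgen export in the question), applies a passphrase with the non-interactive form of `ssh-keygen -p`, and then verifies that the file can no longer be read without the passphrase. It assumes only that `ssh-keygen` is on PATH; the paths and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original answers: put a passphrase on an
# existing passphrase-less OpenSSH private key non-interactively, then
# prove the file is really encrypted. Assumes ssh-keygen is on PATH;
# every path and passphrase below is constructed for the demo.
set -eu

# Stand-in for the PuTTYgen-exported key from the question: a fresh key
# written with an empty passphrase (-N '').
make_plain_key() {
    rm -f "$1" "$1.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'demo key' -f "$1"
}

# Non-interactive form of "ssh-keygen -p -f keyfile":
#   -P ''   the current (empty) passphrase     -N ...  the new passphrase
add_passphrase() {
    ssh-keygen -q -p -P '' -N "$2" -f "$1"
}

# Succeeds only if the key is unreadable without a passphrase AND readable
# with the one given. "ssh-keygen -y" derives the public key from the
# private file, so it must decrypt it; passing -P '' stops it prompting.
# Grepping the file for "Proc-Type: 4,ENCRYPTED" is not a valid check here:
# that header belongs to legacy PEM keys, and the native OpenSSH container
# never carries it, encrypted or not.
check_encrypted() {
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1        # decrypts with no passphrase: still plaintext
    fi
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# Whole round trip. Returns 0 on success (or when ssh-keygen is absent,
# so the demo degrades to a no-op instead of a spurious failure).
demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; skipping" >&2
        return 0
    fi
    dir=$(mktemp -d)
    key="$dir/id_ed25519"
    make_plain_key "$key"
    if check_encrypted "$key" 'correct horse battery'; then
        echo "fresh key unexpectedly encrypted" >&2; rm -rf "$dir"; return 1
    fi
    add_passphrase "$key" 'correct horse battery'
    if ! check_encrypted "$key" 'correct horse battery'; then
        echo "passphrase was not applied" >&2; rm -rf "$dir"; return 1
    fi
    if check_encrypted "$key" 'wrong passphrase'; then
        echo "wrong passphrase accepted" >&2; rm -rf "$dir"; return 1
    fi
    echo "ok: $key is encrypted and opens only with the new passphrase"
    rm -rf "$dir"
}

demo
```

For a real key you would drop `-P ''`/`-N` and let `ssh-keygen -p -f ~/.ssh/id_rsa` prompt, so the passphrase never lands in shell history or `ps` output; the `-y` check is still the reliable way to confirm the result, because `ssh -i` will silently reuse an identity already loaded in ssh-agent (hence the `ssh-add -D` advice in the comments).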
11

You can also use openssl:

openssl rsa -aes256 -in ~/.ssh/your_key -out ~/.ssh/your_key.enc
mv ~/.ssh/your_key.enc ~/.ssh/your_key
chmod 600 ~/.ssh/your_key

See: https://security.stackexchange.com/a/59164/194668

Coad answered 16/12, 2018 at 8:35 Comment(3)
I think I'll take the ssh-keygen way ;) – Bonne
Thanks for providing an openssl alternative to do the task. – Bryan
I'd prefer openssl. ssh-keygen did some weird stuff with the encoding which made the key unusable – Pelvis
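A caveat worth knowing before taking the openssl route: `openssl rsa` only parses PEM-encoded keys (`-----BEGIN RSA PRIVATE KEY-----`), while `ssh-keygen` has written its own `-----BEGIN OPENSSH PRIVATE KEY-----` container by default since OpenSSH 7.8, which openssl rejects with "unable to load Private Key". The script below is an added example, not the answer's own code: it detects the container, converts a native-format key to PEM first (`ssh-keygen -p -m PEM` rewrites only the container, not the key material), encrypts with openssl as the answer does, and verifies. It assumes `ssh-keygen` and `openssl` are on PATH; all paths and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answer above: the openssl route works only
# on PEM-encoded keys, so convert a native OpenSSH-format key first, then
# encrypt and verify with openssl. Assumes ssh-keygen and openssl are on
# PATH; all paths and passphrases are constructed for the demo.
set -eu

# Prints openssh, pem or unknown, judged from the first line of the file.
key_container() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') echo pem ;;
        *) echo unknown ;;
    esac
}

# Encrypt the passphrase-less RSA key $1 in place with AES-256 under $2.
openssl_encrypt_key() {
    if [ "$(key_container "$1")" = openssh ]; then
        ssh-keygen -q -p -m PEM -P '' -N '' -f "$1"   # same key, PEM container
    fi
    # umask in a subshell so the .enc file is never world-readable, not even
    # for the instant before chmod; -passout keeps the demo non-interactive.
    ( umask 077; openssl rsa -aes256 -in "$1" -out "$1.enc" -passout "pass:$2" )
    mv "$1.enc" "$1"
    chmod 600 "$1"
}

# Succeeds only if openssl cannot read the key with an empty passphrase
# but can read it with the given one.
check_encrypted() {
    if openssl rsa -in "$1" -passin pass: -noout >/dev/null 2>&1; then
        return 1        # opens with no passphrase: still plaintext
    fi
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Whole round trip. Returns 0 on success (or when the tools are absent,
# so the demo degrades to a no-op instead of a spurious failure).
demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "ssh-keygen or openssl not found; skipping" >&2
        return 0
    fi
    dir=$(mktemp -d)
    key="$dir/your_key"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$key"    # native container on OpenSSH >= 7.8
    before=$(key_container "$key")
    openssl_encrypt_key "$key" 'correct horse battery'
    if ! check_encrypted "$key" 'correct horse battery'; then
        echo "encryption failed" >&2; rm -rf "$dir"; return 1
    fi
    if check_encrypted "$key" 'wrong passphrase'; then
        echo "wrong passphrase accepted" >&2; rm -rf "$dir"; return 1
    fi
    echo "ok: started as '$before' container, now an encrypted PEM key"
    rm -rf "$dir"
}

demo
```

Whether the encrypted output carries the legacy `Proc-Type: 4,ENCRYPTED` header or is a PKCS#8 `ENCRYPTED PRIVATE KEY` block depends on the OpenSSL version (3.x defaults to PKCS#8 unless `-traditional` is given), which is why the check above tests decryptability rather than grepping for a header. Note also that `openssl rsa` handles RSA only; an Ed25519 key has no PEM form that this command accepts, and `ssh-keygen -p` remains the way to protect it.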
-1

Because you've mentioned "PuTTYgen" and maybe you're using Windows 😉, I'll direct you to the documentation for "PuTTYgen".

Go here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-conversions] for "importing" and "exporting" an SSH private key. These are different from using "Load" and "Save", as those options are for loading and saving a PuTTY-specific key file.

And here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-passphrase] for changing the passphrase. It is the same thing you'd do when creating a passphrase for a new private key.

So the steps are: "import" the SSH key (you don't get asked for a passphrase because you didn't create one), then change (set) the passphrase and confirm, then "export" back out to the original private key file.

Hope that helps anyone else wanting to use "PuTTYgen" instead of "ssh-keygen".

Hakan answered 15/11, 2021 at 10:4 Comment(0)
