How do I encrypt my SSH keys?

To make a new SSH key pair (private + public keys), use ssh-keygen. If you enter a passphrase, the private key file will be encrypted with that password.

$ ssh-keygen -t rsa -f ~/.ssh/newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/jsmith/.ssh/newkey.
Your public key has been saved in /Users/jsmith/.ssh/newkey.pub.
The key fingerprint is:
8f:80:65:10:9a:21:0f:36:d2:96:91:1b:27:26:ba:90 jsmith@mac
The key's randomart image is:
+--[ RSA 2048]----+
|++o+o. |
|++X+.. |
|.=+= o |
|E . + |
|.. . . S |
|. . o |
| . . |
| |
| |
+-----------------+
$

Two files are created:

$ ls -l ~/.ssh/newkey*
-rw------- 1 jsmith users 1766 Jun 3 12:01 /Users/jsmith/.ssh/newkey
-rw-r--r-- 1 jsmith users 405 Jun 3 12:01 /Users/jsmith/.ssh/newkey.pub
$

The .pub file is your “public key”. Its contents are not, strictly speaking, secret. You’ll need to append this key to the remote servers’ ~/.ssh/authorized_keys file in order to log in without a password.

The other file is your “private key”. Don’t let anybody see it! Even though you encrypted it, if somebody got a copy of it, they could try as many passwords against it as they wanted without you knowing that they were hacking at it.

How do I know if my SSH key is encrypted?

If you didn’t specify a passphrase when you created your SSH key pair, your private key file is UNENCRYPTED. To check if it’s encrypted, use “openssl”:

$ openssl rsa -in ~/.ssh/newkey -text -noout|head
Enter pass phrase for /Users/jsmith/.ssh/newkey:
Private-Key: (2048 bit)
modulus:
00:b2:5e:f4:fb:9d:bc:88:5c:27:76:8a:df:c7:ff:
2e:01:4e:8d:75:eb:58:32:6c:d6:79:15:5a:29:9f:
00:8c:9e:07:f2:46:88:6e:cf:cf:d5:44:85:76:0b:
6f:47:fd:42:17:09:d3:fe:4e:2d:52:33:f7:9e:61:
24:de:25:bd:ea:ef:63:ef:1a:4b:5c:d3:dd:a1:74:
97:61:26:ec:a2:a0:da:bb:4c:87:d4:67:e6:80:42:
56:9d:5a:3d:2d:9d:6a:cc:fe:a8:44:89:f7:d7:03:
53:ec:ad:1e:74:45:96:81:66:d0:b9:ee:75:9d:cf:
jsmith@mac:~/.ssh$

If it asks for a passphrase, it’s encrypted. It will also show you the bit-strength of the key (2048 bits in the example above, which is pretty strong. How strong is “pretty strong”? Well, the sun will probably burn out and explode before all the world’s supercomputers working together could exhaust 2^2048 possible keys.)
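A small checker, added here and not part of the original post, that answers the question above by reading the key file itself rather than relying on openssl: openssl rsa only understands the legacy PEM format shown, while current ssh-keygen writes the openssh-key-v1 format by default, which it cannot parse. The constructed_openssh_key helper and the LEGACY_* samples are constructed test inputs, not real keys.

```python
"""Tell whether an SSH private key on disk is passphrase-protected."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # first bytes of the newer OpenSSH format

def _ssh_string(buf, off):
    """Decode one SSH wire 'string': big-endian uint32 length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(pem_text):
    """True if the armoured text holds an encrypted private key.
    Legacy PEM (the post's format) announces encryption with a
    'Proc-Type: 4,ENCRYPTED' header.  openssh-key-v1 keys carry the cipher
    name inside the base64 body; 'none' means the key is stored in clear.
    Raises ValueError for anything that is not a recognised private key."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _ssh_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True                                 # PKCS#8 encrypted container
    if "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a private key: " + lines[0])
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def key_file_is_encrypted(path):
    """Same check for a file such as ~/.ssh/newkey."""
    with open(path) as fh:
        return key_is_encrypted(fh.read())

def constructed_openssh_key(cipher):
    """Constructed test input: just the openssh-key-v1 magic and cipher name
    (enough for the check above; not a usable key)."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

# Constructed legacy PEM samples; the bodies are placeholders, not key material.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

For an openssh-key-v1 key that turns out to be unencrypted, `ssh-keygen -p -f ~/.ssh/newkey` adds a passphrase in place, keeping the original file name.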

How do I encrypt an unencrypted SSH key file?

If you didn’t specify a passphrase when you created your SSH key pair, your private key file is UNENCRYPTED. To make an encrypted version, use “openssl”:

$ openssl rsa -des -in ~/.ssh/newkey -outform PEM -out ~/.ssh/newkey.encrypted
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$

Now delete the unencrypted key:

$ rm ~/.ssh/newkey

If you look at the encrypted key file, you’ll see that it identifies itself as encrypted:

$ head ~/.ssh/newkey.encrypted
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,78EF72ED94EE9A591AAAD8FDD7F007AE

$

NOTE: Remember that since you’ve saved the encrypted key into a new filename, you’ll have to tell SSH where to find it:

$ ssh -i ~/.ssh/newkey.encrypted jsmith@example.com

(If you’re on a Mac, the Apple Keychain system will kick in and pop-up a window to ask for and remember the password that you encrypted your private key file with.)

If you set this in your ~/.ssh/config, you won’t have to use -i every time:

Host *.example.com
 IdentityFile ~/.ssh/newkey.encrypted
 User ubuntu