How to encrypt an SSH private key

If you are using SSH key-based authentication you should be encrypting your private key with a passphrase. The key file is then useless on its own: someone who copies it from your workstation or a backup (or from a server, though a private key normally has no business living on a server in the first place) still needs the passphrase before they can use it to reach other systems. The protection is only as strong as the passphrase, so pick a long one. If your private key isn't encrypted, you can use the ssh-keygen utility's -p option to add a passphrase:

$ ssh-keygen -p -f id_dsa
Enter old passphrase:
Key has comment 'id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

This option can be used to change the passphrase on an already-encrypted private key as well as to add one to a key that has none. The "Enter old passphrase:" prompt above only appears when the key is already encrypted; for an unencrypted key ssh-keygen goes straight to asking for the new passphrase. Two caveats for anyone following this today: DSA keys like the id_dsa above have been disabled by default since OpenSSH 7.0, so generate Ed25519 or RSA keys instead, and the legacy PEM key format encrypts with a key derived from a single MD5 pass over the passphrase, which makes offline guessing cheap. OpenSSH 6.5 and later can rewrite the key in the bcrypt-protected OpenSSH format by adding -o to the ssh-keygen -p invocation (and -a to raise the number of KDF rounds); from OpenSSH 7.8 on that format is the default. Viva la OpenSSH!
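As an added example that is not part of the original post: a small Python audit that finds private keys in a directory which have no passphrase, by reading the key container itself (the legacy PEM "Proc-Type: 4,ENCRYPTED" headers, or the cipher and KDF names stored at the start of an openssh-key-v1 blob), plus a helper that applies the fix from the post by running ssh-keygen -p non-interactively. The sample key files are constructed stand-ins with fake bodies, and the function names, the "md5-1-round" label and the default of 100 KDF rounds are my choices, not anything defined by OpenSSH.

```python
"""Audit a directory of SSH private keys for missing passphrase protection and
add one with ssh-keygen -p.  (Added example; not from the original post.)

Detection parses the on-disk key formats directly, so it runs without
ssh-keygen: the legacy OpenSSL PEM container signals encryption with RFC 1421
"Proc-Type: 4,ENCRYPTED" headers, and the openssh-key-v1 container stores the
cipher and KDF names ("none" when unencrypted) right after its magic string.
"""
import base64
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_encryption(pem_text):
    """Return (container, cipher, kdf); cipher == 'none' means no passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return "openssh-key-v1", cipher.decode(), kdf.decode()
    # Legacy OpenSSL PEM (RSA/DSA/EC): optional RFC 1421 headers precede a blank line.
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:
            break
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        # DEK-Info is "CIPHER,IV"; the key comes from one MD5 round over the passphrase.
        return "pem", headers.get("DEK-Info", "?").split(",")[0], "md5-1-round"
    return "pem", "none", "none"


def is_encrypted(pem_text):
    return key_encryption(pem_text)[1] != "none"


def find_unencrypted(ssh_dir):
    """Return paths of private keys under ssh_dir that have no passphrase."""
    found = []
    for p in sorted(Path(ssh_dir).iterdir()):
        if not p.is_file():
            continue
        text = p.read_text(errors="ignore")
        first = text.lstrip().split("\n", 1)[0]
        if not (first.startswith("-----BEGIN ") and "PRIVATE KEY-----" in first):
            continue  # .pub files, config, known_hosts, ...
        try:
            if not is_encrypted(text):
                found.append(p)
        except ValueError:
            continue  # something that merely looks like a key
    return found


def add_passphrase(key_path, new_passphrase, rounds=100):
    """Encrypt an unencrypted key in place with `ssh-keygen -p`, as in the post.
    -P '' supplies the (empty) old passphrase, -N the new one, -a the bcrypt KDF
    round count.  On OpenSSH 6.5-7.7 also pass -o so the key is rewritten in the
    bcrypt-protected openssh-key-v1 format (the default from 7.8 on)."""
    if shutil.which("ssh-keygen") is None:
        raise RuntimeError("ssh-keygen not found on PATH")
    subprocess.run(["ssh-keygen", "-p", "-a", str(rounds), "-P", "", "-N", new_passphrase,
                    "-f", str(key_path)], check=True)


# ---- constructed sample inputs (not real keys; only the headers matter) ----
def _openssh_v1(cipher, kdf):
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)  # kdfoptions, nkeys
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLES = {
    "id_ed25519": _openssh_v1(b"aes256-ctr", b"bcrypt"),
    "id_ed25519_plain": _openssh_v1(b"none", b"none"),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nQUFBQQ==\n"
              "-----END RSA PRIVATE KEY-----\n",
    "id_dsa": "-----BEGIN DSA PRIVATE KEY-----\nQUFBQQ==\n-----END DSA PRIVATE KEY-----\n",
    "id_rsa.pub": "ssh-rsa AAAAB3NzaC1yc2E= user@host\n",
}


def demo_audit():
    """Write the samples to a scratch dir, audit it, return names of unencrypted keys."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            Path(d, name).write_text(text)
        return sorted(p.name for p in find_unencrypted(d))


if __name__ == "__main__":
    print("unencrypted:", demo_audit())  # ['id_dsa', 'id_ed25519_plain']
```

Running the block reports the two sample keys that lack a passphrase. The same check without any parsing is ssh-keygen -y -P '' -f KEY, which succeeds only on an unencrypted key; the parser is here so the audit can run over a backup or a fleet without invoking ssh-keygen. add_passphrase hands the passphrases over with -P and -N, which puts them in the process argument list; on a live terminal let ssh-keygen prompt for them, as in the transcript above.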

2 Comments

@magnus919 on January 20th, 2012

“This ensures that if someone breaks into your server and steals your keys […]”

Let me stop you right there. Why is your private key on a server in the first place?

And, let’s just assume that they are on the server, why don’t you have a passphrase so that simple possession of the private key + 25 cents still won’t get you a call on a payphone?

Integrating ssh-agent into your login process on January 28th, 2012

[…] generator (ssh-keygen) will attempt to encrypt your private key by default, and ssh-keygen can also be used to add a password to a private key after the […]
