How to encrypt an SSH private key

If you are using SSH key-based authentication, you should be encrypting your private key. This ensures that if someone breaks into your server and steals your keys, they won’t be able to use them to access other systems. If your private key isn’t encrypted, you can use the ssh-keygen utility’s “-p” option to do so:

$ ssh-keygen -p -f id_dsa
Enter old passphrase:
Key has comment ‘id_dsa’
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

This option can be used to change the passphrase used to encrypt a private key, and to add a passphrase to an existing private key. Viva la OpenSSH!
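To find which key files still need `ssh-keygen -p`, the following added example (not part of the original post) reads a key file's header and reports whether the key is stored encrypted. It goes beyond the `id_dsa` case above to cover OpenSSH's current key format, legacy PEM and PKCS#8. The function names and sample inputs are constructed for illustration, and the samples are header-only with no key material.

```python
import base64
import binascii
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC that opens an OpenSSH-format private key blob

def key_is_encrypted(text):
    """True/False for private-key file text; None if the format is not recognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":  # PKCS#8, plaintext
        return False
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except binascii.Error:
            return None
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]  # first field after the magic: ciphername
        return cipher != b"none" if len(cipher) == n else None
    if header.endswith(" PRIVATE KEY-----"):  # legacy PEM (RSA/DSA/EC)
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:3])
    return None

def _s(b):
    return struct.pack(">I", len(b)) + b  # SSH wire "string": uint32 length + bytes

def sample_openssh(cipher, kdf):
    """Constructed header-only sample; it holds no key material and is not a usable key."""
    body = base64.b64encode(MAGIC + _s(cipher) + _s(kdf) + _s(b"") + struct.pack(">I", 1))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body.decode()}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_LEGACY_ENC = (  # constructed: header lines only, zero IV, no key body
    "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    "-----END DSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # pass key file paths as arguments
        with open(path, errors="replace") as fh:
            print(path, key_is_encrypted(fh.read()))  # True, False or None per file
```

Any file reported as `False` is a candidate for `ssh-keygen -p -f <file>`.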

2 thoughts on “How to encrypt an SSH private key”

  1. “This ensures that if someone breaks into your server and steals your keys […]”

    Let me stop you right there. Why is your private key on a server in the first place?

    And, let’s just assume that they are on the server, why don’t you have a passphrase so that simple possession of the private key + 25 cents still won’t get you a call on a payphone?
