How to generate an openSSL key using a passphrase from the command line

Question

First -  what happens if I don t give a passphrase  Is some sort of pseudo random phrase used  I m just looking for something  quot good enough quot  to keep casual hackers at bay  Second - how do I generate a key pair from the command line  supplying the passphrase on the command line   I finally got it working using these commands  using exec   which it is generally reckoned not safe to use  being better to give the PassPhrase in a file  I can accept this risk as I am sure that the PHP will only ever be executed on my PC  which runs windows  amp  doesn t have a PS command   openssl genrsa -aes128 -passout pass foobar -out privkey pem 2048 openssl rsa -in privkey pem -passin pass foobar -pubout -out privkey pub  Many many thanks to  caf  without whom this would not have been possible  Only one regret - that  no matter how much I Google  no one can seem to get openssl pkey new   working with Xampp on Windows  which is the proper way to generate a key pair

User · Answer

genrsa has been replaced by genpkey  amp  when run manually in a terminal it will prompt for a password   openssl genpkey -aes-256-cbc -algorithm RSA -out  etc ssl private key pem -pkeyopt rsa keygen bits 4096   However when run from a script the command will not ask for a password so to avoid the password being viewable as a process use a function in a shell script   get passwd         local passwd      echo -ne  Enter passwd for private key       read -s passwd     openssl genpkey -aes-256-cbc -pass pass  passwd -algorithm RSA -out  PRIV KEY -pkeyopt rsa keygen bits  PRIV KEYSIZE

User · Answer

If you don t use a passphrase  then the private key is not encrypted with any symmetric cipher - it is output completely unprotected   You can generate a keypair  supplying the password on the command-line using an invocation like  in this case  the password is foobar    openssl genrsa -aes128 -passout pass foobar 3072   However  note that this passphrase could be grabbed by any other process running on the machine at the time  since command-line arguments are generally visible to all processes   A better alternative is to write the passphrase into a temporary file that is protected with file permissions  and specify that   openssl genrsa -aes128 -passout file passphrase txt 3072   Or supply the passphrase on standard input   openssl genrsa -aes128 -passout stdin 3072   You can also used a named pipe with the file  option  or a file descriptor     To then obtain the matching public key  you need to use openssl rsa  supplying the same passphrase with the -passin parameter as was used to encrypt the private key   openssl rsa -passin file passphrase txt -pubout    This expects the encrypted private key on standard input - you can instead read it from a file using -in  lt file gt       Example of creating a 3072-bit private and public key pair in files  with the private key pair encrypted with password foobar   openssl genrsa -aes128 -passout pass foobar -out privkey pem 3072 openssl rsa -in privkey pem -passin pass foobar -pubout -out privkey pub

[openssl] How to generate an openSSL key using a passphrase from the command line?

Examples related to openssl