Can I add a password to an existing private key?
Say I have previously created a private/public key combination, and decided at the time to not protect the private key with a password. If I later decide to "beef up" security and use a password-protected private key instead, would I need to generate a new private/public key pair, or can I simply add a password to my existing private key?
Is the opposite possible as well, can I "remove" a password from an existing private key?
A word of caution: as stated in laverya's answer openssl encrypts the key in a way that (depending on your threat model) is probably not good enough any more.
Of course you can add/remove a passphrase at a later time.
add one (assuming it was an
rsakey, else use
openssl rsa -aes256 -in your.key -out your.encrypted.key mv your.encrypted.key your.key chmod 600 your.key
opensslto encrypt the key with AES256.
As ArianFaurtosh has correctly pointed out: For the encryption algorithm you can use
des(which you definitely should avoid),
openssl rsa -in your.key -out your.open.key
you will be asked for your passphrase one last time
by omitting the
opensslto not encrypt the output.
mv your.open.key your.key chmod 600 your.key
That's only for OpenSSL and things compatible with it, which is quite a few but far from all. And as correctly noted by laverya, OpenSSL's 'legacy' privatekey (PEM) encryption uses a _very_ weak PBKDF -- one iteration of MD5. You can do better (though not best) with `pkcs8 -topk8 [-v2 $cipher]` and in 1.1.0+ add `-niter $n` with the highest count you can afford (the default, and before 1.1.0 the only value, is 2048).
@dave_thompson_085 this should be an answer. The `openssl pkcs8 -topk8` command in modern versions of openssl can do scrypt or bcrypt with some large number of iterations. Even in older versions, it can do pbkdf2 with 2048 iterations. Depending on your openssl version, you may be stuck with Triple-DES as the cipher.
While Guntbert's answer was good at the time, it's getting a little outdated.
openssl rsa -aes256creates an encrypted file using the md5 hash of your password as the encryption key, which is weaker than you would expect - and depending on your perspective that may in fact be worse than plaintext. (If you use the same password for your ssh key and your login, cracking the md5 hash will be significantly faster than attacking however your system stores the password - barring things like Windows XP)
A modern solution would be to use
ssh-keygen -p -o -f PRIVATEKEY, which will allow you to enter a passphrase and then will overwrite the existing private key with the encrypted version. This uses the bcrypt pbkdf, which is FAR slower than md5 even when running at the default 16 rounds. 'Far slower' in this case means between a tenth and a half of a second, instead of a millionth of a second - not something you'll notice when logging in, but a massive difference when cracking passwords.
It's worth noting that what openssh implemented has several differences to standard bcrypt. The most visible change is that "rounds" is actually the number of times the password is hashed with sha512, then hashed again with bcrypt using 64 rounds to derive the key then 64 rounds of encrypting a known block. Standard bcrypt uses `2^cost` rounds to derive the key then 64 rounds of encrypting a known block. For the equivalent of a normal bcrypt cost like 14, it should be roughly `2^14/128 = 128`, though it's not quite the same as openssh spends more time encrypting.
When a private is "protected by a password", it merely means that the key bytes, as stored somewhere, are encrypted with a password-derived symmetric key. A private key is readily encodable as a sequence of bytes, and can be copied, encrypted and decrypted just like any file. The important point here is that the password is all about storage: when the private key is to be used (e.g. to sign something), then it is first decrypted in the RAM of some computer, which then proceeds to use the non-encrypted private key. Correspondingly, there is nothing special in a RSA key pair which would make it suitable or unsuitable for password protection. Password protection is really an orthogonal issue.
Of course, if a private key has ever been stored on some physical medium (say, a hard disk) without any extra protection, then it may have left exploitable traces there. Details depend a lot on what system is actually used for private key storage. For instance, Windows systems use DPAPI for storing user's private keys, and DPAPI makes some extra efforts at not letting stored keys leak (whether these efforts are successful remains to be proven).
@guntbert, in this context 'orthogonal' could be defined as "related but separate". Ie. the issues of certificate validity and certificate security are related (in that they both affect the security and functioning of the system) but they're distinct problems and their solutions don't directly interact.