Cryptography Tutorials - Herong's Tutorial Examples - v5.42, by Herong Yang
Encrypting RSA Keys
This section provides a tutorial example on how to store RSA keys encrypted with password protection.
An RSA key pair consists of a private key and a public key. The private key should not be shared with anyone else, so it's strongly recommended to store RSA keys in an encrypted form, protected with a password.
Here is how to use OpenSSL to generate an RSA key pair and encrypt it using the DES3 algorithm:
herong> openssl genrsa -des3 -out herong_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
...............................................+++
................................................................+++
e is 65537 (0x10001)
Enter pass phrase for user.key: mykey
Verifying - Enter pass phrase for user.key: mykey

herong> more herong_rsa.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,61523E68F580569D

MC5FNOEYflddyBF2orcTtzHSUpzrevcxZpbUU827hdmgDEoZKg54VVd9xGnxnodm
hq1LSenM1AxWO5Bzzmxr3WCiz94xPxNSUd/1f9eonaVZT7CaVzn533lj3G26uvtO
OyNXyBcb/kUGHXeCeGU322lB1p8gShOC/P9ip/wQvlR2yaSQGc4xKwON7O4dAvtM
rfoV0YJNCiK/tbK/5YBykMTYBsIAqJRmKKyAILd38dd0/lDTmLDxn2SEmMmuGjTC
yYEXZfW1PJn+gELSD1xysQ58wVtBXvdbQWG0RJYukseLurZABSyz4Lvg8fUboBAJ
42DFO101aaCWR/uuZefNPbPzBWrdh2w+ptqxWTKTOTYoqgrW15VdRE/4YH1N8R8a
wbzOS1oDbiRWH2WXcJ+E1dxh4UEoGuNkCV8W3nmVTvE=
-----END RSA PRIVATE KEY-----
Perfect. The extra parameter "-des3" tells the "genrsa" command to generate a key pair and encrypt it immediately with the DES-EDE3-CBC algorithm.
The above command is good for encrypting the key pair at the time of generation. How about encrypting a previously generated key pair? This can be done with the "rsa" command:
herong> openssl genrsa -out herong_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 512 bit long modulus
....++++++++++++
.++++++++++++
e is 65537 (0x10001)

herong> more herong_rsa.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAKnmGcbuiAGG2XKek5LbVwF7AoT8HuNXXip7KyWevbrFlSxJWSjf
pmeGJo7/Nsw6hFwor28RyAy1wsW5BNYOXdECAwEAAQJAQsEsI6OZQLBRQ93Wsf8I
goZoiQPexwiO8TYPz+o9NeLELOzhYHiKuzOO5c2oVYXTSgM9IMCCo35fkzOlTdyj
oQIhANe/bnRWtO+7gSbcqmINtFW12pbkgzQ+SlQxp7HSNL3FAiEAyZjTrFGKlG9k
Ub4EcNFkWjIzOM/vHifYdmB/ZO9ZzJ0CIHEnEYMqxpLFQKNlMGdk0KPzUMW666VG
1iz6Lf1xRgARAiEAplhZiR27iKGlmKF/TowpDxfPFjjVaP+d6IfVdrbdVS0CIQCY
OHLGbU3QZn2VjSUH/BF4kP7cEPDngxbYiZ2+f2D77Q==
-----END RSA PRIVATE KEY-----

herong> openssl rsa -in herong_rsa.key -des -out herong_rsa_des.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

herong> more herong_rsa_des.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,C386818044590B20

10JtM182aDIEMcGLGHXC51woLVdcsYWAAp0tCI1NKJRy/ZBKQLs7gzgGD9ZFBA3D
eZ0W7CVT226yDNSAq/3G+st1cR3kfFmxO3cfT8DHKV4zJVLSRrKfklURp0SdfaB6
LLpbdz9OSwxYphVTBTQAaeLYBipZhyV5BJZeQH40b5S3SclHid5Bn3SaxmFIgRCp
X07GQkiVU+KLhW4Q2v7uV7qU/dlym7WAsxlw4vEw9EhLw2RTPGEC0IaTzPtgWnsE
wQcvS0gDg5C8sP/rpHdQcZFCqpt4+n9M/p1Ciz1d0DNYRefvZnmf9w/z02oT3KY+
nJxrL6kh2kYVUOQKSwlA4Swtt4lPy6gimg+1xG96+BnrG803FYQ23rlusCThg+yw
lHpltupnF9YW38dParIlLsxMxFRhRc8qNZSAwnBHP78=
-----END RSA PRIVATE KEY-----
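A check for key files like the ones shown above, added here as an example that is not part of the original tutorial: it reads the "Proc-Type" and "DEK-Info" header lines to report whether a private key file is encrypted and with which cipher. The function names, the review notes and the placeholder key body are assumptions of this example; it also recognizes the PKCS#8 "ENCRYPTED PRIVATE KEY" label, which this section does not show.

```python
import re

# Review notes per DEK-Info cipher name (this example's own assessment).
CIPHER_NOTES = {
    "DES-CBC": "weak: single DES, 56-bit key",
    "DES-EDE3-CBC": "legacy: triple DES",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem_key(text):
    """Report how the first PEM private key block in `text` is protected."""
    m = PEM_RE.search(text)
    if m is None or "PRIVATE KEY" not in m.group(1):
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    info = {"label": label, "encrypted": False, "cipher": None, "iv": None,
            "note": "private key stored in the clear"}
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8: parameters live in the DER body
        info.update(encrypted=True, note="PKCS#8 encrypted; cipher not in headers")
        return info
    headers = {}
    for line in body.splitlines():  # headers stop at the first blank or base64 line
        if not line.strip() or ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        if not cipher or not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", iv):
            raise ValueError("Proc-Type says ENCRYPTED but DEK-Info is malformed")
        info.update(encrypted=True, cipher=cipher, iv=iv,
                    note=CIPHER_NOTES.get(cipher, "cipher not in CIPHER_NOTES"))
    return info

def make_sample(headers=""):
    # Constructed sample: the body is a placeholder, not real key material.
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + headers +
            "QUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n")

# Header values are the ones shown in this section's two encrypted outputs.
SAMPLES = {
    "des3": make_sample("Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,61523E68F580569D\n\n"),
    "des": make_sample("Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-CBC,C386818044590B20\n\n"),
    "clear": make_sample(),
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, inspect_pem_key(pem))
```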