How to generate an openSSL key using a passphrase from the command line?

Backend · Unresolved · 2 · 1690
终归单人心 2020-11-29 15:30

First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay

2 answers
  • 2020-11-29 16:11

    genrsa has been replaced by genpkey & when run manually in a terminal it will prompt for a password:

    openssl genpkey -aes-256-cbc -algorithm RSA -out /etc/ssl/private/key.pem -pkeyopt rsa_keygen_bits:4096
    

    However when run from a script the command will not ask for a password so to avoid the password being viewable as a process use a function in a shell script:

    get_passwd() {
        local passwd=
        # Prompt without echoing the typed passphrase (read -s is a bash feature)
        printf 'Enter passwd for private key: ' >&2; read -rs passwd; echo >&2
        # Hand the passphrase to openssl on stdin (-pass stdin) so it never appears in the
        # process argument list; "pass:$passwd" would be visible to every user via ps.
        printf '%s\n' "$passwd" | openssl genpkey -aes-256-cbc -pass stdin -algorithm RSA \
            -out "${PRIV_KEY:-/etc/ssl/private/key.pem}" \
            -pkeyopt "rsa_keygen_bits:${PRIV_KEYSIZE:-4096}"
    }
    
    0 · Discussion (0)
  • 2020-11-29 16:18

    If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.

    You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):

    openssl genrsa -aes128 -passout pass:foobar 3072
    

    However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.

    A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:

    openssl genrsa -aes128 -passout file:passphrase.txt 3072
    

    Or supply the passphrase on standard input:

    openssl genrsa -aes128 -passout stdin 3072
    

    You can also use a named pipe with the file: option, or a file descriptor.


    To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:

    openssl rsa -passin file:passphrase.txt -pubout
    

    (This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>).


    Example of creating a 3072-bit private and public key pair in files, with the private key encrypted with password foobar:

    openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
    openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub
    
    0 · Discussion (0)
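The following script is an added example that ties the two answers together; it is not code from either answer or from the OpenSSL project. It generates a passphrase-protected RSA key with genpkey while delivering the passphrase on standard input or from an owner-only file (never on the command line, where `ps` would show it), checks that the resulting PEM really is encrypted, derives the public key with `openssl rsa`, and confirms that a wrong passphrase is rejected. The function names, the constructed passphrase `example-passphrase`, and the default key size of 3072 bits are assumptions made for this example.

```shell
#!/bin/sh
# Added example: passphrase-protected RSA key generation without exposing the
# passphrase in the process argument list. Requires the openssl CLI.
set -eu

# Generate an encrypted private key. The passphrase arrives on this function's
# stdin and is forwarded with "-pass stdin", so argv only ever contains the
# literal word "stdin" and not the secret itself.
gen_private_key() {
    out=$1; bits=${2:-3072}   # 3072 is an assumed default for this example
    openssl genpkey -algorithm RSA -aes-256-cbc -pass stdin \
        -pkeyopt "rsa_keygen_bits:$bits" -out "$out" 2>/dev/null
}

# Same thing, but reading the passphrase from a file (the second answer's
# "file:" form). The caller is responsible for creating that file with
# restrictive permissions (see demo below, which uses umask 077).
gen_private_key_from_file() {
    out=$1; passfile=$2; bits=${3:-3072}
    openssl genpkey -algorithm RSA -aes-256-cbc -pass "file:$passfile" \
        -pkeyopt "rsa_keygen_bits:$bits" -out "$out" 2>/dev/null
}

# True if the PEM file is actually encrypted: genpkey writes a PKCS#8
# "ENCRYPTED PRIVATE KEY" block, while genrsa -aes128 writes a legacy
# "Proc-Type: 4,ENCRYPTED" header. An unencrypted key matches neither.
is_encrypted_pem() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Derive the public key; the passphrase is again supplied on stdin.
# Exits non-zero when the passphrase does not decrypt the private key.
extract_public_key() {
    openssl rsa -in "$1" -passin stdin -pubout -out "$2" 2>/dev/null
}

# Interactive prompt that does not echo, in POSIX sh (the first answer relies
# on bash's "read -s"). Only usable when stdin is a terminal.
prompt_passphrase() {
    printf 'Enter passphrase for private key: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    printf '%s\n' "$pw"
}

# End-to-end check. Returns 0 when both delivery methods yield an encrypted
# key, the public key can be derived with the right passphrase, and a wrong
# passphrase is refused.
demo() {
    bits=${1:-3072}
    pass='example-passphrase'          # constructed passphrase for the example
    dir=$(mktemp -d)

    # 1) passphrase on stdin: nothing secret in the argument list
    printf '%s\n' "$pass" | gen_private_key "$dir/key1.pem" "$bits"
    is_encrypted_pem "$dir/key1.pem" || { rm -rf "$dir"; return 1; }

    # 2) passphrase in a file created under umask 077 (owner-only, mode 0600)
    (umask 077; printf '%s\n' "$pass" > "$dir/pass.txt")
    gen_private_key_from_file "$dir/key2.pem" "$dir/pass.txt" "$bits"
    is_encrypted_pem "$dir/key2.pem" || { rm -rf "$dir"; return 1; }

    # 3) correct passphrase produces a public key; a wrong one must fail
    printf '%s\n' "$pass" | extract_public_key "$dir/key1.pem" "$dir/key1.pub"
    grep -q 'BEGIN PUBLIC KEY' "$dir/key1.pub" || { rm -rf "$dir"; return 1; }
    if printf 'not-the-passphrase\n' | extract_public_key "$dir/key1.pem" "$dir/bad.pub"; then
        rm -rf "$dir"; return 1
    fi

    rm -rf "$dir"
    return 0
}
```

Run it with `demo 3072` (or `demo 2048` for a quicker test); for a real deployment, combine `prompt_passphrase | gen_private_key /etc/ssl/private/key.pem` so the passphrase goes from the terminal straight into openssl's stdin. The `is_encrypted_pem` check is the one-line answer to the question's first part: without a `-pass`/`-passout` option the header will be a plain `BEGIN PRIVATE KEY` and the check fails.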