Use the openssl genrsa command to generate an RSA private key. The generated key can be customized by specifying the key size and, optionally, a cipher with which the key file is encrypted.
openssl genpkey vs genrsa
The openssl genpkey utility has superseded the genrsa utility. While the genrsa command is still valid and in use today, it is recommended to start using genpkey. For more information, read our post on openssl genpkey.
openssl genrsa 2048 example without passphrase
- openssl genrsa -out key.pem 2048
Where -out key.pem is the file that will contain the plain text private key, and 2048 is the numbits argument, the key size in bits. Running this command writes an unencrypted 2048-bit RSA private key to key.pem.
openssl genrsa 4096 example without passphrase
- openssl genrsa -out key.pem 4096
Where -out key.pem is the file that will contain the plain text private key, and 4096 is the numbits argument, the key size in bits. Running this command writes an unencrypted 4096-bit RSA private key to key.pem.
openssl genrsa password example
- openssl genrsa -out key.pem -aes256
Where -out key.pem is the file that will contain the AES-encrypted private key, and -aes256 selects the cipher: AES with a 256-bit key in CBC mode. Because no -passout option is given, openssl prompts for the passphrase.
Note that other ciphers are also supported, including aria, camellia, des, des3, and idea.
Running this command writes an AES-256-encrypted RSA private key to key.pem.
How to verify that the private key is encrypted
Display the private key file. An encrypted key in the traditional format looks like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,<IV in hex>

<base64-encoded encrypted key>
-----END RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED indicates that the key is encrypted.
DEK-Info: AES-256-CBC names the cipher used for the encryption.
If the private key is not encrypted, the Proc-Type and DEK-Info lines are absent from the file. Keys written in PKCS#8 format (what genpkey produces, and the default for genrsa from OpenSSL 3.0 onwards) carry no such headers; there an encrypted key starts with -----BEGIN ENCRYPTED PRIVATE KEY----- and an unencrypted one with -----BEGIN PRIVATE KEY-----. If security is important, note that a private key should almost always be encrypted AND kept in a secure place.
openssl genrsa example with passphrase
openssl genrsa -passout
The -passout flag takes an argument that tells openssl where to read the passphrase from. The supported forms are:
- pass:password – password is the literal passphrase. Use this only when security is not critical, because the passphrase ends up in the shell history and is visible to other users through process listings.
- env:var – var is the name of an environment variable holding the passphrase.
- file:pathname – pathname is a file containing the passphrase. The first line of the file is used as the passphrase.
- fd:number – read the passphrase from file descriptor number, for example the read end of a pipe.
- stdin – read the passphrase from standard input.
Examples of openssl genrsa -passout with a 2048-bit key size, taking the passphrase foobar from the command line and from the file passphrase.txt respectively:
- openssl genrsa -aes128 -passout pass:foobar 2048
- openssl genrsa -aes128 -passout file:passphrase.txt 2048
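The file: form of -passout shown above, combined with the header check from the verification section, as an added shell example that is not part of the original page. The file names and the passphrase are placeholders, and the demo part assumes openssl is on the PATH; the check itself also recognises PKCS#8 keys, which the page's header description does not cover.

```shell
#!/bin/sh
# Added example, not from the original page: generate a passphrase-protected
# RSA key with genrsa and confirm from the PEM headers that it is encrypted.
# The file names and the passphrase used below are placeholders for the demo.
set -eu

# key_is_encrypted FILE: succeeds if the PEM carries encryption markers.
# Handles the traditional "RSA PRIVATE KEY" format described on this page
# (Proc-Type / DEK-Info headers) as well as PKCS#8, which genpkey and
# OpenSSL 3.x write and which marks encryption in the BEGIN line instead.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
        grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_cipher FILE: prints the cipher named in the DEK-Info header, if any
# (empty for PKCS#8 keys, whose cipher parameters sit inside the base64 body).
key_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# generate_encrypted_key OUTFILE PASSFILE BITS: genrsa with -passout file:,
# so the passphrase never shows up in shell history or in a process listing.
generate_encrypted_key() {
    openssl genrsa -aes256 -passout "file:$2" -out "$1" "$3"
}

# Demo, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    umask 077      # key and passphrase files readable by their owner only
    work=$(mktemp -d)
    printf '%s\n' 'demo-passphrase-change-me' > "$work/passphrase.txt"
    generate_encrypted_key "$work/key.pem" "$work/passphrase.txt" 2048
    if key_is_encrypted "$work/key.pem"; then
        echo "key.pem is encrypted; DEK-Info cipher: $(key_cipher "$work/key.pem")"
    else
        echo "key.pem is NOT encrypted" >&2
        exit 1
    fi
    # -check must decrypt the key first, so it succeeds only with the passphrase.
    openssl rsa -in "$work/key.pem" -passin "file:$work/passphrase.txt" -noout -check
    rm -rf "$work"
fi
```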
How to remove a private key password using openssl
If you need to store the decrypted version of your private key, run the following openssl rsa command. Removing the encryption from a private key makes it easier to steal and is not recommended where the security of the key matters. If a private key is stolen, encrypted or not, replace it immediately, revoke any associated public key or certificate, and conduct a security review of the system to make sure the new private key cannot be stolen the same way.
openssl rsa -in key.pem -out decrypted-key.pem
Where rsa is the openssl subcommand for processing RSA keys, -in key.pem is the encrypted RSA private key file, and -out decrypted-key.pem is the file that will receive the decrypted private key. Since no -passin option is given, openssl prompts for the passphrase of key.pem.
RFC 3447, section 3.2 (https://tools.ietf.org/html/rfc3447#section-3.2), gives a much more technical description of an RSA private key.
Further notes on OpenSSL genrsa
genrsa has been superseded by genpkey. The use of the genpkey program is encouraged over the algorithm-specific utilities because additional algorithm options and ENGINE-provided algorithms can be used.
genpkey allows us to generate the following key types: RSA, RSA-PSS, EC, X25519, X448, ED25519 and ED448.