Encrypting RSA Keys

This section provides a tutorial example on how to store RSA keys encrypted with password protection.

An RSA key is a pair of a private key and a public key. The private key should not be shared with anyone else, so it is strongly recommended to store RSA keys in an encrypted form, protected with a password.

Here is how to use OpenSSL to generate an RSA key pair and encrypt it using the DES3 algorithm:

herong> openssl genrsa -des3 -out herong_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
...............................................+++
................................................................+++
e is 65537 (0x10001)
Enter pass phrase for user.key: mykey
Verifying - Enter pass phrase for user.key: mykey

herong> more herong_rsa.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,61523E68F580569D

MC5FNOEYflddyBF2orcTtzHSUpzrevcxZpbUU827hdmgDEoZKg54VVd9xGnxnodm
hq1LSenM1AxWO5Bzzmxr3WCiz94xPxNSUd/1f9eonaVZT7CaVzn533lj3G26uvtO
OyNXyBcb/kUGHXeCeGU322lB1p8gShOC/P9ip/wQvlR2yaSQGc4xKwON7O4dAvtM
rfoV0YJNCiK/tbK/5YBykMTYBsIAqJRmKKyAILd38dd0/lDTmLDxn2SEmMmuGjTC
yYEXZfW1PJn+gELSD1xysQ58wVtBXvdbQWG0RJYukseLurZABSyz4Lvg8fUboBAJ
42DFO101aaCWR/uuZefNPbPzBWrdh2w+ptqxWTKTOTYoqgrW15VdRE/4YH1N8R8a
wbzOS1oDbiRWH2WXcJ+E1dxh4UEoGuNkCV8W3nmVTvE=
-----END RSA PRIVATE KEY-----

Perfect. The extra parameter "-des3" tells the "genrsa" command to generate a key pair and encrypt it immediately with the DES-EDE3-CBC algorithm, as recorded in the "Proc-Type" and "DEK-Info" headers of the output file.

The above command is good for encrypting the key pair at the time of generation. How about encrypting a previously generated key pair? This can be done with the "rsa" command:

herong> openssl genrsa -out herong_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 512 bit long modulus
....++++++++++++
.++++++++++++
e is 65537 (0x10001)

herong> more herong_rsa.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAKnmGcbuiAGG2XKek5LbVwF7AoT8HuNXXip7KyWevbrFlSxJWSjf
pmeGJo7/Nsw6hFwor28RyAy1wsW5BNYOXdECAwEAAQJAQsEsI6OZQLBRQ93Wsf8I
goZoiQPexwiO8TYPz+o9NeLELOzhYHiKuzOO5c2oVYXTSgM9IMCCo35fkzOlTdyj
oQIhANe/bnRWtO+7gSbcqmINtFW12pbkgzQ+SlQxp7HSNL3FAiEAyZjTrFGKlG9k
Ub4EcNFkWjIzOM/vHifYdmB/ZO9ZzJ0CIHEnEYMqxpLFQKNlMGdk0KPzUMW666VG
1iz6Lf1xRgARAiEAplhZiR27iKGlmKF/TowpDxfPFjjVaP+d6IfVdrbdVS0CIQCY
OHLGbU3QZn2VjSUH/BF4kP7cEPDngxbYiZ2+f2D77Q==
-----END RSA PRIVATE KEY-----

herong> openssl rsa -in herong_rsa.key -des -out herong_rsa_des.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

herong> more herong_rsa_des.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,C386818044590B20

10JtM182aDIEMcGLGHXC51woLVdcsYWAAp0tCI1NKJRy/ZBKQLs7gzgGD9ZFBA3D
eZ0W7CVT226yDNSAq/3G+st1cR3kfFmxO3cfT8DHKV4zJVLSRrKfklURp0SdfaB6
LLpbdz9OSwxYphVTBTQAaeLYBipZhyV5BJZeQH40b5S3SclHid5Bn3SaxmFIgRCp
X07GQkiVU+KLhW4Q2v7uV7qU/dlym7WAsxlw4vEw9EhLw2RTPGEC0IaTzPtgWnsE
wQcvS0gDg5C8sP/rpHdQcZFCqpt4+n9M/p1Ciz1d0DNYRefvZnmf9w/z02oT3KY+
nJxrL6kh2kYVUOQKSwlA4Swtt4lPy6gimg+1xG96+BnrG803FYQ23rlusCThg+yw
lHpltupnF9YW38dParIlLsxMxFRhRc8qNZSAwnBHP78=
-----END RSA PRIVATE KEY-----
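
The "Proc-Type" and "DEK-Info" headers shown above are enough to tell whether a key file on disk is password protected and with which cipher. The script below is an added example, not part of the original tutorial: the function names key_protection and audit_keys and the sample file are constructed for illustration, and it only reads the traditional "RSA PRIVATE KEY" PEM format shown in this section. It flags keys stored in plaintext and keys encrypted with single DES (as produced by "-des"), whose key is only 56 bits.

```shell
#!/bin/sh
# Added example (not from the original tutorial): classify PEM RSA key files
# by the Proc-Type / DEK-Info headers shown in this section.

# key_protection FILE -> plaintext | encrypted:<cipher> | weak:<cipher> |
#                        malformed | not-a-key
key_protection() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF files
        /^-----BEGIN RSA PRIVATE KEY-----/ { inkey = 1; next }
        /^-----END RSA PRIVATE KEY-----/   { exit }
        !inkey                             { next }
        /^Proc-Type:.*ENCRYPTED/           { enc = 1; next }
        /^DEK-Info:/ {
            sub(/^DEK-Info:[ \t]*/, "")
            n = split($0, f, ",")                 # "<cipher>,<hex IV>"
            if (n == 2) { cipher = f[1]; iv = f[2] }
        }
        END {
            if (!inkey)                        print "not-a-key"
            else if (!enc)                     print "plaintext"
            else if (cipher == "" || iv == "") print "malformed"
            else if (cipher ~ /^DES-(CBC|CFB|OFB|ECB)$/) print "weak:" cipher
            else                               print "encrypted:" cipher
        }' "$1"
}

# audit_keys FILE... -> prints "FILE: status"; returns 1 if any key is
# stored in plaintext, uses single DES, or has a malformed header.
audit_keys() {
    rc=0
    for f in "$@"; do
        s=$(key_protection "$f")
        printf '%s: %s\n' "$f" "$s"
        case $s in plaintext|weak:*|malformed) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample (placeholder body, headers in the format shown above).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0011223344556677' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/des3.key"
audit_keys "$demo/des3.key"
rm -rf "$demo"
```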
