If you do not use a passphrase, then the private key is not encrypted with any symmetric cipher; it is output completely unprotected.
You can create a key pair by supplying the password on the command line using a call like this (in this case the password foobar):
openssl genrsa -aes128 -passout pass:foobar 3072
However, note that this passphrase can be captured by any other process running on the machine at that time, since command line arguments are usually visible to all processes.
The best alternative is to write the passphrase into a temporary file that is protected by file permissions, and specify that file:
openssl genrsa -aes128 -passout file:passphrase.txt 3072
Or supply the passphrase on standard input:
openssl genrsa -aes128 -passout stdin 3072
You can also use a named pipe with the file: parameter or a file descriptor.
To then obtain the corresponding public key, you need to use openssl rsa, supplying with the -passin parameter the same passphrase that was used to encrypt the private key:
openssl rsa -passin file:passphrase.txt -pubout
(This expects the encrypted private key on standard input; you can instead read it from a file using -in <file>.)
An example of creating a 3072-bit private and public key pair in files, with the private key encrypted with the password foobar:
openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub
caf Nov 29 '10 at 2:30
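The procedure above (protected passphrase file, encrypted key generation, public key extraction) as an added example in POSIX shell; this is not code from caf's answer, and the function names, file names and the passphrase foobar are constructed for the example. It also checks that the resulting key really is encrypted, which is what goes wrong silently if the -passout option is mistyped.

```shell
#!/bin/sh
# Added example (not from the original answer): generate a passphrase-encrypted
# RSA private key without putting the passphrase on the command line, then
# extract the public key. File names and the passphrase are constructed.
set -e

# Write the passphrase to a file readable only by the current user.
# umask 077 makes the file 0600 at creation, so there is no window in which
# it exists with looser permissions.
make_passfile() {
    passfile=$1
    passphrase=$2
    (umask 077 && printf '%s' "$passphrase" > "$passfile")
}

# Create a 3072-bit RSA key encrypted with AES-128, reading the passphrase
# from the protected file instead of pass:... (which ps would show).
gen_encrypted_key() {
    passfile=$1
    keyfile=$2
    openssl genrsa -aes128 -passout "file:$passfile" -out "$keyfile" 3072 2>/dev/null
}

# Extract the public key, supplying the same passphrase with -passin.
extract_pubkey() {
    passfile=$1
    keyfile=$2
    pubfile=$3
    openssl rsa -in "$keyfile" -passin "file:$passfile" -pubout -out "$pubfile" 2>/dev/null
}

# Check: an encrypted PEM private key carries "Proc-Type: 4,ENCRYPTED" (legacy
# PEM, OpenSSL 1.x) or a "BEGIN ENCRYPTED PRIVATE KEY" line (PKCS#8, OpenSSL 3).
# An unencrypted key contains neither.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Run the whole procedure in a private temporary directory; removing the
# directory afterwards also disposes of the passphrase file.
demo() {
    dir=$(mktemp -d)
    make_passfile "$dir/passphrase.txt" 'foobar'
    gen_encrypted_key "$dir/passphrase.txt" "$dir/privkey.pem"
    extract_pubkey "$dir/passphrase.txt" "$dir/privkey.pem" "$dir/pubkey.pem"
    key_is_encrypted "$dir/privkey.pem" && echo "private key is encrypted"
    rm -rf "$dir"
}

if [ "${1:-}" = run ]; then demo; fi
```

Invoke the script with the argument run to execute demo; keep the passphrase file only as long as the key operations need it.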