I have this command:
openssl genrsa -des3 -out host.key 1024
It asks me for a password, and I want to automate it! How I can make it read the password from a text file (host.pass) so it will not ask me, or have it ignore the password? Which approach is better?
Have a look at the manpage of openssl and genrsa. According to these you can use the option -passout file:host.pass.
By omimtting -des3 you won't be prompted for a passphrase (i.e. the key will not be encrypted).
Related
Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
I am needing to automate the generation of self signed SSL certificates for testing purposes for a project. I am generating a certificate and key using the following OpenSSL command:
> openssl req -x509 -newkey rsa:2048 -keyout myserver.key -out myserver.crt -subj "/C=US/ST=California/L=San Diego/O=Development/OU=Dev/CN=example.com"
During generation you are prompted to create a PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
How can I automate this? I have tried the -passin argument like this:
openssl ...... -passin pass:foobar .....
also
openssl ...... -passin file:secretfile.txt .....
But in both cases it still asks for to create a PEM pass phrase. From what I read I think that passin is only adding a password to the key file...
Is it possible to automate this somehow?
The process creates a password protected key file. It thus needs a password which gets used to store this output file. But the -passin argument you use is for reading an input file. From the documentation:
-passin arg - the input file password source
Instead you need the proper option to specify the output password, i.e.
-passout arg - the output file password source
I have a piece of embedded software generating P12/PFX formatted output data.
The PFX is not password protected, that means instead of using a password-derived encryption/mac key the data is encrypted with a public key and signed with my private key.
In RFC7292 section 3.1 this is called public-key privacy and integrity modes.
My question is, how can I validate the PFX I receive, e.g. using openssl? (I'm not restricted to use openssl, by the way I google'd around but could not find a way...)
I tried
openssl pkcs12 -info -in test.pfx
but openssl requests a password, which is not applicable here. Did I miss any option to not being asked for a password?
openssl pkcs12 -info -in test.pfx -passin pass: -passout pass:
Alternatively, you can just use
openssl pkcs12 -info -in test.pfx
and when it asks for Import Password or PEM Pass Phrase (and you didn't use any while generating the pfx file), just press Enter.
openssl pkcs12 -in keyStoreWithoutPW.p12 -info -passin pass: -passout pass:
I'm following Heroku's documentation to generate a private key for an SSL certificate.
When I execute the command openssl genrsa -des3 -out server.pass.key 2048, I get the following result:
$ openssl genrsa -des3 -out server.pass.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................+++
..................................................+++
I can't get to the prompt where I'm supposed to enter the passphrase for the keys.
I don't understand why OpenSSL fails to complete. I've generated keys without triple DES, so I guess the error is in the encryption. How can I get this solved?
I saw this exact symptom in a Git for Windows shell.
It might be that it gets stuck trying to ask for a password but can't.
So as suggested here I added -passout pass:MyPassword and it worked.
I'm trying to find a way to decrypt an encrypted file on a 'virgin' EC2-instance. These EC-instances I use (Ubuntu Lucid) only hold my AWS-created public ssh-key. If can use this to decrypt a file, I can feed it encrypted files (for example a bash-script holding a password to my subversion-repository).
So, my question, can I use my ssh-key to encrypt/decrypt a file?
The file:
echo 'This is a sekret' >/tmp/msg.txt
Export public key (in case you don't have it/lose it):
openssl rsa -in ~/private.pem -out /tmp/public.pub -outform PEM -pubout
Encrypt file with public key (anyone can have this key):
openssl rsautl -encrypt -inkey /tmp/public.pub -pubin -in /tmp/msg.txt -out /tmp/file.enc
Decrypt the file with private key (only you should have the private key):
openssl rsautl -decrypt -inkey ~/private.pem -in /tmp/file.enc -out /tmp/decrypted.txt
The decoded message:
cat /tmp/decrypted.txt
You can use a public key to encrypt a file but you will need the corresponding private key to decrypt it. So, yes, you should be able to use your ssh-key to encrypt/decrypt a file, as long as you have access to both the public and private key.
If you just want to encrypt/decrypt using your ssh keys, ssh-vault could be useful, more info here: http://ssh-vault.com/about/