32

I have got a file myfile-privkey.pem.

How do I check if the private key file is password protected using ssh-keygen?

Wojtek

4 Answers

32

ssh-keygen -y -f myfile-privkey.pem

If the key is password protected, you will see a "password:" prompt.

The flags in this command are:

-y Read private key file and print public key.
-f Filename of the key file.

As extra guidance, always check the command someone, especially online, is telling you to use when dealing with your private keys.

M1ke
dmourati
  • 2
    I wish more people would actually explain the flags like it's done here :) – Martin Nielsen Sep 26 '16 at 08:27
  • 1
    If the goal is NOT to pause to actually ask for a password, but just test if the key is encrypted, I would include a few more things (and test status)... SSH_ASKPASS= ssh-keygen &/dev/null -y -f key.pem – anthony Jan 27 '21 at 06:14
18

It is pretty easy to see if an SSH key has been encrypted. Simply look for the Proc-Type: 4,ENCRYPTED in the body. Here are a few example keys in various forms.

RSA with password

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AF51A101888567A12C6E384AFBD2B963

AAp6xVAtPP/qmr8T1WjAac8jjfQmToW8Hd4ik95zA/fkH2SJgy7hwuyl1AuVyQuq

RSA without password

-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAwwXQEPzdutisd8Wl/TSNrp4HVnY7R87at30OiN46GcPPcV6q

DSA with password

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2B9F1E1503F57CCC663397AB03CBF3F9

MVJ+F/AoJKW/XGtx0N2yrmLfJc276XIZzGYHRuCHmxUXlRkWpmi9gSUO8bNWgymf

DSA without password

-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQD1qn6U7ve6yqHTu1XuiOyF/9A+n3MJFXNrTt9jHg7Pn5zssqwO

ECDSA with password

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5A3BB12B9B9E17A9A569001A0498969D

LrGoz5tXNI4KMxx7zb1H6beJZ8kEwc2FLLglD0kNzilTLeNMooC1NoMNhRD9XCo6

ECDSA without password

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILU3EwLQa2rSZdIMkbiE5VDrjlcoeJEF5IsYfGy0Hz4JoAoGCCqGSM49
AwEHoUQDQgAEHJCNvU9hVeByhp9CpSmvHphb82iSp52pL0ZJqVvqFY/swXPB1NMU
Zoredache
  • 4
    Checking for “Proc-Type: 4,ENCRYPTED” works for traditional encrypted keys, but it doesn’t show up in the new OpenSSH private key format (that starts with `-----BEGIN OPENSSH PRIVATE KEY-----`) — [more details here](http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf). – Honore Doktorr Aug 21 '16 at 21:17
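
The header check from the answer above, extended to the new OpenSSH format raised in the comment, where the cipher name sits inside the base64 body instead of a text header. This is an added example, not code from the answer or from OpenSSH; it also treats the PKCS#8 `ENCRYPTED PRIVATE KEY` label as encrypted (a generalization beyond the answer), and the sample keys are constructed placeholders, not real key material.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC from OpenSSH's PROTOCOL.key

def is_passphrase_protected(pem_text: str) -> bool:
    """Classify a private key as encrypted or not without prompting or decrypting."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM-armoured key block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8: encryption is in the label
        return True
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)  # length-prefixed ciphername
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated ciphername field")
        return cipher != b"none"
    # Traditional PEM (RSA/DSA/EC): encryption is declared in a text header.
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", body, re.M) is not None

def sample_openssh(cipher: bytes) -> str:
    """Constructed header-only blob for the demo; not a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                     "QUJDRA==\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_PLAIN = "-----BEGIN EC PRIVATE KEY-----\nQUJDRA==\n-----END EC PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, text in [("legacy, encrypted", SAMPLE_LEGACY_ENC),
                       ("legacy, plain", SAMPLE_LEGACY_PLAIN),
                       ("openssh, aes256-ctr", sample_openssh(b"aes256-ctr")),
                       ("openssh, none", sample_openssh(b"none"))]:
        print(f"{name}: {is_passphrase_protected(text)}")
```

Because it only reads the file's own metadata, this check never prompts, which makes it suitable for auditing a directory of keys in a script.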
8

If the following command asks for the key then it is password protected.

openssl rsa -in myfile-privkey.pem -noout
Stone
6

If it is not protected, you can set up the password:

ssh-keygen -p -P "" -N "strong-password" -f unprotected.pem
Andy