-2

According to this:

How do I change my private key passphrase?

it is possible to change your private RSA/DSA key passphrase any time. Is there a way to generate a key with a passphrase that is set once and cannot be altered?

  • If you wanted to have an unchangeable private key, then you would probably need to consider looking at hardware-based keys, i.e. a private key exists on a physical token. – Zoredache May 19 '19 at 05:56

1 Answer

1

No, and the question doesn't make sense either. There is no reason for this. A private key is just that.

Michael Hampton
  • It certainly does make sense in some contexts - for example, in the context of ensuring a certain security posture - such as a private key with a mandated passphrase. That makes the mere theft of that private key of little advantage to the bad guy as he is still one authentication factor short of success. – Boris Epstein May 19 '19 at 18:00
  • No, you don't "mandate" a passphrase. That's something that stays in your head and is never shared with anyone. Your proposal is a frightening loss of security. – Michael Hampton May 19 '19 at 18:01
  • @BorisEpstein I wouldn't consider the password on a private key a different factor from the private key itself. I understand that one issue with a user changing their own private key password is they may make it insecure (mom's birthday) or remove it entirely, but perhaps a better solution would be adding a password factor to the login system itself that /can/ be regulated, since this simply isn't possible or advisable for a private key. – persona15 May 19 '19 at 19:52