Adding or Removing a Passphrase from an Existing OpenSSL Private Key
A private key generated without passphrase protection can have one added later using 'openssl rsa -aes256' without regenerating the key pair. Conversely, an existing passphrase can be removed by omitting the encryption flag from the same command. Both operations replace the original key file in-place and should be followed by restricting file permissions to 400.
Indicators
- Private key file exists without passphrase protection and security requirements have changed
- Automation or scripting pipeline requires an unencrypted private key and the current key is passphrase-protected
- Threat model reassessment demands stronger protection on an existing unencrypted private key
- Need to change key encryption without generating a new key pair or CSR
Likely causes
- Private key was generated without a passphrase at creation time
- Security requirements or compliance posture changed after initial key generation
- Automation or scripting needs require an unencrypted key to avoid interactive passphrase prompts
- Threat model reassessment identified an existing unprotected key as a risk
Diagnostic steps
- Verify the current state of the private key: run `openssl rsa -in your.key -text -noout`. If prompted for a passphrase, the key is already encrypted. If it outputs key details without prompting, the key is unencrypted.
- To ADD a passphrase with AES-256 encryption, run: `openssl rsa -aes256 -in your.key -out your.encrypted.key`. You will be prompted to enter and confirm a new passphrase. Avoid legacy algorithms such as `-des` or `-des3`.
- Replace the original key file with the newly encrypted version: `mv your.encrypted.key your.key`
- Restrict permissions on the key file to owner read-only: `chmod 400 your.key`
- To REMOVE a passphrase from an encrypted key, run: `openssl rsa -in your.key -out your.open.key`. You will be prompted for the current passphrase one final time. Omitting any encryption flag causes the output to be written unencrypted.
- Replace the original key with the unencrypted version and restrict permissions: `mv your.open.key your.key && chmod 400 your.key`
- Verify the operation succeeded by re-running `openssl rsa -in your.key -text -noout` and confirming whether or not a passphrase prompt appears as expected.
Resolution path
- Determine whether you need to add or remove the passphrase from the existing private key
- Confirm the current encryption state with: `openssl rsa -in your.key -text -noout`
- To add a passphrase: run `openssl rsa -aes256 -in your.key -out your.encrypted.key`, enter and confirm the desired passphrase when prompted
- To remove a passphrase: run `openssl rsa -in your.key -out your.open.key`, enter the current passphrase when prompted
- Replace the original key file with the output file using `mv`
- Set restrictive file permissions with `chmod 400 your.key` to prevent unauthorised access
- Verify the operation by testing key access and confirming passphrase prompt behaviour matches expectations
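The diagnostic steps and the resolution path above are written for an interactive session, where the passphrase prompt itself tells you the key's state. The script below is an added example (not part of the original page) that carries the same procedure through non-interactively: it decides the encryption state by reading the PEM envelope instead of waiting on a prompt, hands the passphrase to `openssl` through an environment variable, creates the replacement file with restrictive permissions before renaming it over the original, and confirms that the public key is unchanged afterwards. It assumes OpenSSL 1.1 or 3.x on the PATH and a POSIX shell; the function names, the `KEY_PASS` variable, the `your.key` path and the demo passphrase are all constructed for this example. Note that OpenSSL 3 writes encrypted keys in the PKCS#8 `ENCRYPTED PRIVATE KEY` envelope, while 1.1 writes `RSA PRIVATE KEY` with a `Proc-Type: 4,ENCRYPTED` header; the state check covers both.

```shell
#!/bin/sh
# Added example, not part of the original page: scripted version of the
# add/remove-passphrase procedure. Assumes OpenSSL 1.1 or 3.x on PATH and a
# POSIX shell. The passphrase is passed through the KEY_PASS environment
# variable (openssl's `env:` passphrase source), so it never appears in the
# process list or shell history, and the commands never block on a prompt.
set -u

# Report the key's encryption state by inspecting the PEM envelope rather than
# running `openssl rsa -text`, which would hang waiting for a passphrase in a
# script. Covers the PKCS#8 envelope OpenSSL 3 writes ("ENCRYPTED PRIVATE KEY")
# and the legacy "RSA PRIVATE KEY" + "Proc-Type: 4,ENCRYPTED" header of 1.1.
# Prints encrypted | unencrypted | unknown.
key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q -e '^-----BEGIN PRIVATE KEY-----' \
                 -e '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo unknown; return 1
    fi
}

# SHA-256 of the DER public key. It must be identical before and after a
# passphrase change: only the container is re-encrypted, the key material is
# untouched. KEY_PASS must be set even for an unencrypted key, because openssl
# resolves the env: source before it knows whether a passphrase is needed.
key_fingerprint() {
    pub="$1.pub.$$"
    openssl rsa -in "$1" -pubout -outform DER -out "$pub" -passin env:KEY_PASS \
        2>/dev/null || { rm -f "$pub"; return 1; }
    openssl dgst -sha256 -r "$pub" | cut -d' ' -f1
    rm -f "$pub"
}

# The new key is written to a temp file in the same directory (created 0600 via
# umask in a subshell), set to 400, then renamed over the original, so a crash
# can never leave a half-written or world-readable key behind.
replace_key() {  # $1 = original path, $2 = temp path
    chmod 400 "$2" && mv -f "$2" "$1"
}

# Add an AES-256 passphrase (the page's `openssl rsa -aes256`), refusing to
# run on a key that is not currently unencrypted.
add_passphrase() {
    [ "$(key_state "$1")" = unencrypted ] || { echo "$1: not an unencrypted key" >&2; return 1; }
    tmp="$1.tmp.$$"
    (umask 077; openssl rsa -aes256 -in "$1" -out "$tmp" -passout env:KEY_PASS) \
        || { rm -f "$tmp"; return 1; }
    replace_key "$1" "$tmp"
}

# Remove the passphrase (same command with no cipher flag), refusing to run on
# a key that is not encrypted.
remove_passphrase() {
    [ "$(key_state "$1")" = encrypted ] || { echo "$1: not an encrypted key" >&2; return 1; }
    tmp="$1.tmp.$$"
    (umask 077; openssl rsa -in "$1" -out "$tmp" -passin env:KEY_PASS) \
        || { rm -f "$tmp"; return 1; }
    replace_key "$1" "$tmp"
}

# Self-check on a throwaway 2048-bit key in a temp dir: add, verify, remove,
# verify. Returns 0 only if state, permissions and fingerprint all check out.
demo() {
    d=$(mktemp -d) || return 1
    k="$d/your.key"
    KEY_PASS='constructed-demo-passphrase'; export KEY_PASS   # constructed, demo only
    openssl genrsa -out "$k" 2048 2>/dev/null || return 1
    before=$(key_fingerprint "$k") || return 1
    [ "$(key_state "$k")" = unencrypted ] || return 1
    add_passphrase "$k" || return 1
    [ "$(key_state "$k")" = encrypted ] || return 1
    [ "$(ls -l "$k" | cut -c1-10)" = "-r--------" ] || return 1
    [ "$(key_fingerprint "$k")" = "$before" ] || return 1
    remove_passphrase "$k" || return 1
    [ "$(key_state "$k")" = unencrypted ] || return 1
    [ "$(key_fingerprint "$k")" = "$before" ] || return 1
    rm -rf "$d"
}
```

Source the file and call `KEY_PASS='...' add_passphrase your.key` or `remove_passphrase your.key`; `demo` runs the whole round trip on a disposable key. The `env:` passphrase source is used deliberately instead of `pass:` on the command line, which would expose the passphrase to every local user via `ps`. The fingerprint comparison is the scripted equivalent of the page's final verification step: if the public key after the operation differs from the one before, the wrong file was replaced.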
Prevention
- Always protect private keys with a strong passphrase using a modern algorithm such as AES-256 at key creation time
- Avoid using weak or deprecated encryption algorithms such as DES or 3DES for private key protection
- Set file permissions to 400 on all private key files immediately after generation or modification
- Regularly reassess your threat model to ensure key protection aligns with current security requirements
- Prefer `-aes256` or `-camellia256` as the encryption cipher option when protecting private key files
- Store encrypted private keys in secure, access-controlled locations with audit logging
- Where automation requires unencrypted keys, isolate those keys in tightly access-controlled service accounts and compensate with additional host-level controls
Tools
- openssl rsa
- mv (Unix file move/rename command)
- chmod (Unix file permission command)