Password protect a pem file

LampShade picture LampShade · Dec 1, 2017 · Viewed 12.1k times · Source

I'd like to SSH into my EC2 instance with a password protected pem file. How do I password protect a pem file? I've done this in the past but can't remember how I did it. I took a pem file generated by AWS and ran some command on it and it generated something that looked like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<BlahBlahBlah>

<encrypted stuff is here>

-----END RSA PRIVATE KEY-----

Then when I SSH into the box, i'm specifying my password protected pem file and it asks me to enter the password before decrypting and sshing in.

I found this: https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html

Which tells me to use this command

ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key

But the resulting encrypted file (that has the correct header i'm looking for) doesn't seem to work. I'm getting "Permission denied (publickey)." when I try to ssh using that encrypted pem file. I am able to SSH into the box with the unencrypted pem file.

Answer

helloV picture helloV · Dec 2, 2017

It is because the command you are using generates a new key pair instead of protecting your existing private key.

Try using -p option of ssh-keygen

ssh-keygen -p -f my_private_key

It will prompt you for passphrase and protect your private key.

Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Now if you use my_private_key in ssh, it will prompt for passphrase and it will succeed.

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.