0

I generated a password-protected key with the command openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 --out ca.key -text -aes-256-cbc. The passphrase is "rrrr" (this example is a throwaway), and the output is:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAi+VEL8/UzdpQICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEHpyCWa1fjYAkJj3lrmvSHQEgZDK
VPcbj7CDX0tqL+ZmorVz9xpUzdQvYZOSD+G292+QCDBytOy30ZRGjyDWFlwESSVq
R1S8kmyAQn1PIfqF9ZcubnNxCv3i9Qd7Md7GXet+1NkuoZ9EbtLnXBYW6Wb7v4Uv
q6UR+SxrydElw2zwG4QZrgOe3pWLRBaR5bvihc+aGMALPxq44hHJKuxWxqRMSuM=
-----END ENCRYPTED PRIVATE KEY-----
Private-Key: (256 bit)
priv:
    3a:e6:80:81:fb:41:c6:33:4c:b3:e5:2d:51:2b:d3:
    e7:7f:ab:31:c6:f1:aa:de:b3:c1:9c:e2:08:1d:a5:
    59:70
pub:
    04:a9:e0:86:90:b7:e3:f2:d5:34:f2:4d:37:fe:bb:
    5f:fb:85:a9:f0:da:88:b5:5c:12:05:26:f1:29:16:
    1b:09:01:1f:a2:aa:54:82:02:1e:3e:f8:f8:df:30:
    3f:5a:2c:50:9b:93:35:fc:e0:63:c4:71:b8:ad:d6:
    5f:11:9a:ce:0d
ASN1 OID: prime256v1
NIST CURVE: P-256

What does the "priv" mean here? Is it the private key in plaintext? That would be shocking. Is it some hash?

Siyuan Ren
  • 103
  • 2

1 Answer

3

Yes, it is the private key.

This is because you have included the -text option in your openssl genpkey(1) command.

-text

Print an (unencrypted) text representation of private and public keys and parameters along with the PEM or DER structure.

Please remove it:

$ openssl genpkey -algorithm ec \
    -pkeyopt ec_paramgen_curve:P-256 \
    --out ca.key -aes-256-cbc
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Now, the ca.key does not have the text output at the end:

$ cat ca.key 
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAi+VEL8/UzdpQICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEHpyCWa1fjYAkJj3lrmvSHQEgZDK
VPcbj7CDX0tqL+ZmorVz9xpUzdQvYZOSD+G292+QCDBytOy30ZRGjyDWFlwESSVq
R1S8kmyAQn1PIfqF9ZcubnNxCv3i9Qd7Md7GXet+1NkuoZ9EbtLnXBYW6Wb7v4Uv
q6UR+SxrydElw2zwG4QZrgOe3pWLRBaR5bvihc+aGMALPxq44hHJKuxWxqRMSuM=
-----END ENCRYPTED PRIVATE KEY-----

You can still get it with the passphrase, though:

$ openssl pkey --in ca.key --text
Enter pass phrase for ca.key:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOuaAgftBxjNMs+Ut
USvT53+rMcbxqt6zwZziCB2lWXChRANCAASp4IaQt+Py1TTyTTf+u1/7hanw2oi1
XBIFJvEpFhsJAR+iqlSCAh4++PjfMD9aLFCbkzX84GPEcbit1l8Rms4N
-----END PRIVATE KEY-----
Private-Key: (256 bit)
priv:
    3a:e6:80:81:fb:41:c6:33:4c:b3:e5:2d:51:2b:d3:
    e7:7f:ab:31:c6:f1:aa:de:b3:c1:9c:e2:08:1d:a5:
    59:70
pub:
    04:a9:e0:86:90:b7:e3:f2:d5:34:f2:4d:37:fe:bb:
    5f:fb:85:a9:f0:da:88:b5:5c:12:05:26:f1:29:16:
    1b:09:01:1f:a2:aa:54:82:02:1e:3e:f8:f8:df:30:
    3f:5a:2c:50:9b:93:35:fc:e0:63:c4:71:b8:ad:d6:
    5f:11:9a:ce:0d
ASN1 OID: prime256v1
NIST CURVE: P-256
Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
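The two points above, that "priv:" is the raw private scalar itself and that a key file should not carry the -text dump next to its PEM block, as an added Python example (this is not code from the question or the answer): it parses the dump posted in the question, re-derives the "pub:" point from "priv:" with a small P-256 scalar multiplication, and flags a key file that contains the plaintext dump alongside the encrypted PEM. The curve constants are the published NIST P-256 domain parameters; the sample key text is the throwaway key from the question, embedded as a constructed input. The helper names (parse_text_dump, derive_public_key, leaks_plaintext_key) are this example's own.

```python
# Added example: what the priv:/pub: fields of `openssl ... -text` are, and a
# check for key files that carry that dump next to the PEM block.
import re

# NIST P-256 (prime256v1) domain parameters from FIPS 186-4.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Constructed sample: the leaky ca.key from the question (encrypted PEM followed
# by the -text dump). The asker states this key is a throwaway.
LEAKY_CA_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAi+VEL8/UzdpQICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEHpyCWa1fjYAkJj3lrmvSHQEgZDK
VPcbj7CDX0tqL+ZmorVz9xpUzdQvYZOSD+G292+QCDBytOy30ZRGjyDWFlwESSVq
R1S8kmyAQn1PIfqF9ZcubnNxCv3i9Qd7Md7GXet+1NkuoZ9EbtLnXBYW6Wb7v4Uv
q6UR+SxrydElw2zwG4QZrgOe3pWLRBaR5bvihc+aGMALPxq44hHJKuxWxqRMSuM=
-----END ENCRYPTED PRIVATE KEY-----
Private-Key: (256 bit)
priv:
    3a:e6:80:81:fb:41:c6:33:4c:b3:e5:2d:51:2b:d3:
    e7:7f:ab:31:c6:f1:aa:de:b3:c1:9c:e2:08:1d:a5:
    59:70
pub:
    04:a9:e0:86:90:b7:e3:f2:d5:34:f2:4d:37:fe:bb:
    5f:fb:85:a9:f0:da:88:b5:5c:12:05:26:f1:29:16:
    1b:09:01:1f:a2:aa:54:82:02:1e:3e:f8:f8:df:30:
    3f:5a:2c:50:9b:93:35:fc:e0:63:c4:71:b8:ad:d6:
    5f:11:9a:ce:0d
ASN1 OID: prime256v1
NIST CURVE: P-256
"""
# The same file after re-running genpkey without -text: the PEM block only.
CLEAN_CA_KEY = (LEAKY_CA_KEY.split("-----END ENCRYPTED PRIVATE KEY-----")[0]
                + "-----END ENCRYPTED PRIVATE KEY-----\n")


def _add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1, so the sum is infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=(GX, GY)):
    """Double-and-add k*point (not constant-time; only for offline checks)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def derive_public_key(priv):
    """Uncompressed SEC1 encoding 04 || X || Y of priv*G, as openssl prints under pub:."""
    if not 1 <= priv < N:
        raise ValueError("private scalar out of range")
    x, y = scalar_mult(priv)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def parse_text_dump(text):
    """Extract (priv scalar, pub bytes) from the colon-separated hex of a -text dump."""
    out = {}
    for name in ("priv", "pub"):
        m = re.search(rf"^{name}:\n((?:[ \t]+[0-9a-f:]+\n)+)", text, re.M)
        if not m:
            raise ValueError(f"no {name}: field in dump")
        out[name] = bytes.fromhex(re.sub(r"[^0-9a-f]", "", m.group(1)))
    return int.from_bytes(out["priv"], "big"), out["pub"]


def leaks_plaintext_key(key_file_text):
    """True if a PEM key file also contains a -text dump, i.e. the raw scalar in the clear."""
    return ("PRIVATE KEY-----" in key_file_text
            and re.search(r"^priv:", key_file_text, re.M) is not None)


if __name__ == "__main__":
    priv, pub = parse_text_dump(LEAKY_CA_KEY)
    print("priv scalar       :", hex(priv))
    print("pub == priv*G     :", derive_public_key(priv) == pub)
    print("leaky file flagged:", leaks_plaintext_key(LEAKY_CA_KEY))
    print("clean file flagged:", leaks_plaintext_key(CLEAN_CA_KEY))
```

The derivation shows why the dump is as sensitive as the answer says: the 32 bytes under "priv:" are the whole secret, and "pub:" is nothing more than that scalar multiplied by the generator. Because the dump is appended after the END line, an encrypted PEM header alone says nothing about whether a file is safe; running a check like leaks_plaintext_key over a key directory catches the case from the question before the file is deployed.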