I've tried converting a PEM-encoded key to DER format, and it appears the password is stripped regardless of the -passout argument.

Example:

openssl rsa -in tmp.pem -outform DER -out tmp.der -passin pass:foo -passout pass:bar -des3

The resulting key no longer appears to be password-protected, so I am assuming that DER format does not support a password - is that correct?

What alternative way is there to store this in a compact, binary form, and keep the password-protection?

Tim

1 Answer


In fact, the -passout is ignored. The last sentence of the help for -des3 in the man page is:

These options can only be used with PEM format output files.

OpenSSL's utilities just don't deal with keys in non-PEM format.

For the length of a key, why do you care whether or not base64 has made it 1/3 longer? For most file-systems, this will still be less than one block, so there will be no actual change in the amount of disk-space used.

Phil P