
I am working on a system where I need to store an RSA private key on a server.

I intend to use OpenSSL to generate the private key and to apply a passphrase to it so that the private key is encrypted on the server.

Can anyone tell me what process OpenSSL uses to encrypt the private key? In other words, how does it use the passphrase to generate an encrypted version of the private key?

I believe that TripleDES is used here somehow to symmetrically encrypt the private key. Is there a salt added to the passphrase, or can a salt be added somehow to make it more secure?

Any advice that you can give would be much appreciated.

user1022788
  • Could you please post the exact command(s) you are using to generate and encrypt the private key? – Maarten Bodewes Mar 04 '13 at 00:04
  • I am using the following command to generate the private key: `openssl genrsa -des3 -out privkey.pem 2048`. What I want to know is how the key generation process works. Specifically, how the passphrase that I have entered during the key generation process gets converted into a 3DES key. Is there any salt used, and what about an Initialisation Vector - what role does that play? I'm basically looking for a sequence of how an RSA private key gets generated and then encrypted using the provided passphrase. Thanks for your help. – user1022788 Mar 04 '13 at 00:39
  • Start tracing from here https://github.com/openssl/openssl/blob/master/apps/genrsa.c and you'll eventually get to `PEM_ASN1_write_bio`, which uses `EVP_BytesToKey` http://www.openssl.org/docs/crypto/EVP_BytesToKey.html. – indiv Mar 04 '13 at 00:59
  • Thanks for this. Can you explain to me in simple terms what the function of the Initialisation Vector is? Also where does the salt come from and where is it stored for future use? I am new to cryptography and I would like to understand what is happening here properly. – user1022788 Mar 04 '13 at 01:10
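Added example (not from the question or the commenters): the derivation that the legacy PEM writer performs with `EVP_BytesToKey` for a key produced by `openssl genrsa -des3`. The encrypted file carries a `DEK-Info: DES-EDE3-CBC,<hex>` header; the hex value is the random IV, and OpenSSL also uses its first 8 bytes as the salt. The 3DES key is built by chaining MD5 over passphrase and salt for a single iteration (the PEM header below and the passphrase are constructed sample values, and decrypting the base64 body with the resulting key/IV is left out; it needs a 3DES implementation). Encrypted PKCS#8 keys, which newer OpenSSL versions write by default, use PBKDF2 instead, so this applies only to the `RSA PRIVATE KEY` format with a `DEK-Info` header.

```python
import hashlib
import re

# Constructed sample: header lines as written by the legacy PEM encoder.
# The IV is made up and the base64 body is omitted.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0102030405060708

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

# Key sizes for the ciphers the legacy PEM format commonly uses.
KEY_LENGTHS = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-256-CBC": 32}
PKCS5_SALT_LEN = 8  # EVP_BytesToKey only consumes the first 8 salt bytes


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from the DEK-Info header."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if m is None:
        raise ValueError("no DEK-Info header: not a legacy encrypted PEM key")
    return m.group(1), bytes.fromhex(m.group(2))


def evp_bytes_to_key(passphrase, salt, key_len, count=1, digest="md5"):
    """EVP_BytesToKey key stream: D_1 = H(pass||salt), D_i = H(D_{i-1}||pass||salt).

    The PEM writer calls it with MD5 and count=1, passing the IV as salt;
    the concatenated digests are truncated to the cipher's key length.
    """
    salt = salt[:PKCS5_SALT_LEN]
    derived = b""
    block = b""
    while len(derived) < key_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        for _ in range(count - 1):  # extra rounds only when count > 1
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len]


def key_material_from_pem(pem_text, passphrase):
    """Recover (cipher, iv, key): everything needed to run the CBC decryption."""
    cipher, iv = parse_dek_info(pem_text)
    key = evp_bytes_to_key(passphrase, iv, KEY_LENGTHS[cipher])
    return cipher, iv, key


if __name__ == "__main__":
    cipher, iv, key = key_material_from_pem(SAMPLE_PEM, b"secret")
    print(cipher, "iv=" + iv.hex(), "key=" + key.hex())
```

Because the salt is stored in plaintext in the header and only one MD5 round is used, the passphrase strength is the only thing that slows down guessing; that is the reason the question's "can a salt be added to make it more secure" answers itself: the salt is already there, but it only prevents precomputation, not fast guessing.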
