On Tue, Sep 24, 2024 at 01:43:43PM -0400, Robert Moskowitz wrote:

> Right now I want to use openssl command line to be able to take as
> input an unencrypted PEM Keyfile (EdDSA) and output it password
> protected.
>
> I have created the keyfile in python using:
>
>     f.write(private_key.private_bytes(
>         encoding=serialization.Encoding.PEM,
>         format=serialization.PrivateFormat.PKCS8,
>         encryption_algorithm=serialization.NoEncryption(),
>     ))
>
> I have found that to have written it encrypted, that should be
>
>     encryption_algorithm=serialization.BestAvailableEncryption(b'xyz'))
>
> But I want to be able to work this out step by step, adding the encryption
> of the PEM keyfile.

Are you looking for help with the Python API, or the OpenSSL
command-line?  Perhaps there's a better forum for help with the Python
API?

> Thus the desire to take an existing unprotected PEM and put out a password
> protected one that I can read in to another script.
>
> Looked all over in the docs and asked Dr. Google, but my search foo is still
> weak and not finding this out.
>
> Would someone point the way for me?  :)

The "openssl genpkey" command has a "-<cipher>" option, where <cipher>
is the name of one of the EVP encryption algorithms, say
"aes-128-cbc", ...

    $ openssl genpkey -algorithm ed25519
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VwBCIEIByaUJVa2ZMoXYz/xPpQfQle6Shg0bjzXy5ZN6IxqKEB
    -----END PRIVATE KEY-----

    $ openssl genpkey -algorithm ed25519 -aes-128-cbc
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAhcqj+s5kb1CQICCAAw
    DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEBH0i7XariZNZwrYvnp0/n8EQLw/
    syV97eF0VjcwYRcvM8uuC7MuJZb/q7xCDACD5gHWK0st0QVb7PlJpSA3e3PJ4bae
    nyzLRcituSx1KLMLXrM=
    -----END ENCRYPTED PRIVATE KEY-----

Or in two steps:

    $ openssl genpkey -algorithm ed25519 | openssl pkey -aes-128-cbc
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgUKiNRdwGFmgICCAAw
    DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEJx+3f5TpnYWL9QeDsK4kuwEQDkI
    IWwhA9pdGDcKHCtNY2veeOw+hndZUNEWof1mvWOHn27Cj5TlOdS4Gc8NRlCH3Rae
    dLAPESBcQnBSyMRIYLY=
    -----END ENCRYPTED PRIVATE KEY-----

-- 
    Viktor.
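
The file-to-file case the question describes (an existing unencrypted PEM key in, a passphrase-protected one out), as an added example that is not part of the original message. It uses the "openssl pkey -aes-128-cbc" step shown above with -in/-out and a passphrase read from a file; the function names, file names and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: encrypt an existing unencrypted PKCS#8 PEM key with
# "openssl pkey". All file names and the passphrase are constructed samples.

# protect_key IN OUT PASSFILE
# Write a passphrase-protected copy of IN to OUT. The passphrase comes from
# the first line of PASSFILE, so it never appears on the command line.
protect_key() {
    in=$1 out=$2 passfile=$3
    # Only accept an unencrypted PKCS#8 key; an already encrypted file
    # ("BEGIN ENCRYPTED PRIVATE KEY") is rejected with status 2.
    grep -qF -- '-----BEGIN PRIVATE KEY-----' "$in" || return 2
    # umask 077 in a subshell so OUT is created readable by the owner only.
    ( umask 077
      openssl pkey -in "$in" -aes-128-cbc -passout "file:$passfile" -out "$out" )
}

# same_key PLAIN ENC PASSFILE
# Succeed only if ENC decrypts with PASSFILE to the same key as PLAIN,
# judged by comparing the derived public keys.
same_key() {
    a=$(openssl pkey -in "$1" -pubout) || return 1
    b=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    [ "$a" = "$b" ]
}

# demo: generate a throwaway Ed25519 key, protect it, check the round trip.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      openssl genpkey -algorithm ed25519 -out "$dir/key.pem" &&
      printf '%s\n' 'constructed-sample-passphrase' > "$dir/pass.txt" ) &&
    protect_key "$dir/key.pem" "$dir/key.enc.pem" "$dir/pass.txt" &&
    head -n 1 "$dir/key.enc.pem" &&
    same_key "$dir/key.pem" "$dir/key.enc.pem" "$dir/pass.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "round trip OK"
```

Once the encrypted copy has been verified, the unencrypted original is the file to delete or lock down; the passphrase file needs the same owner-only permissions as the key.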