Unable to encrypt private key using openssl - encryption

I have generate Rsa Key pairs using openssh. I want to encrypt private key with passphrase using openssl.
I tried to encrypt private key using openssl , but unable to do that as it is giving error message.
Used the below command to generate rsa key pair
ssh-keygen -t rsa -b 4096 -P ''-f ./Test-key
used below command to encrypt private key using openssl.
rsa -des3 -in C:\Users\vkode200\Test-key -out C:\Users\vkode200\Test-key-encrypted -passout pass:"${pass}"
I am getting below error message :
15764:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto\pem\pem_lib.c:686:Expecting: ANY PRIVATE KEY
error in rsa```
Below is the header of my generated private key
```-----BEGIN OPENSSH PRIVATE KEY-----```
I have no clue and i spent lot of time to figure out the issue, but no luck.

You can generate keys in old format by passing -m PEM:
ssh-keygen -t rsa -b 4096 -P '' -f ./Test-key -m PEM
Those should work fine with that openssl command.
If you need them in new format, you can make a copy a convert it in place with:
ssh-keygen -p -P '' -N '' -f ./Test-key -m PEM

Related

Verifying the password of generated x509 certificate

I have created a x509 certificate. There is a set of openssl commands I used to create it, for example the first command it:
openssl genrsa -passout pass:"$MYPWD" -out privkey.key 2048
where "$MYPWD" is an environment variable where I set the password. After executing this command, how would I check that the password is actually the value of MYPWD environment variable, and not just literally "$MYPWD"?
Thank you everyone in advance!
You must specify a cypher to encrypt the output.
openssl genrsa -aes256 -passout env:MYPWD -out privkey.key 2048
To verify that the password was actually set, simply read back the key:
openssl pkey -in privkey.key
You will see the password prompt.
You can also inspect the content of the privkey.key, "ENCRYPTED"... will be there.
cat privkey.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3A2E02985A117F7266F9664420F685B2
...

Convert OpenSSH ED25519 Private Key Format to PEM format

I have generated a an ED25519 SSH key pair using
ssh-keygen -t ed25519
The output of the id_ed25519 file is in OpenSSH format:
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I would like to convert it to a PEM file format. If it were an RSA key pair, there would be no need for that as an RSA id_rsa key is already in a PEM file format but the ED25519 key pair is an OpenSSH format.
How can I convert this to a PEM file format?
Use
ssh-keygen -p -f path/to/your/key -m pem
to convert your key file to PEM, but be sure to make a backup of the file first.
Taking from https://github.com/pickware/github-action-ssh-agent
I think this would work:
openssl pkey -in ed25519.pem -out ed25519.pub -pubout
It does for a private key generated this way:
openssl genpkey -algorithm ed25519 > ed25519.pem
I haven't tested ssh-keygen's private key format explicitly but I would assume that it is using OpenSSL under the hood. If the private key's base64 starts with "MC", then I would say it probably would be compatible.

Decrypt .gpg/.pgp file without a prompt

I've decrypted a file successfully using:
gpg --encrypt --recipient user#company.com myfile.txt
If I run the command below, I'm prompted for a passphrase, and decryption works:
gpg --output decrypted_myfile.txt -decrypt myfile.txt.gpg
I can't seem to get any form of non-interactive decryption working. The closest I've come is:
gpg --decrypt --batch --passphrase MYPASSPHRASE myfile.txt.gpg
This gives me:
gpg: encrypted with 2048-bit RSA key, ID F6CF3C25, created 2016-03-17
"Company_20210316 (Incoming Files) <user#company.com>"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
Is there a different way to do it?
Having error like:
gpg: decryption failed: No secret key
simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if:
gpg --list-secret-keys if it has a private key there and if not,
Import it and then trust it.
To trust, use:
gpg --key-edit <yourKey> then "trust" then "5" then "quit"
To get your keyID run:
gpg --edit-key <yourKey> then
On the first line you'll see: "Private key available"
Then two sub-keys on the left of the fist, you'll see similar to:
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your
E7E43C5C844E2917
So to explicitly export from where it was generated, the key to a file, you need to use that like this:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
This will create a secret key in a file ONLY, unlike if you use keyname in the export call. Then it will contain more than that.
Then to import use:
gpg --import yourSecretKey.asc
Then check your key in the list updated. Add a trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt and
-o the same as --output
And the value of the passphrase is the actual value I used in my test to decrypt the above and not the variable. The same created during the time key generated, and actual recommendation is to use a longer set of characters but actually any number is accepted.
Having error like: gpg: decryption failed: No secret key simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if gpg -k (same as gpg --list-keys) has a private key there and import it and then trust it,
To add trust, use "1 to 5":
gpg --key-edit <yourKey>
then trust then 5 then `quit
To get your keyID run:
gpg --edit-key <yourKey>
then first line you'll see: Private key available
then two sub-keys on the left of the fist you'll see
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your <keyID> E7E43C5C844E2917
so, to explicitly export from where it was generated, the key to a file you need to use that like:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
this will create secret key in a file ONLY, unlike if you use keyname in the export call then it will contain more than that.
Then to import use:
gpg --import E7E43C5C844E2917
then check your key in the list updated. Add trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt just like -o is the same as --output
You can try this command:
gpg --output File.txt --batch--passphrase-fd YourPassword --decrypt file.pgp

Signing and Encrypting file via GnuPG encryption

I'm trying to sign and encrypt a text file via GnuPG encryption from a command line, but I'm getting the following error:
sign+encrypt failed: No secret key
I know very little about GnuPG. Our client gave me two OpenPGP keys with .asc file extensions. He said file 1 is to sign the file and file 2 is to encrypt it.
File1.asc (to sign the file) looked something like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP 7.0.1
(key code here)
-----END PGP PRIVATE KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 7.0.1
(key code here)
-----END PGP PUBLIC KEY BLOCK-----
File2.asc (to encrypt) looked like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
(key code here)
-----END PGP PUBLIC KEY BLOCK-----
I then tried running GnuPG via command line with something like the following:
gpg -r [file ame of encryption key] -s -u [password client gave for signing] -o DirectoryWhereToOutputFile\sample.pgp -e DirectoryOfSampleFile\SampleFile
What do I need to change to get this to successfully sign and encrypt a file?
GnuPG does not use keys as files, you have to import them before and use their key IDs.
gpg --import [private-key]
gpg --import [public-key]
Then, use the key ID of the public key (the one to encrypt for):
gpg -r [key-id] -s -o [output-file] -e [input-file]
If you don't know the IDs, use gpg --list-keys to obtain a list of all known keys. gpg --list-secret-keys will only show those you have the private key for, thus the one you can use for signing.
In GnuPG, we generate keypair gpg --gen-key
Encrypt using shared/imported public key - gpg --recipient bob --encrypt filename
Decrypt using private key - gpg --decrypt sharedMessage.asc
Refer https://linux.101hacks.com/unix/gpg-command-examples/

How do you test a public/private DSA keypair? [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 months ago.
The community reviewed whether to reopen this question 6 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
Is there an easy way to verify that a given private key matches a given public key? I have a few *.puband a few *.key files, and I need to check which go with which.
Again, these are pub/key files, DSA.
I would really prefer a one-liner of some sort...
I found a way that seems to work better for me:
ssh-keygen -y -f <private key file>
That command will output the public key for the given private key, so then just compare the output to each *.pub file.
I always compare an MD5 hash of the modulus using these commands:
Certificate: openssl x509 -noout -modulus -in server.crt | openssl md5
Private Key: openssl rsa -noout -modulus -in server.key | openssl md5
CSR: openssl req -noout -modulus -in server.csr | openssl md5
If the hashes match, then those two files go together.
For DSA keys, use
openssl dsa -pubin -in dsa.pub -modulus -noout
to print the public keys, then
openssl dsa -in dsa.key -modulus -noout
to display the public keys corresponding to a private key, then compare them.
Assuming you have the public keys inside X.509 certificates, and assuming they are RSA keys, then for each public key, do
openssl x509 -in certfile -modulus -noout
For each private key, do
openssl rsa -in keyfile -modulus -noout
Then match the keys by modulus.
The check can be made easier with diff:
diff <(ssh-keygen -y -f $private_key_file) $public_key_file
The only odd thing is that diff says nothing if the files are the same, so you'll only be told if the public and private don't match.
Enter the following command to check if a private key and public key are a matched set (identical) or not a matched set (differ) in $USER/.ssh directory. The cut command prevents the comment at the end of the line in the public key from being compared, allowing only the key to be compared.
ssh-keygen -y -f ~/.ssh/id_rsa | diff -s - <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)
Output will look like either one of these lines.
Files - and /dev/fd/63 are identical
Files - and /dev/fd/63 differ
I wrote a shell script that users use to check file permission of their ~/.ssh/files and matched key set. It solves my challenges with user incidents setting up ssh. It may help you. https://github.com/BradleyA/docker-security-infrastructure/tree/master/ssh
Note: My previous answer (in Mar 2018) no longer works with the latest releases of openssh. Previous answer: diff -qs <(ssh-keygen -yf ~/.ssh/id_rsa) <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)
Delete the public keys and generate new ones from the private keys. Keep them in separate directories, or use a naming convention to keep them straight.
If you are in Windows and want use a GUI, with puttygen you can import your private key into it:
Once imported, you can save its public key and compare it to yours.
The easiest is to compare fingerprints as the public and private keys have the same. Visual comparison is pretty easy by putting the two commands on same line:
ssh-keygen -l -f PRIVATE_KEY; ssh-keygen -l -f PUBLIC_KEY
Programmatically, you'll want to ignore the comment portion so
diff -s <(ssh-keygen -l -f PRIVATE_KEY | cut -d' ' -f2) <(ssh-keygen -l -f PUBLIC_KEY | cut -d' ' -f2)
A simple script to check matching of the keys with 3 options:
#!/bin/bash
PRKEY=mysshkey
PUKEY=mysshkey.pub
echo "1. OUTPUT"
diff <( ssh-keygen -y -e -f "${PRKEY}" ) <( ssh-keygen -y -e -f "${PUKEY}")
echo -e "\n"
echo "2. OUTPUT"
diff <( cut -d' ' -f 2 ${PUKEY} ) <( ssh-keygen -y -f "${PRKEY}" | cut -d' ' -f 2)
echo -e "\n"
echo "3. OUTPUT"
DIFF=$(diff <( cut -d' ' -f 2 ${PUKEY} ) <( ssh-keygen -y -f "${PRKEY}" | cut -d' ' -f 2) )
if [ "$DIFF" != "" ]; then
echo "ERROR KEY"
else
echo "TRUE KEY"
fi
If they keys not match you will get an output for output 1 and 2.
If they keys match you get no output.
Output 3 show's a message if keys fit or not.
Encrypt something with the public key, and see which private key decrypts it.
This Code Project article by none other than Jeff Atwood implements a simplified wrapper around the .NET cryptography classes. Assuming these keys were created for use with RSA, use the asymmetric class with your public key to encrypt, and the same with your private key to decrypt.
If it returns nothing, then they match:
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
ssh -i $HOME/.ssh/id_rsa localhost
This answer should contain a warning:
https://stackoverflow.com/a/67423640/1312559
WARNING! If the public and private key are in the same directory, the fingerprint is calculated for the public key even though the private key is given as a parameter.
-l' Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint.
Unfortunately I don't have the reputation to comment.
Just use puttygen and load your private key into it. It offers different options, e.g. exporting the corresponding public key.

Resources