Decrypt a private key OpenSSL

1. Overview

Decrypting a private key with OpenSSL converts an encrypted private key file (usually in PEM format) into an unencrypted file in which the key is readable without a passphrase. This operation is sensitive, so it is important to handle the private key securely.

Let’s explore the step-by-step guide on how to decrypt a private key with OpenSSL.

2. OpenSSL

2.1. Prerequisite:

To begin with, you must have the OpenSSL executable on your machine. If you already have Git installed, look for the openssl.exe that ships with it (Git\usr\bin\openssl.exe). You need the following:

  1. OpenSSL installed on your system.
  2. The encrypted private key file (usually in PEM format).
  3. The passphrase used to encrypt the private key.

The encrypted private key file has the following header and footer lines:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

3. Decrypt a private key using OpenSSL

You can use the following OpenSSL command to decrypt an RSA private key. See section 4 for decrypting an ECC / EC private key. Replace encrypted_key.pem with the path to your encrypted private key file and decrypted_key.pem with the path where you want to save the decrypted key.

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

  • -in encrypted_key.pem specifies the input file (your encrypted private key).
  • -out decrypted_key.pem specifies the output file (where you want to save the decrypted key).

When prompted, enter the passphrase used to encrypt the private key.

openssl rsa -in encrypted_key.pem -out decrypted_key.pem
> changeit

If the above command seems to be stuck or does not respond as expected, there are several possible causes and solutions. As a first step, specify the passphrase directly in the command using the -passin option (see section 3.1 below). If that does not work, here’s the article on the troubleshooting steps.

3.1. Additional options for decrypting a private key

Specify Passphrase Directly (Not Recommended for Security Reasons): You can use the command option -passin pass:<passphrase> to specify the passphrase directly in the command.

openssl rsa -in <encrypted_key.pem> -out <decrypted_key.pem> -passin pass:<your pass phrase>

For automation or scripting, avoid specifying the passphrase directly. Because it can expose sensitive information, we advise against using the above method of putting the passphrase directly in a script.

The file specified in -out (e.g., decrypted_key.pem) will contain the decrypted private key. Make sure to store it securely.

Use Passphrase from a File: If you prefer to store the passphrase in a file for automated scripts, you can do so by using the command option -passin with the file: prefix followed by the filename:

openssl rsa -in encrypted_key.pem -out decrypted_key.pem -passin file:passphrase.txt

Save the passphrase in a file, e.g., passphrase.txt.
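
The passphrase-file approach above, wrapped in a script. This is an added example, not code from the original article: the helper name decrypt_key and its return codes are assumptions. It refuses a passphrase file that group or others can access, writes the decrypted key under umask 077, and checks the result with openssl rsa -check.

```shell
#!/bin/sh
# Added example (not from the original article).
# Hypothetical helper:
#   decrypt_key <encrypted.pem> <decrypted.pem> <passphrase-file>
decrypt_key() {
    enc=$1 out=$2 passfile=$3

    # Refuse a passphrase file that group or others can access.
    # Columns 5-10 of `ls -l` are the group/other permission bits.
    perms=$(ls -ld -- "$passfile" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing: $passfile is missing or accessible to group/other" >&2
        return 2
    fi

    # Never reuse an existing file: its old permissions would be kept.
    if [ -e "$out" ]; then
        echo "refusing: $out already exists" >&2
        return 5
    fi

    # Decrypt with the passphrase read from the file, not from argv.
    # The subshell keeps the umask change away from the caller.
    (
        umask 077
        openssl rsa -in "$enc" -out "$out" -passin "file:$passfile" 2>/dev/null
    ) || { rm -f -- "$out"; echo "decryption failed" >&2; return 3; }

    # Confirm the output is a consistent RSA key that opens without a
    # passphrase ("pass:" is an empty passphrase, so this never prompts).
    openssl rsa -in "$out" -check -noout -passin pass: >/dev/null 2>&1 ||
        { rm -f -- "$out"; echo "output key failed the check" >&2; return 4; }
}

# Run directly: sh decrypt_key.sh encrypted_key.pem decrypted_key.pem passphrase.txt
if [ "$#" -eq 3 ]; then
    decrypt_key "$@"
fi
```

Create passphrase.txt with owner-only permissions (chmod 600) before calling the helper, and delete the decrypted key once it is no longer needed.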

You can view details of your private key with:

openssl rsa -in decrypted_key.pem -text -noout

4. Decrypt an EC private key

The OpenSSL ec command processes EC keys and uses the private key format specified in 'Elliptic Curve Cryptography'.

openssl ec -in <encrypted_key.pem> -out <decrypted_key.pem> -passin pass:<your pass phrase>
read EC key
Writing EC key

The decrypted PEM private key has the following header and footer lines:

-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----

To convert an OpenSSL EC private key into the PKCS#8 private key format, use the pkcs8 command.

5. Conclusion

This should cover the basics of decrypting a private key with OpenSSL. To learn more about SSL topics, please refer to these articles.
