
RSA Key Generation & encrypted output using OpenSSL


When is it generally acceptable, if ever, to generate RSA keys without encrypting the PEM output with another encryption algorithm?

I am working on a CI/CD process and want to leverage asymmetric encryption, but not entirely sure whether or not it is safe to generate the RSA keys without encrypting the output. At the moment I am generating the private key and extracting the public key using the following:

openssl genrsa -out key.pem 4096
openssl rsa -in key.pem -outform PEM -pubout -out public.pem

I then store the content of key.pem in a secure place within the platform I am working in and subsequently securely delete key.pem from my machine. Is this generally acceptable, or should I be generating the keys using something like the following and dealing with the passphrase?

openssl genrsa -aes256 -out key.pem -passout pass:some_passphrase 4096
fgrieu: This seems to be a question of key management policy (rather than cryptography), and more suitable for [security-SE](https://security.stackexchange.com). Do you want me to migrate the question there? Please check first if they already have something similar, perhaps tagged [key-management](https://security.stackexchange.com/questions/tagged/key-management) or [corporate-policy](https://security.stackexchange.com/questions/tagged/corporate-policy).
Johnny Bass: @fgrieu thank you so much for the reply. Looks like I found two similar posts that basically answer my questions on [security.se], and in my case, if the key was compromised, the password would probably be compromised as well, so I think it is not entirely necessary in my particular scenario.
fgrieu: If the question is no longer needed, it's best to close or delete it. Otherwise it could get downvoted (as a countermeasure against it popping up periodically).
Maarten Bodewes: @JohnnyBass Simply said, encryption of the private key is necessary if you think that an attacker can access the private key data. You'd have to encrypt it by a key or password that is harder to access by an attacker (that has access to said private key data) for it to be more secure. If you can create a private key in a hardware device (HSM, smart card, TPM etc.) or OS-backed key store, then that should definitely be considered over encryption "in software".