289

I generated an OpenSSH private key using PuTTYgen (and exported it in OpenSSH format).

How can I put a password on this existing key (I know how to generate a new key with a password)?

Eddie C.
Conrad
  • 15
    If you see this comment, please mark one of the answers as accepted or write a comment saying what they missed. Thanks! – Benjamin Atkin Nov 18 '11 at 22:26
  • 1
    Add is the same as change or remove: http://stackoverflow.com/questions/112396/how-do-i-remove-the-passphrase-for-the-ssh-key-without-having-to-create-a-new-ke , possible same for change: http://serverfault.com/questions/50775/how-do-i-change-my-private-key-passphrase – Ciro Santilli OurBigBook.com Apr 02 '15 at 08:04
  • If you get ***`Bad passphrase`*** on an `id_ed25519` key but the password is correct, then you are probably using a down-level `ssh-keygen` to manage it. – jww Aug 27 '15 at 22:07

4 Answers

481

Try the following command:

ssh-keygen -p -f keyfile

From the ssh-keygen man page

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.

 -f filename
         Specifies the filename of the key file.

Example:

ssh-keygen -p -f ~/.ssh/id_rsa
Eddie C.
sigjuice
  • 10
    For those wanting to know what -f is: It specifies the input file. – Neikos Dec 11 '15 at 10:49
  • 4
    // , @sigjuice, would you please post an example, like `$ ssh-keygen -p -f /Users/sigjuice/.ssh/id_rsa`? This might help people who don't know how to tell the difference between a public and a private key, and help them get their feet wet faster. – Nathan Basanese Jul 06 '16 at 18:48
  • For some reason, on MacOS 10.14, this does not format the file with the `Proc-Type: 4,ENCRYPTED` header, which is incompatible with some applications checking for a passphrase. After trying several ways to get it to work, the easiest way to workaround it was just do this same thing inside a Docker container running Ubuntu and then copying the key back to my Mac. – ryanbrainard Jan 18 '19 at 03:44
  • 2
    I can still read my ssh private keys in clear text without entering any password, so I guess the above command is not enough!? (I don't want hackers to be able to read my private keys without knowing an extra password) – mcExchange May 31 '21 at 13:40
  • @mcExchange : if you did it correctly, the file should now have, under the "-----BEGIN RSA PRIVATE KEY-----" line, 2 lines indicating the passphrase type and the (encrypted) passphrase, then a blank line, and then the (ENCRYPTED) private key. The latter is unusable unless someone successfully decrypts it by knowing the passphrase, i.e. 1) you need to enter the passphrase when asked, and only then can 2) the private key be used. (With NO passphrase (e.g. you pressed Return twice when prompted), there is only the UNENCRYPTED private key (without the first 3 lines), and it *IS* usable directly.) – Olivier Dulac Mar 17 '22 at 10:16
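The comments above touch on two things worth checking rather than guessing: whether the key file is really encrypted after `ssh-keygen -p`, and why newer ssh-keygen output has no `Proc-Type` header (it writes the native `openssh-key-v1` format, where the cipher name sits inside the base64 blob instead of in a PEM header). The following is an added example, not code from any answer here: it parses both formats and reports the cipher in use. The key samples are constructed headers, not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, offset):
    # One SSH wire 'string': big-endian uint32 length, then that many bytes.
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n

def key_encryption(text):
    # Returns (format, cipher); cipher == "none" means the key is stored in the clear.
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armored private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Native format (modern ssh-keygen): no Proc-Type header; cipher name follows the magic.
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "openssh-key-v1", cipher.decode()
    # Classic PEM (e.g. openssl rsa -aes256 output): RFC 1421 headers before the base64 body.
    headers = {}
    for ln in body:
        if ":" not in ln:
            break
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        return "pem", headers.get("DEK-Info", "unknown").split(",")[0]
    return "pem", "none"

# Constructed samples (not real keys): only the parts the parser reads are meaningful.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def openssh_sample(cipher, kdf):
    # Header only: magic, ciphername, kdfname, empty kdfoptions, key count = 1.
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nTUlJQ1hBSUJBQUtCZ1FD\n-----END RSA PRIVATE KEY-----\n"
PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nTUlJQ1hBSUJBQUtCZ1FD\n"
           "-----END RSA PRIVATE KEY-----\n")
```

To check a real file, call `key_encryption(open("~/.ssh/id_rsa").read())` with the path expanded; a result whose cipher is `none` means the passphrase was never applied.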
45

Use the -p option to ssh-keygen. This allows you to change the password rather than generate a new key.

Change the password as sigjuice shows:

ssh-keygen -p -f ~/.ssh/id_rsa

The required password will be the new password. (This assumes you have added the public key ~/.ssh/id_rsa.pub to your authorized_keys file.) Test with ssh:

ssh -i ~/.ssh/id_rsa localhost

You can have multiple keys with different names for different uses.

gustafbstrom
BillThor
  • // , Would you please show an example, and how to check that the option has worked, @BillThor? – Nathan Basanese Jul 06 '16 at 18:49
  • I do not understand. The passphrase is set, I see when I try to change it again. But when I try to login to remote server it doesn't ask for this passphrase password, why? – Luka May 07 '18 at 16:51
  • 2
    It's fine. It asks once per session :) Didn't know that. – Luka May 07 '18 at 17:02
  • Does this mean you have to log out and in again? Closing the terminal window and re-opening it does not work for me. – Simon Hessner Jun 06 '18 at 21:50
  • 1
    You can type `ssh-add -D` to remove your cached identity. Then, try connecting again and it will ask you for your password. Use `ssh-add -l` to see a list of your cached identities. – Scott Nedderman Mar 26 '19 at 20:12
11

You can also use openssl:

openssl rsa -aes256 -in ~/.ssh/your_key -out ~/.ssh/your_key.enc
mv ~/.ssh/your_key.enc ~/.ssh/your_key
chmod 600 ~/.ssh/your_key

see: https://security.stackexchange.com/a/59164/194668

sharez
-1

Because you've mentioned "PuTTYgen" and maybe you're using Windows, I'll direct you to the documentation for "PuTTYgen".

Go here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-conversions] for "importing" and "exporting" an SSH private key. These are different from using "Load" and "Save", as those options are for loading and saving a PuTTY-specific key file.

And here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-passphrase] for changing the passphrase. Same thing you'd do when creating a passphrase for a new private key.

So the steps are: "import" the SSH key (you don't get asked for a passphrase because you didn't create one), then change (set) the passphrase and confirm, then "export" back out to the original private key file.

Hope that helps anyone else wanting to use "PuTTYgen" instead of "ssh-keygen".

ConceptRat