Encrypt, the hard way - a caveat

TL;DR

One thing to look out for when using Encrypt, the hard way.

In post Encrypt, the hard way we saw that it’s possible to use OpenSSH RSA keys from OpenSSL to implement a working encryption and decryption chain. Might be fun.

It’s anyway possible to hit the following error while decrypting via the asymmetric algorithm:

# Get the symmetric encryption key back first, using the private
# SSH RSA key
$ openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa \
    -in random-key-stuff.enc -out random-key-stuff.dec

... yadda yadda yadda...:Expecting: ANY PRIVATE KEY

Well, ~/.ssh/id_rsa is a RSA PRIVATE KEY:

-----BEGIN OPENSSH PRIVATE KEY-----
...

What gives?

It turns out that the format with which the key was saved is not useable by OpenSSL (well, my version of OpenSSL at least) and I have to save it in a slightly different format to make it acceptable.

So thanks to this answer:

# let's work in the SSH directory for my user
$ cd ~/.ssh

# let's also remain on the safe side, just in case...
$ cp id_rsa id_rsa.save

# we're passphrase-protecting our keys, right? RIGHT?!?
$ ssh-keygen -p -f id_rsa -m PEM

At this point we’re asked for the old passphrase (to decrypt the current contents of id_rsa into a useable private key) and a new passphrase twice, to re-encrypt the private key with it. We end up with a file that starts differently:

$ head id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-...
...

Now this key can make my OpenSSL happy and willing to work properly… thanks!

Stay safe everyone!


Comments? Octodon, Twitter, GitHub, Reddit, or drop me a line!