
I created an ssh key with the command ssh-keygen -t rsa -b 4096 -C "myname@myemail.com".

I put a passphrase.

It created two files: id_rsa and id_rsa.pub.

I am surprised because, when I do less id_rsa , I can read the key without there being a request for my passphrase. There is no word "encrypted" in the text.

I thought it was possible because the passphrase was not requested for me and only me but, if I copy the id_rsa file in the /home of another user, the result is the same: this user can see the key and the word "encrypted" does not appear.

I should mention that I had to grant read permissions with chmod, but I don't understand: why is the passphrase not requested?

Thank you very much!

Beretta
    *"... There is no word "encrypted" in the text...."* - strange. If I use this command and enter a passphrase when generating the key then the beginning of the key file looks like this `-----BEGIN RSA PRIVATE KEY-----\n Proc-Type: 4,ENCRYPTED`, i.e. there is a clear sign that the key is encrypted. Of course it will ask for the passphrase only when the key needs to be used and not when viewing the encrypted key with `less` since the key is encrypted and not the key file. – Steffen Ullrich Nov 29 '19 at 16:47
  • Yes it seemed to me that it should be written ```Proc-Type: 4,ENCRYPTED```, that's what I read on different websites and that's what seems odd to me... If you can read the key with ```less``` then security seems reduced, no? – Beretta Nov 29 '19 at 18:32
    You are confused by the difference between the 'old' formats formerly used by **OpenSSH and its 'new' format**; most websites (including some Stack Qs) haven't been updated. See https://security.stackexchange.com/questions/200935/how-do-i-determine-if-an-existing-ssh-private-key-is-secure which by coincidence I was just prompted to improve yesterday – dave_thompson_085 Nov 30 '19 at 04:51

1 Answer


You don't need the passphrase to read the file, just to use it. If you created it with a passphrase then it is encrypted. However, the difference between a private key and an encrypted private key is invisible to the naked eye - both are effectively random bytes/strings.

As a result, you can't necessarily tell that it is encrypted just by looking at the file. You can't use it without the password though, which is the important part.

With older file formats, the presence of a key was visible as you say. The new OpenSSH encrypted private key format does not indicate in a human-readable way whether or not there is a passphrase. Therefore, the easiest way to verify if the file has a passphrase or not is by trying to actually do something with it. As a simple test just run:

```bash
ssh-keygen -yf /path/to/private/key
```

If it asks you for a passphrase then the private key has one. If it doesn't then there is no passphrase.

Riking
Conor Mancone
  • Thank you Conor. I read on different websites that it must be written ```Proc-Type: 4,ENCRYPTED``` with a passphrase and I don't understand why it's just ```BEGIN OPENSSH PRIVATE KEY```. I understand what you say about the fact that we can not see if the file is encrypted or not because they are random data. That's why, for me, the word "encrypted" is important... Is it because it's openssh? – Beretta Nov 29 '19 at 18:39
  • @Beretta see my update – Conor Mancone Nov 29 '19 at 19:08
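The `ssh-keygen -yf` test above is the authoritative check. For readers who want to see why the new format carries no `Proc-Type: 4,ENCRYPTED` line and yet does record whether a passphrase was set, the following is an added example (not code from the question or the answer). It parses the plaintext header of an `-----BEGIN OPENSSH PRIVATE KEY-----` file as documented in `PROTOCOL.key` in the OpenSSH source: after the magic `openssh-key-v1\0` come the cipher name, the KDF name, the KDF options and the public keys, all unencrypted; only the private section that follows is encrypted. A cipher name of `none` means no passphrase. The same function also recognises the legacy PEM `Proc-Type` header. The sample key files it checks are constructed inside the block (valid headers with a dummy private section, so they are not usable keys); the function and variable names are this example's own.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, offset: int):
    """Read one SSH 'string': uint32 big-endian length followed by the bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def parse_openssh_header(key_text: str) -> dict:
    """Decode the unencrypted header of an 'openssh-key-v1' private key file.

    Layout (PROTOCOL.key): magic | string ciphername | string kdfname
    | string kdfoptions | uint32 nkeys | string publickey[nkeys] | private part.
    The private part is not touched, so no passphrase is needed here.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad magic, not openssh-key-v1")
    off = len(OPENSSH_MAGIC)
    ciphername, off = _read_string(blob, off)
    kdfname, off = _read_string(blob, off)
    _kdfoptions, off = _read_string(blob, off)  # salt + rounds when bcrypt
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    pubkeys = []
    for _ in range(nkeys):
        pk, off = _read_string(blob, off)
        pubkeys.append(pk)
    return {"cipher": ciphername.decode(), "kdf": kdfname.decode(),
            "nkeys": nkeys, "pubkeys": pubkeys}


def key_has_passphrase(key_text: str) -> bool:
    """True if the private key file is encrypted, for either on-disk format."""
    if key_text.lstrip().startswith(OPENSSH_BEGIN):
        # New format: encryption is recorded as a non-"none" cipher name.
        return parse_openssh_header(key_text)["cipher"] != "none"
    # Legacy PEM ("-----BEGIN RSA PRIVATE KEY-----"): announced by a header line.
    return any(ln.strip().startswith("Proc-Type: 4,ENCRYPTED")
               for ln in key_text.splitlines())


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_sample_key(encrypted: bool) -> str:
    """CONSTRUCTED sample: a well-formed openssh-key-v1 header over a dummy
    private section. It demonstrates the parser; it is not a usable key."""
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"          # ssh-keygen defaults
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    else:
        cipher, kdf, kdfoptions = b"none", b"none", b""
    pubkey = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(pubkey) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


# CONSTRUCTED legacy-format sample; the body is a placeholder, only the
# header matters for the check.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, text in (("new format, passphrase", make_sample_key(True)),
                        ("new format, no passphrase", make_sample_key(False)),
                        ("legacy PEM, passphrase", LEGACY_ENCRYPTED)):
        print(f"{label}: encrypted={key_has_passphrase(text)}")
    print(parse_openssh_header(make_sample_key(True)))
```

Run it against a real file with `parse_openssh_header(open("~/.ssh/id_rsa").read())` (expand the path first): a key generated by a recent `ssh-keygen` with a passphrase reports `cipher` `aes256-ctr` and `kdf` `bcrypt`, one generated without reports `none` for both, and the public key is readable either way. That is exactly why `less` shows no passphrase prompt: the file is readable by anyone with filesystem access, and the passphrase only gates the private section. Keep the file mode at 0600 regardless, since a passphrase can be brute-forced offline once the file is copied.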