{"id":7624,"date":"2013-07-24T13:00:22","date_gmt":"2013-07-24T18:00:22","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=7624"},"modified":"2013-07-24T13:00:22","modified_gmt":"2013-07-24T18:00:22","slug":"improving-the-security-of-your-ssh-private-key-files","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2013\/07\/24\/improving-the-security-of-your-ssh-private-key-files\/","title":{"rendered":"Improving the Security of Your SSH Private Key Files"},"content":{"rendered":"<p><a href=\"http:\/\/martin.kleppmann.com\/2013\/05\/24\/improving-security-of-ssh-private-keys.html\">Martin Kleppmann<\/a> (via <a href=\"https:\/\/twitter.com\/mjdominus\/status\/357944451777298432\">Mark Jason Dominus<\/a>):<\/p>\n<blockquote cite=\"http:\/\/martin.kleppmann.com\/2013\/05\/24\/improving-security-of-ssh-private-keys.html\"><p>I don&rsquo;t know why <code>ssh-keygen<\/code> still generates keys in SSH&rsquo;s traditional format, even though a better format has been available for years. Compatibility with servers is not a concern, because the private key never leaves your machine. Fortunately it&rsquo;s easy enough to <a href=\"http:\/\/www.openssl.org\/docs\/apps\/pkcs8.html\">convert to PKCS#8<\/a>:<\/p>\n<pre>$ mv test_rsa_key test_rsa_key.old\n$ openssl pkcs8 -topk8 -v2 des3 \\\n    -in test_rsa_key.old -passin 'pass:super secret passphrase' \\\n    -out test_rsa_key -passout 'pass:super secret passphrase'<\/pre>\n<p>If you try using this new PKCS#8 file with an SSH client, you should find that it works exactly the same as the file generated by <code>ssh-keygen<\/code>.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Martin Kleppmann (via Mark Jason Dominus): I don&rsquo;t know why ssh-keygen still generates keys in SSH&rsquo;s traditional format, even though a better format has been available for years. Compatibility with servers is not a concern, because the private key never leaves your machine. 
Fortunately it&rsquo;s easy enough to convert to PKCS#8: $ mv test_rsa_key test_rsa_key.old [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[30,48,506],"class_list":["post-7624","post","type-post","status-publish","format-standard","hentry","category-technology","tag-mac","tag-security","tag-ssh"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=7624"}],"version-history":[{"count":0,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7624\/revisions"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=7624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=7624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=7624"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}