298

I generated an OpenSSH private key using PuTTYgen (and exported it in OpenSSH format).

How can I put a password on this existing key (I know how to generate a new key with a password)?

3

4 Answers

496

Try the following command:

ssh-keygen -p -f keyfile

From the ssh-keygen man page

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.

 -f filename
         Specifies the filename of the key file.

Example:

ssh-keygen -p -f ~/.ssh/id_rsa
5
  • 10
    For those wanting to know what -f is: It specifies the input file.
    – Neikos
    Commented Dec 11, 2015 at 10:49
  • 4
    // , @sigjuice, would you please post an example, like $ ssh-keygen -p -f /Users/sigjuice/.ssh/id_rsa? This might help people who don't know how to tell the difference between a public and a private key, and help them get their feet wet faster. Commented Jul 6, 2016 at 18:48
  • For some reason, on MacOS 10.14, this does not format the file with the Proc-Type: 4,ENCRYPTED header, which is incompatible with some applications checking for a passphrase. After trying several ways to get it to work, the easiest way to work around it was to just do this same thing inside a Docker container running Ubuntu and then copy the key back to my Mac. Commented Jan 18, 2019 at 3:44
  • 2
    I can still read my ssh private keys in clear text without entering any password, so I guess the above command is not enough!? (I don't want hackers to be able to read my private keys without knowing an extra password)
    – mcExchange
    Commented May 31, 2021 at 13:40
  • @mcExchange: if you did it correctly, the file should now have, under the "-----BEGIN RSA PRIVATE KEY-----" line, 2 lines indicating the passphrase type and the (encrypted) passphrase, then a blank line, and then the (ENCRYPTED) private key. The latter is unusable unless someone successfully decrypted it by knowing the passphrase, i.e., 1) you need to enter the passphrase when asked, and only then can 2) the private key be used. (With NO passphrase (e.g., you pressed Return twice when prompted), there is only the UNENCRYPTED private key (without the first 3 lines), and it IS usable directly.) Commented Mar 17, 2022 at 10:16
46

Use the -p option to ssh-keygen. This allows you to change the password rather than generate a new key.

Change the password as sigjuice shows:

ssh-keygen -p -f ~/.ssh/id_rsa

The required password will be the new password. (This assumes you have added the public key ~/.ssh/id_rsa.pub to your authorized_keys files.) Test with ssh:

ssh -i ~/.ssh/id_rsa localhost

You can have multiple keys with different names for different uses.

5
  • // , Would you please show an example, and how to check that the option has worked, @BillThor? Commented Jul 6, 2016 at 18:49
  • I do not understand. The passphrase is set, I see when I try to change it again. But when I try to log in to the remote server it doesn't ask for this passphrase password, why?
    – Luka
    Commented May 7, 2018 at 16:51
  • 2
    It's fine. It asks once per session :) Didn't know that.
    – Luka
    Commented May 7, 2018 at 17:02
  • Does this mean you have to log out and in again? Closing the terminal window and re-opening it does not work for me. Commented Jun 6, 2018 at 21:50
  • 1
    You can type ssh-add -D to remove your cached identity. Then, try connecting again and it will ask you for your password. Use ssh-add -l to see a list of your cached identities. Commented Mar 26, 2019 at 20:12
11

You can also use openssl:

openssl rsa -aes256 -in ~/.ssh/your_key -out ~/.ssh/your_key.enc
mv ~/.ssh/your_key.enc ~/.ssh/your_key
chmod 600 ~/.ssh/your_key

See: https://security.stackexchange.com/a/59164/194668

3
  • 1
    I think I'll take the ssh-keygen way ;)
    – Michel
    Commented Jan 6, 2020 at 22:03
  • 1
    Thanks for providing an openssl alternative to do the task. Commented May 13, 2020 at 10:33
  • I'd prefer openssl. ssh-keygen did some weird stuff with the encoding which made the key unusable
    – Monish Sen
    Commented May 24, 2023 at 8:24
-1

Because you've mentioned "PuTTYgen" and maybe you're using Windows 😉, I'll direct you to the documentation for "PuTTYgen".

Go here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-conversions] for "importing" and "exporting" an SSH private key. These are different to using "Load" and "Save" as those options are for loading and saving a PuTTY-specific key file.

And here [https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#puttygen-passphrase] for changing the passphrase. Same thing you'd do when creating a passphrase for a new private key.

So the steps are: "import" the SSH key (you don't get asked for a passphrase because you didn't create one), then change (set) the passphrase and confirm, then "export" back out to the original private key file.

Hope that helps anyone else wanting to use "PuTTYgen" instead of "ssh-keygen".
