# How to encrypt/decrypt a private key

## Encrypt a private key on macOS or Linux

#### **1. Check if Your Key Is Already Encrypted**

Private keys are usually stored in `~/.ssh/`. To check:

```bash
cat ~/.ssh/id_rsa
```

* If you see `ENCRYPTED` in the header (like `-----BEGIN OPENSSH PRIVATE KEY-----` with `ENCRYPTED` noted), then it’s already passphrase-protected.
* If not, you can encrypt it.
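
OpenSSH-format files (`-----BEGIN OPENSSH PRIVATE KEY-----`) record the cipher inside the base64 body, so the word `ENCRYPTED` may not be visible in the text even when a passphrase is set. The script below is an added example, not part of the original page: it performs the step 1 check by reading that cipher field (plus the legacy PEM and PKCS#8 markers) without printing key material. The function name `key_is_encrypted` is an assumption made for this example.

```shell
#!/bin/sh
# Added example: report whether a private key file is passphrase-protected.
# key_is_encrypted FILE -> 0 = encrypted, 1 = not encrypted, 2 = unrecognised
key_is_encrypted() {
    key=$1
    first=$(head -n 1 "$key" 2>/dev/null | tr -d '\r')
    case $first in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            return 0 ;;   # PKCS#8 encrypted container
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Decoded body: "openssh-key-v1\0" (15 bytes), a 4-byte length,
            # then the cipher name. A cipher of "none" means no passphrase.
            cipher=$(grep -v '^-----' "$key" | tr -d '\r\n' \
                     | base64 -d 2>/dev/null \
                     | dd bs=1 skip=19 count=4 2>/dev/null)
            [ -n "$cipher" ] || return 2
            [ "$cipher" = "none" ] && return 1
            return 0 ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM (RSA/EC/DSA) or plain PKCS#8: encrypted files
            # carry a "Proc-Type: 4,ENCRYPTED" header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
                return 0
            fi
            return 1 ;;
    esac
    return 2
}

# Usage: sh check-key.sh ~/.ssh/id_rsa ~/.ssh/id_ed25519
for k in "$@"; do
    key_is_encrypted "$k"
    case $? in
        0) echo "$k: passphrase-protected" ;;
        1) echo "$k: NOT encrypted" ;;
        *) echo "$k: not a recognised private key" ;;
    esac
done
```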

***

#### **2. Encrypt or Change the Passphrase**

```bash
ssh-keygen -p -f ~/.ssh/id_rsa
```

* `-p` → prompts you to change the passphrase.
* `-f` → specifies the key file.

You’ll be asked for:

1. The old passphrase (press **Enter** if none exists).
2. A new passphrase (twice, for confirmation).

This adds strong encryption to your private key file.

***

Now your private key is safely encrypted with a passphrase.

## Decrypt a private key on macOS or Linux

You can decrypt an RSA private key (remove its passphrase) with a single command:

```bash
ssh-keygen -p -f ~/.ssh/id_rsa -N ""
```

You will be prompted for the current passphrase. Do not pass the old passphrase on the command line (it would be visible in process lists).

