How to encrypt/decrypt a private key

Encrypt a private key on MacOS or Linux

1. Check if Your Key Is Already Encrypted

Private keys are usually stored in ~/.ssh/. To check:

cat ~/.ssh/id_rsa

• If you see ENCRYPTED in the header (like -----BEGIN OPENSSH PRIVATE KEY----- with ENCRYPTED noted), then it’s already passphrase-protected.

• If not, you can encrypt it.

2. Encrypt or Change the Passphrase

ssh-keygen -p -f ~/.ssh/id_rsa

• -p → prompts you to change the passphrase.

• -f → specifies the key file.

You’ll be asked for:

1. The old passphrase (press Enter if none exists).

2. A new passphrase (twice, for confirmation).

This adds strong encryption to your private key file.

Now your private key is safely encrypted with a passphrase.

Decrypt a private key in MacOS or Linux

Decrypting a RSA private key can be done using a single command

You will be prompted for the current passphrase. Do not pass the old passphrase on the command line (it would be visible in process lists).