How to encrypt/decrypt a private key

Private keys can be encrypted with a password for additional security. Learn how to encrypt and decrypt a private key.

Encrypt a private key on macOS or Linux

1. Check if Your Key Is Already Encrypted

Private keys are usually stored in ~/.ssh/. To check:

cat ~/.ssh/id_rsa
  • If you see ENCRYPTED in the header (like -----BEGIN OPENSSH PRIVATE KEY----- with ENCRYPTED noted), then it’s already passphrase-protected.

  • If not, you can encrypt it.


2. Encrypt or Change the Passphrase

ssh-keygen -p -f ~/.ssh/id_rsa
  • -p → prompts you to change the passphrase.

  • -f → specifies the key file.

You’ll be asked for:

  1. The old passphrase (press Enter if none exists).

  2. A new passphrase (twice, for confirmation).

This adds strong encryption to your private key file.


Now your private key is safely encrypted with a passphrase.

Decrypt a private key on macOS or Linux

Decrypting an RSA private key (removing its passphrase) can be done with a single command:

ssh-keygen -p -f ~/.ssh/id_rsa -N ""

You will be prompted for the current passphrase. Do not pass the old passphrase on the command line (it would be visible in process lists).
