On Tue, Mar 11, 2008 at 12:19:13AM -0700, Larry Bugbee wrote:

> It seems if you use 'openssl ecparam -genkey' to create a key pair,  
> you cannot secure the PEM file output.  You have to follow with a  
> second command 'openssl ec' to encrypt the private key with  
> AES.  ...but the first command has already written the key to disk.
> 

Use a pipe.

    $ umask 077
    $ openssl ecparam -name prime256v1 -genkey |
        openssl ec -aes128 -out EC-newkey.pem
    $ cat EC-newkey.pem
    -----BEGIN EC PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,E71185443CBA7133BC05C2E5417BB345

    B8AkGgEA8cmSCx6QSMpoRdDUbxndVjvbXMTwo1m8k4N0aH+VqMG6MiDy4Si0TNKg
    fOeWwq2HPsuv8Yw1nQq/BpLRBPpj7bLB7l95snlHsU/H8UzqjRV5Re09esGTwX6L
    M8PPm/qYhQFOwhchwF5YGN0BDKqTGfR7kNWyr+VXDW0=
    -----END EC PRIVATE KEY-----

The pass-phrase is "foobar" if you want to look at this throw-away key.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to