[openssl-users] Password protect EC private key

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 10 18:27:47 UTC 2017


On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:

> openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
> 
> But openssl ecparam does not have any option equivalent (that I can find) to -aes256

Yes, this command does not currently support key encryption.

> What am I missing?

The command that does is:

   $ openssl genpkey -aes256 -algorithm ec \
        -pkeyopt ec_paramgen_curve:secp256k1 \
        -pkeyopt ec_param_enc:named_curve \
        -out private/ca.key.pem

Are you sure you want secp256k1?  By far the more common choice is
prime256r1 (aka P-256 or secp256r1).

> openssl ecparam -in private/ca.key.pem -text -noout

EC keys are read with "openssl ec" not "openssl ecparam".

-- 
	Viktor.
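
Added example, not part of the original message: a bash sketch that contrasts the unencrypted "openssl ecparam -genkey" output with the "openssl genpkey -aes256" command above, then checks that the PEM on disk is really encrypted and that only the right passphrase opens it with "openssl ec". The function names and the passphrase-file argument are assumptions made for the illustration; pass any curve name your OpenSSL build accepts, such as secp256k1 or prime256v1 (OpenSSL's name for P-256).

```shell
#!/usr/bin/env bash
# Added example; function names and arguments are hypothetical.
umask 077   # key and passphrase files readable by the owner only

# Unencrypted key, as produced by the ecparam command in the question.
# $1 = output file, $2 = curve name
gen_plain_ec_key() {
    openssl ecparam -name "$2" -genkey -noout -out "$1"
}

# Passphrase-protected key, as produced by the genpkey command in the reply.
# $1 = output file, $2 = curve name, $3 = file whose first line is the passphrase
gen_encrypted_ec_key() {
    openssl genpkey -aes256 -algorithm ec \
        -pkeyopt ec_paramgen_curve:"$2" \
        -pkeyopt ec_param_enc:named_curve \
        -pass file:"$3" -out "$1"
}

# Succeeds only if the PEM file is encrypted: either a PKCS#8
# "ENCRYPTED PRIVATE KEY" block or a traditional block with a Proc-Type header.
is_encrypted_pem() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds only if "openssl ec" can load the key using the passphrase in file $2.
# -passin file: never prompts, so a wrong passphrase is a plain failure.
key_opens_with() {
    openssl ec -in "$1" -passin file:"$2" -noout >/dev/null 2>&1
}
```

After gen_encrypted_ec_key, run is_encrypted_pem on the output before the key leaves the machine; a CA key that fails that check is stored in the clear.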

