[openssl-users] Unable to generate privatekey with 128bit salt

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Oct 13 17:04:29 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of kishore
> Sent: Friday, October 13, 2017 07:05

>./openssl genrsa -out aes256sha12048.key -aes256 2048  -S E1F53135E559C253

Using what version of OpenSSL? Running on what platform? Please include basic, essential information in your question. Don't make us guess.

> but when try to load the key using BouncyCastle code, it throws 

> "Error salt must be at least 128 bits"

The version of the openssl utility (1.0.2j) I'm running doesn't list a -S parameter in its help output, and I don't see one in genrsa.c, but there is one in enc.c, so maybe the genrsa command supports it. Though when I tried your command line, the key I got was encrypted with a salt (IV, really) that didn't appear to be related in any way to the value given with -S.

In any case, though, the value you're passing for -S is only 64 bits. 64 is less than 128.

Have you tried omitting the -S option? You should get a key encrypted with an IV of the appropriate length (128 bits) for AES-CBC-256.

What does the PEM header - particularly the DEK-Info line - in the generated key file say?

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list