Goal of this article is to describe the process behind changing the passphrase used to generate ssh key pair (private and public) due to security policies or other scenarios where…

Goal of this article is to describe the process behind changing the passphrase used to generate ssh key pair (private and public) due to security policies or other scenarios where passphrase tends to be a liability in strictly security sense of the word.

When ssh key is generated and passphrase selected, as a part of ssh key generating process, private key is being encrypted (at the time of writing this post default encryption algorithm is AES128) and header is being added to the top of the file content. Generating this key would look like:

Password used in this process was thisistestpassword. Let us look into the content of newly generated private key:

In the header of this file you can find Proc-Type information and DEK-INFO which is needed for this key to be decrypted. It shows encryption algorithm used (in this case AES128), in which chaining mode (in this case it was CBC) and first/initializing vector for chaining mode (0C889803ACE1A2875533D8056A40AD19).

When connecting to desired server via ssh you would simply call ssh user@server -i /path/to/private_key and then put in the passphrase used while generating the key pair (in my case it was “thisistestpassword”) and if remote connections are allowed AND key file permissions are properly set (note that for security reasons you would need to set the permissions on key file(s) to 400 or r– — —) you would connect to it.

Pretty simple? Ok, so this is all perfect until the point where you end up not logging onto this server for some time and passphrase used has gone away and got forgotten. Then you could either generate a new key and ask system administrators to replace your key with new one, which can be a long process through approval chain or you could simply change the encryption passphrase. Step by step process would go something like:

Password for decryption was the old one “thisistestpassword”. Decrypted key would look like this:

Now to encrypt it with new password “thisisnewpassphrase” we would do something like:

And newly encrypted private key now looks like:

Needless to say “thisisnewpassphrase” would be new passphrase ot be used when connecting to same server from this point on. I have taken the longer way to change the password so I can explain some of the steps but, (don’t kill me now lol) we could have done this much faster:

In above steps I’ve been asked to provide original passphrase (thisistestpassword) and then the new one (thisisnewpassphrase) which resulted in creation of new key pair where private key is encrypted with new passphrase.