Re: ecparam keygen writes new key in the clear?
On Tue, Mar 11, 2008 at 12:19:13AM -0700, Larry Bugbee wrote:
> It seems if you use 'openssl ecparam -genkey' to create a key pair,
> you cannot secure the PEM file output. You have to follow with a
> second command 'openssl ec' to encrypt the private key with
> AES. ...but the first command has already written the key to disk.
Use a pipe.
$ umask 077
$ openssl ecparam -name prime256v1 -genkey |
    openssl ec -aes128 -out EC-newkey.pem
$ cat EC-newkey.pem
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E71185443CBA7133BC05C2E5417BB345
B8AkGgEA8cmSCx6QSMpoRdDUbxndVjvbXMTwo1m8k4N0aH+VqMG6MiDy4Si0TNKg
fOeWwq2HPsuv8Yw1nQq/BpLRBPpj7bLB7l95snlHsU/H8UzqjRV5Re09esGTwX6L
M8PPm/qYhQFOwhchwF5YGN0BDKqTGfR7kNWyr+VXDW0=
-----END EC PRIVATE KEY-----
The pass-phrase is "foobar" if you want to look at this throw-away key.
--
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
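
A check for the result of the pipe approach in the reply above, as an added example that is not part of the original thread: the hypothetical helper check_key_file reports whether a PEM file holds only passphrase-encrypted private keys and grants no access to group or others. It also covers the PKCS#8 "ENCRYPTED PRIVATE KEY" label, which goes beyond the traditional format shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. check_key_file is a hypothetical
# helper name. Exit status:
#   0  every private key in the file is passphrase-encrypted, owner-only access
#   1  at least one private key is stored in the clear
#   2  group or others have some permission on the file
#   3  file unreadable or contains no PEM private key
check_key_file() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 3; }

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: group/other permissions set ($perms)" >&2
        return 2
    fi

    # Traditional PEM marks encryption with a Proc-Type header directly after
    # the BEGIN line; PKCS#8 uses a distinct "ENCRYPTED PRIVATE KEY" label.
    rc=0
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { found = 1; next }
        /^-----BEGIN .*PRIVATE KEY-----/         { found = 1; pending = 1; next }
        pending { if ($0 !~ /^Proc-Type: 4,ENCRYPTED/) clear = 1; pending = 0 }
        END { if (!found) exit 3; if (clear || pending) exit 1; exit 0 }
    ' "$f" || rc=$?

    case $rc in
        1) echo "$f: private key stored in the clear" >&2 ;;
        3) echo "$f: no PEM private key found" >&2 ;;
    esac
    return "$rc"
}
```

Run it as `check_key_file EC-newkey.pem` after generating the key; a non-zero status means the file should not be left on disk as it is.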