On Tue, Mar 11, 2008 at 12:19:13AM -0700, Larry Bugbee wrote:

> It seems if you use 'openssl ecparam -genkey' to create a key pair,
> you cannot secure the PEM file output. You have to follow with a
> second command 'openssl ec' to encrypt the private key with
> AES. ...but the first command has already written the key to disk.
>
Use a pipe.

$ umask 077
$ openssl ecparam -name prime256v1 -genkey |
openssl ec -aes128 -out EC-newkey.pem
$ cat EC-newkey.pem
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E71185443CBA7133BC05C2E5417BB345

B8AkGgEA8cmSCx6QSMpoRdDUbxndVjvbXMTwo1m8k4N0aH+VqMG6MiDy4Si0TNKg
fOeWwq2HPsuv8Yw1nQq/BpLRBPpj7bLB7l95snlHsU/H8UzqjRV5Re09esGTwX6L
M8PPm/qYhQFOwhchwF5YGN0BDKqTGfR7kNWyr+VXDW0=
-----END EC PRIVATE KEY-----

The pass-phrase is "foobar" if you want to look at this throw-away key.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
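As an added example (not part of Viktor's reply or of OpenSSL itself), the same pipe wrapped in a POSIX shell script that also checks the result; it assumes the openssl CLI is installed, takes the pass-phrase from an EC_KEY_PASS environment variable instead of a prompt, and uses function names chosen for this example only:

```shell
#!/bin/sh
# Added example (not Viktor's code or part of OpenSSL): wrap the pipe trick
# in shell functions that generate an AES-encrypted EC key without the
# plaintext ever touching disk, then check the result. Needs the openssl CLI.
# Function names and the EC_KEY_PASS variable are this example's own choices.

# Generate an encrypted prime256v1 key at $1. The pass-phrase is taken from
# the EC_KEY_PASS environment variable so openssl never prompts. The subshell
# keeps umask 077 local, so the file is created 0600 and the plaintext key
# exists only inside the pipe.
gen_encrypted_ec_key() {
    (
        umask 077
        openssl ecparam -name prime256v1 -genkey -noout |
            openssl ec -aes128 -passout env:EC_KEY_PASS -out "$1" 2>/dev/null
    )
}

# Return 0 if the PEM at $1 is encrypted (legacy "Proc-Type: 4,ENCRYPTED"
# header as in the message above, or a PKCS#8 ENCRYPTED PRIVATE KEY block,
# which newer OpenSSL may emit) and is readable by its owner only.
key_is_protected() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED$|^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Return 0 if the key at $1 cannot be loaded with a wrong pass-phrase but can
# be loaded with the one in EC_KEY_PASS, i.e. the encryption is real.
key_needs_passphrase() {
    openssl ec -in "$1" -noout -passin pass:definitely-wrong 2>/dev/null && return 1
    openssl ec -in "$1" -noout -passin env:EC_KEY_PASS 2>/dev/null
}

# Demo: sh this-script.sh --demo  (EC_KEY_PASS must be exported first)
if [ "${1:-}" = "--demo" ]; then
    gen_encrypted_ec_key EC-newkey.pem || exit 1
    key_is_protected EC-newkey.pem && key_needs_passphrase EC-newkey.pem &&
        echo "EC-newkey.pem is encrypted and mode 0600"
fi
```

The checks matter because `openssl ecparam -genkey -out file` alone would write the plaintext key first; here the only file ever created is the encrypted one.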