434

I have an existing public/private key pair. The private key is password protected, and the encryption may be either RSA or DSA. These keys are the kind you generate with ssh-keygen and generally store under ~/.ssh.

I'd like to change the private key's password. How do I go about it, on a standard Unix shell?

Also, how do I simply remove the password? Just change it to empty?

kch
  • 4,812

3 Answers

589

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_rsa

Then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
   ssh-keygen  [-q]  [-a  rounds]  [-b  bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option]
              [-t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher]
   ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.

[...]

raldone01
  • 103
  • 4
Mike Mazur
  • 6,543
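
The passphrase change from the answer above, plus the removal the question asks about, as an added example that is not part of the original post. It works on a throwaway key in a temporary directory and checks that the derived public key stays identical at each step. The function names, the sample passphrases and the choice of an ed25519 key are assumptions, as is the reliance on `ssh-keygen -y` honouring `-P`. Call `rotate_demo` to run it.

```shell
#!/bin/sh
# Added example: rotate, then remove, the passphrase on a THROWAWAY key and
# confirm the key material never changes. OLD/NEW are constructed sample values.
# -P/-N place passphrases in argv (visible in `ps`); for a real key, omit both
# and let ssh-keygen prompt as the answer describes.
OLD='old-sample-passphrase'
NEW='new-sample-passphrase'

# Print the public key derived from private key $1 using passphrase $2.
# Exits non-zero, without prompting, when the passphrase is wrong.
pubkey_of() {
    ssh-keygen -y -P "$2" -f "$1" 2>/dev/null
}

check_rotation() {  # $1 = path for the throwaway private key
    ssh-keygen -q -t ed25519 -N "$OLD" -C demo -f "$1" || return 1
    before=$(pubkey_of "$1" "$OLD") || return 1

    # Change: -p re-encrypts the same private key under the new passphrase.
    ssh-keygen -q -p -P "$OLD" -N "$NEW" -f "$1" >/dev/null || return 1
    [ "$(pubkey_of "$1" "$NEW")" = "$before" ] || return 1
    # The old passphrase must no longer unlock the file.
    if pubkey_of "$1" "$OLD" >/dev/null; then return 1; fi

    # Remove: an empty new passphrase stores the key unencrypted.
    ssh-keygen -q -p -P "$NEW" -N '' -f "$1" >/dev/null || return 1
    [ "$(pubkey_of "$1" '')" = "$before" ] || return 1
}

# Runs the check in a private temp dir; prints "ok" when every step held.
rotate_demo() {
    dir=$(mktemp -d) || return 1
    status=0
    check_rotation "$dir/id_demo" || status=1
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}
```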
5

If you don't have ssh-keygen installed, you can also use openssl directly:

key="/path/to/your.key"
algo="-des3" # or -aes256 or ...

openssl rsa $algo -in "$key" -out "$key.new"

and replace the old key with the new one:

mv "$key.new" "$key"

mivk
  • 4,924
-17

Remove your SSH public/private keys:

rm ~/.ssh/id_rsa*

Recreate the keypair, choosing a new passphrase:

ssh-keygen -t rsa -f ~/.ssh/id_rsa

Add the newly created private key to your OS X Keychain to store the passphrase and manage unlocking it automatically:

ssh-add -K ~/.ssh/id_rsa

Copy the public key to the OS X clipboard for adding to web services like GitHub, etc.

cat ~/.ssh/id_rsa.pub | pbcopy

Add your newly created public key to the ~/.ssh/authorized_keys file of the remote server. Be sure to ensure the correct permissions of both the remote ~/.ssh folder (700) and ~/.ssh/authorized_keys (600). You may want to investigate using ssh-copy-id to ease this process.

Patrick Mevzek
  • 10,581
  • 7
  • 35
  • 45
gauta
  • 1