How to Change or Remove SSH Private Key Passphrase Using ssh-keygen



When working with SSH authentication, your private key may be protected by a passphrase. This adds an extra layer of security, but there are times when you might need to:

  • Update an existing passphrase
  • Remove passphrase protection entirely

The ssh-keygen utility provides a straightforward way to modify passphrases:

# Change passphrase for existing key
ssh-keygen -p -f ~/.ssh/id_rsa

# Alternative syntax (identical functionality)
ssh-keygen -f ~/.ssh/id_rsa -p

The command will prompt you for:

  1. Current passphrase (leave empty if none exists)
  2. New passphrase (enter twice for confirmation)

To completely remove the passphrase (not recommended for production environments):

ssh-keygen -p -f ~/.ssh/id_rsa -N ''

Or interactively:

ssh-keygen -p -f ~/.ssh/id_rsa
# When prompted for new passphrase, press Enter twice

Here are some common scenarios with solutions:

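# 1. Changing passphrase for default RSA key
ssh-keygen -p -f ~/.ssh/id_rsa

# 2. Changing passphrase for DSA key
#    (DSA is deprecated in OpenSSH; prefer Ed25519 or RSA for new keys)
ssh-keygen -p -f ~/.ssh/id_dsa

# 3. Batch processing multiple keys (skip the .pub public-key files,
#    which the id_* glob also matches)
for key in ~/.ssh/id_*; do
  case "$key" in *.pub) continue ;; esac
  [ -f "$key" ] && ssh-keygen -p -f "$key"
done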

Before removing or changing passphrases:

  • Understand the security implications of keys without a passphrase
  • Consider using ssh-agent for temporary passphrase caching
  • Never share or transfer unprotected private keys

If you encounter problems:

# Verify key permissions (should be 600)
chmod 600 ~/.ssh/id_rsa

# Check if the key is actually encrypted (prompts for a passphrase only if it is)
ssh-keygen -y -f ~/.ssh/id_rsa

Remember that you can't recover a lost passphrase - you'll need to generate a new keypair if you've forgotten it.
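
The ssh-keygen -y check above tells you whether a key is encrypted only by prompting, which is awkward when auditing a whole directory before or after a batch change. The following script is an added example, not part of the original article: it classifies private keys from their file headers alone, and the function names key_protection and audit_keys are hypothetical.

```shell
#!/bin/sh
# Added example; the function names key_protection and audit_keys are hypothetical.
# key_protection FILE prints: encrypted | unencrypted | not-a-private-key
# It only reads the file's text: no passphrase prompt, nothing is decrypted.
key_protection() {
    f=$1
    [ -f "$f" ] || { echo not-a-private-key; return 0; }
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$f")
    case $header in
        *'BEGIN OPENSSH PRIVATE KEY'*)
            # The payload starts with "openssh-key-v1\0" followed by the
            # length-prefixed cipher name; cipher "none" means no passphrase.
            # Both sit at fixed offsets, so their base64 prefix is constant.
            first=$(sed -n '/BEGIN OPENSSH PRIVATE KEY/{n;p;q;}' "$f")
            case $first in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
                *)                                 echo not-a-private-key ;;
            esac ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*)
            echo encrypted ;;            # PKCS#8, always passphrase-protected
        *'PRIVATE KEY'*)
            # Legacy PEM marks encryption with a Proc-Type header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo encrypted
            else
                echo unencrypted         # includes plain PKCS#8
            fi ;;
        *)  echo not-a-private-key ;;    # e.g. id_rsa.pub, known_hosts
    esac
}

# audit_keys DIR lists every private key with its status and returns 1
# if at least one key has no passphrase.
audit_keys() {
    dir=$1
    rc=0
    for k in "$dir"/*; do
        s=$(key_protection "$k")
        if [ "$s" = not-a-private-key ]; then continue; fi
        printf '%s\t%s\n' "$s" "$k"
        if [ "$s" = unencrypted ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_keys "$1"; fi
```

The non-zero return value makes the audit usable as a gate in a provisioning or backup script that should refuse to copy unprotected keys.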


When working with SSH keys, you might need to modify the passphrase of an existing private key. This typically occurs when:

  • Security policies require periodic passphrase rotation
  • You want to remove passphrase protection for automated processes
  • The original passphrase is forgotten or compromised

The standard Unix ssh-keygen tool provides a straightforward way to modify passphrases:

# Basic syntax for passphrase change
ssh-keygen -p -f ~/.ssh/id_rsa

This command will:

  1. Prompt for the current passphrase (if set)
  2. Ask for a new passphrase (twice for confirmation)
  3. Rewrite the private key file with the new encryption

Here's a detailed example for changing a passphrase:

$ ssh-keygen -p -f ~/.ssh/id_rsa
Enter old passphrase: [current_passphrase]
Enter new passphrase (empty for no passphrase): [new_passphrase]
Enter same passphrase again: [new_passphrase]
Your identification has been saved with the new passphrase.

To completely remove passphrase protection (not recommended for security reasons):

$ ssh-keygen -p -f ~/.ssh/id_rsa
Enter old passphrase: [current_passphrase]
Enter new passphrase (empty for no passphrase): [PRESS ENTER]
Enter same passphrase again: [PRESS ENTER]
Your identification has been saved with the new passphrase.

Security considerations:

  • Never store unprotected private keys on shared systems
  • Use ssh-agent for managing keys with passphrases in development
  • Consider key rotation if you suspect passphrase compromise

For more control over the encryption algorithm:

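# Decrypt, then re-encrypt the key with AES-256
# (openssl reads PEM/PKCS#8 keys only, not the newer OpenSSH key format)
# umask 077 keeps the new file private from the moment it is created
(umask 077; openssl rsa -aes256 -in id_rsa -out id_rsa.new)
# Then set permissions and replace original
chmod 600 id_rsa.new
mv id_rsa.new id_rsa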

If you encounter "invalid format" errors:

# Rewrite the key in legacy PEM format for tools that cannot read the OpenSSH format
ssh-keygen -p -f ~/.ssh/id_rsa -m PEM