How to Check if a PEM Private Key File is Password-Protected Using ssh-keygen


When working with SSH keys in PEM format, determining whether a private key is password-protected is crucial for automation and security purposes. The ssh-keygen tool provides a straightforward way to verify this.

Here's the most effective way to check password protection status:

ssh-keygen -y -f myfile-privkey.pem

This command attempts to extract the public key from the private key file. The behavior differs based on encryption status:

Unprotected Key Scenario:

$ ssh-keygen -y -f unencrypted.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... (public key output)

Protected Key Scenario:

$ ssh-keygen -y -f encrypted.pem
Enter passphrase for encrypted.pem:

For a more detailed inspection of an RSA key, OpenSSL can validate it as well (OpenSSL prompts for the passphrase if the key is encrypted):

openssl rsa -in myfile-privkey.pem -check -noout

Or, to dump the RSA key's components:

openssl rsa -in myfile-privkey.pem -text -noout

For scripting purposes, you can use this bash snippet. A plain ssh-keygen -y would stop at the passphrase prompt, so the passphrase is supplied explicitly and stdin is detached:

# -P "" hands ssh-keygen an empty passphrase, so an encrypted key fails instead of prompting;
# </dev/null guarantees nothing waits on a terminal (ssh-keygen reads the passphrase
# from stdin when stdin is not a tty)
if ssh-keygen -y -P "" -f "myfile-privkey.pem" </dev/null >/dev/null 2>&1; then
    echo "Key is NOT password protected"
else
    # also reached for an unreadable or malformed key file, not only an encrypted one
    echo "Key IS password protected"
fi

PEM private keys in PKCS#8 form indicate encryption in their header line:

-----BEGIN ENCRYPTED PRIVATE KEY-----

versus unencrypted:

-----BEGIN PRIVATE KEY-----

Traditional PEM keys (-----BEGIN RSA PRIVATE KEY-----) instead mark encryption with a Proc-Type: 4,ENCRYPTED line and a DEK-Info line naming the cipher directly after the header, and the OpenSSH native format (-----BEGIN OPENSSH PRIVATE KEY-----) does not reveal encryption in any text header at all, so the ssh-keygen check above remains the reliable test.

When working with SSH keys in the PEM format, it's crucial to know whether your private key is password-protected. The ssh-keygen utility provides native methods to verify this without requiring the password itself.

Run this command against your PEM file:

ssh-keygen -y -f myfile-privkey.pem

If the key is protected, you'll immediately get a password prompt:

Enter passphrase for myfile-privkey.pem:

Note that ssh-keygen has no mode that prints an encryption status line. Invoked with -f but without a mode flag (for example ssh-keygen -v -f myfile-privkey.pem), it starts generating a new key pair and offers to overwrite the file, so it must not be used as a check. The cipher protecting a traditionally encrypted PEM key (for example DES-EDE3-CBC) can be read from the file's DEK-Info header line; ssh-keygen -y, above, is the way to test whether a passphrase is required.

Here's what a successful check looks like for an encrypted key:

$ ssh-keygen -y -f encrypted_key.pem
Enter passphrase for encrypted_key.pem:

For an unencrypted key:

$ ssh-keygen -y -f unencrypted_key.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD... [public key output]

When scripting SSH operations, knowing whether a key requires a passphrase is essential for:

  • CI/CD pipeline configurations
  • Automated server deployments
  • SSH agent forwarding setups

If you encounter:

Load key "myfile-privkey.pem": invalid format

this indicates a corrupted key file or an unsupported format, not necessarily encryption. A script that treats every non-zero exit status as "encrypted" will misreport such files.

For multiple keys, use this bash snippet:

for key in *.pem; do
    printf '%s: ' "$key"
    # -P "" and </dev/null keep the loop from stopping at a passphrase prompt
    ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1 && echo "Unencrypted" || echo "Encrypted (or unreadable)"
done
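The header test, the non-interactive ssh-keygen check and the per-directory loop combined into one POSIX shell script, as an added example that is not part of the original page. The function names (pem_header_status, ssh_keygen_status, key_status, report_dir, make_samples) and the sample files make_samples writes are constructed for this example; the sample bodies are placeholders, not real key material. The script reads the PEM label line first, then asks ssh-keygen with an empty passphrase and stdin detached so it can never stop at a prompt, and uses ssh-keygen's error text to tell an encrypted key apart from a corrupt or misformatted one.

```shell
#!/bin/sh
# Added example: classify private key files without ever blocking on a passphrase prompt.
# Function names and the sample files below are constructed for this example.

# Stage 1: look only at the PEM text headers (no key parsing, no tool needed).
# Prints: encrypted | unencrypted | unknown
pem_header_status() {
    f=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted      # PKCS#8, encrypted
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted      # traditional PEM; the cipher is on the DEK-Info line
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo unencrypted    # PKCS#8, clear
    elif grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        echo unknown        # OpenSSH native format keeps the cipher inside the base64 blob
    elif grep -q -- '-----BEGIN .* PRIVATE KEY-----' "$f"; then
        echo unencrypted    # traditional PEM without a Proc-Type line
    else
        echo unknown        # not a PEM private key at all
    fi
}

# Stage 2: ask ssh-keygen, non-interactively.
# -P "" hands it an empty passphrase and </dev/null makes sure it can never wait on a
# terminal; the error text separates an encrypted key from a corrupt or misformatted one.
# Prints: encrypted | unencrypted | invalid
ssh_keygen_status() {
    f=$1
    if err=$(ssh-keygen -y -P "" -f "$f" 2>&1 >/dev/null </dev/null); then
        echo unencrypted
        return 0
    fi
    case $err in
        *"incorrect passphrase"*) echo encrypted ;;
        *)                        echo invalid ;;   # e.g. Load key "...": invalid format
    esac
}

# Prefer ssh-keygen when it is installed (it also catches corrupt files); else use headers.
key_status() {
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh_keygen_status "$1"
    else
        pem_header_status "$1"
    fi
}

# Report every regular file in a directory, one per line: "path: status".
report_dir() {
    for k in "$1"/*; do
        [ -f "$k" ] || continue
        printf '%s: %s\n' "$k" "$(key_status "$k")"
    done
}

# Constructed sample files: the label lines are real PEM labels, the bodies are
# placeholders and the DEK-Info value is made up, so none of these is a usable key.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIC...placeholder...' \
        '-----END ENCRYPTED PRIVATE KEY-----' >"$d/pkcs8_enc.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END PRIVATE KEY-----' >"$d/pkcs8_plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' >"$d/trad_enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' >"$d/trad_plain.pem"
    printf 'not a key at all\n' >"$d/garbage.pem"
    echo "$d"
}
```

Run report_dir /path/to/keys for a whole directory or key_status myfile-privkey.pem for one file. Keys in the OpenSSH native format come back as "unknown" from the header stage, which is exactly why the ssh-keygen stage is preferred whenever the tool is installed.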