How to Change/Remove Passphrase from PuttyGen .ppk Private Key in Windows



When working with PuTTY-generated SSH keys in Windows (.ppk files), you might encounter two common scenarios when trying to modify passphrases:

  • The puttygen -P command fails with "unable to open file"
  • ssh-keygen rejects valid passphrases with "Bad passphrase" errors

The correct approach is to use the PuTTYgen GUI rather than the command line:

1. Launch puttygen.exe
2. Click "Load" and select your .ppk file
3. Enter the existing passphrase (leave empty if none)
4. Click "Key" → "Change passphrase"
5. Enter new passphrase (or leave both fields empty to remove)
6. Click "Save private key" to overwrite the file

For automation scenarios, consider these approaches:

Using puttygen with echo (Windows CMD)

echo y | puttygen key.ppk -o newkey.ppk -P

Batch Conversion to OpenSSH Format

puttygen key.ppk -O private-openssh -o id_rsa
ssh-keygen -p -f id_rsa
puttygen id_rsa -o newkey.ppk

"Unable to open file" Resolution

This typically occurs when:

  • File path contains spaces (use quotes: puttygen "C:\path with spaces\key.ppk" -P)
  • Incorrect file permissions (run as Administrator)
  • Corrupted PPK header (validate file structure)

Passphrase Validation Issues

When ssh-keygen rejects valid passphrases:

# First convert to OpenSSH format
puttygen key.ppk -O private-openssh -o temp_key

# Then change passphrase
ssh-keygen -p -f temp_key

# Convert back if needed
puttygen temp_key -o newkey.ppk

For bulk operations, use this PowerShell script:

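# Collect every .ppk file in the key directory
$keys = Get-ChildItem -Path "C:\ssh\*.ppk"
foreach ($key in $keys) {
    # Quote both paths so spaces survive; write to new_<name> and leave the original file untouched
    Start-Process puttygen.exe -ArgumentList """$($key.FullName)"" -o ""$($key.DirectoryName)\new_$($key.Name)"" -P" -Wait
}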

Note: Always test with key backups before batch operations.

  • Never store passphrase-less keys on production systems
  • Use 7z or similar to encrypt key files when archiving
  • Rotate keys after passphrase changes as an extra precaution
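
A read-only way to do the "validate file structure" check and to find passphrase-less keys before or after a bulk run, as an added example that is not part of the original page. The function name Get-PpkHeaderInfo and the sample file are assumptions made for illustration; the function reads only the plaintext PPK header fields and never needs the passphrase.

```powershell
# Added example: read-only audit of .ppk header fields (no passphrase needed).
function Get-PpkHeaderInfo {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Content -LiteralPath $Path)   # splits on LF and CRLF alike
    $problems = @(); $seen = @{}
    $version = $null; $encryption = $null

    # Line 1 must read "PuTTY-User-Key-File-<version>: <key type>".
    if ($lines.Count -gt 0 -and $lines[0] -match '^PuTTY-User-Key-File-(\d+): \S+$') {
        $version = [int]$Matches[1]
    } else { $problems += 'bad PuTTY-User-Key-File header' }

    # "Encryption: none" means the private part is stored without a passphrase.
    # Each *-Lines field declares how many base64 lines follow it.
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^Encryption: (\S+)$') { $encryption = $Matches[1] }
        elseif ($lines[$i] -match '^(Public-Lines|Private-Lines): (\d+)$') {
            $field = $Matches[1]; $count = [int]$Matches[2]; $seen[$field] = $true
            $body = @($lines | Select-Object -Skip ($i + 1) -First $count)
            if ($body.Count -ne $count -or @($body -notmatch '^[A-Za-z0-9+/=]+$').Count -gt 0) {
                $problems += "$field block truncated or not base64"
            }
        }
    }
    foreach ($f in 'Public-Lines', 'Private-Lines') {
        if (-not $seen[$f]) { $problems += "no $f field" }
    }
    if (-not $encryption) { $problems += 'no Encryption line' }
    if (@($lines -match '^Private-MAC: [0-9a-fA-F]+$').Count -eq 0) { $problems += 'no Private-MAC line' }

    [pscustomobject]@{
        File = (Split-Path -Path $Path -Leaf); Version = $version; Encryption = $encryption
        Unprotected = ($encryption -eq 'none'); Problems = ($problems -join '; ')
    }
}

# Constructed sample, not a real key: dummy base64 and MAC values.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed-sample.ppk'
@'
PuTTY-User-Key-File-2: ssh-ed25519
Encryption: none
Comment: constructed-sample
Public-Lines: 1
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
Private-Lines: 1
YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
Private-MAC: 0000000000000000000000000000000000000000
'@ | Set-Content -LiteralPath $sample
Get-PpkHeaderInfo -Path $sample
# Real use: Get-ChildItem 'C:\ssh\*.ppk' | ForEach-Object { Get-PpkHeaderInfo -Path $_.FullName }
```

Filtering the real-use output with `Where-Object { $_.Unprotected -or $_.Problems }` lists only the keys that still need a passphrase or that failed the structure check.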

If you've generated an SSH key using PuTTYgen on Windows, you might encounter issues when trying to modify its passphrase. The default .ppk format is specific to PuTTY, and standard OpenSSH tools like ssh-keygen may not handle it correctly.

The command puttygen.exe -P key.ppk often fails with:

PuTTYgen Error: Couldn't load private key (unable to open file)

This typically occurs because:

  • The file path is incorrect or inaccessible
  • The key is already encrypted with a passphrase (the -P flag expects an unencrypted key)
  • File permissions prevent PuTTYgen from reading the key

Here's the proper workflow:

puttygen.exe key.ppk -o newkey.ppk -P

This will:

  1. Load your existing key
  2. Prompt for the current passphrase (if any)
  3. Prompt for a new passphrase (leave blank to remove)
  4. Save as a new file (recommended for safety)

If you need compatibility with other tools:

puttygen.exe key.ppk -O private-openssh -o openssh_key

Then change passphrase with:

ssh-keygen -p -f openssh_key

Error: "Bad passphrase"
This usually means:

  • You're entering the wrong passphrase (try it in Pageant first to verify)
  • The key file is corrupted (try regenerating from your original)
  • Line endings were modified (ensure CRLF for Windows)

Permission Problems
Run PuTTYgen as Administrator if you see access errors, especially when saving to protected directories.

For automation, you can use this PowerShell script:

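# Process every .ppk file in the current directory
$keys = Get-ChildItem *.ppk
foreach ($key in $keys) {
    # -P prompts for the passphrase change; output goes to new_<name> in the current directory
    & "puttygen.exe" $key.FullName -o ("new_" + $key.Name) -P
}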