
When I exported my private key in PuTTYgen, I assumed that the passphrase I set was also used on the OpenSSH version. I'm finding that the passphrase I put in isn't working. What's the right way to export my private key in OpenSSH format with a passphrase?

To transfer the exported SSH key to Linux, I just pasted it into nano and tried to ssh-add it. It prompts me for a passphrase, but doesn't accept the one I gave it. PuTTYgen imports it fine with that passphrase, though.

B T
  • 801

1 Answer


The Windows PuTTYgen's "Export OpenSSH key" does encrypt the key with 3DES-CBC. If the passphrase is non-empty, the output file says so:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,157A04D5AE43F45B

NiGUXnTOhATzg4dGvyXs8rzetF7KpplJJIKrZvQunXuVcZhVS+NTpnTgwJb+zOCm
...

I've tested this on various versions over the past 4 years. If the passphrase is empty, I even get an "Are you sure?" prompt.

The Linux puttygen also always uses the same passphrase when converting.


For RSA & DSA keys, OpenSSH uses the same 'raw' key format as OpenSSL. So if 3DES-CBC is not sufficient, you can use the openssl command-line tool to reencrypt them:

openssl rsa -aes-128-cbc < old.key > new.key

On Unix of course OpenSSH's own ssh-keygen is better:

ssh-keygen -p -f old.key
grawity
  • 501,077
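
The `Proc-Type` and `DEK-Info` headers quoted in the answer can be read without the passphrase, so a key file can be checked for encryption and cipher before it is loaded or re-encrypted. The script below is an added example, not part of the original answer; the function name `pem_key_cipher`, the sample files and their placeholder bodies are constructed for illustration, and carriage returns are stripped on the assumption that the file may have come from Windows.

```shell
#!/bin/sh
# Added example: report how a legacy PEM private key is protected,
# using only its text headers (the passphrase is never needed).

# pem_key_cipher FILE   (hypothetical helper name)
#   prints "none"            for an unencrypted legacy PEM key
#   prints the cipher name   from DEK-Info for an encrypted one
#   prints "unknown-cipher"  if marked ENCRYPTED but DEK-Info is missing
#   returns 2                if no RSA/DSA/EC private key header is found
pem_key_cipher() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$/ {
            inkey = 1; result = "none"; next
        }
        inkey && /^Proc-Type: 4,ENCRYPTED$/ { result = "unknown-cipher"; next }
        inkey && /^DEK-Info: / {
            split($2, f, ",")        # "CIPHER,IVHEX" -> f[1] is the cipher
            result = f[1]; next
        }
        inkey && /^[A-Za-z-]+: / { next }   # skip any other header line
        inkey { exit }               # blank line or base64: headers are over
        END {
            if (result == "") exit 2
            print result
        }'
}

# Constructed samples: header lines as quoted in the answer, with a
# placeholder body. The first file uses CRLF line endings on purpose.
demo_dir=$(mktemp -d)
printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,157A04D5AE43F45B' '' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/exported.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/plain.key"

for f in "$demo_dir"/*.key; do
    cipher=$(pem_key_cipher "$f") || cipher="not a legacy PEM private key"
    case $cipher in
        none)         note="no passphrase protection" ;;
        DES-EDE3-CBC) note="3DES-CBC, candidate for re-encryption" ;;
        *)            note="" ;;
    esac
    printf '%s: %s %s\n' "${f##*/}" "$cipher" "$note"
done
rm -rf "$demo_dir"
```
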