Linux – How to change encryption algorithm for private key file using OpenSSH 5.3


Using ssh-keygen, I need to generate an SSH private key file where the encryption algorithm used when using a passphrase is AES-128 in CBC mode.

I know this is the default for OpenSSH >= 5.4 as per the release notes where they mention:

Passphrase-protected SSH protocol 2 private keys are now protected
with AES-128 instead of 3DES. This applied to newly-generated keys
as well as keys that are reencrypted (e.g. by changing their

However, my requirement is to use this encryption algorithm with OpenSSH 5.3p1 (I cannot change the OpenSSH version).

How can I change the encryption algorithm to AES-128 without upgrading to OpenSSH 5.4 or newer?

Best Answer

ssh-keygen has no options to specify the passphrase encryption, so you cannot simply make the old ssh-keygen behave like the new version by changing a configuration file or giving an option to it, but you can use OpenSSL to generate or convert the keys.


Assuming your key is RSA

openssl rsa -aes128 -in <3des_protected> -out <aes128_protected>

will convert the 3des_protected key into an AES128-protected one. It will ask for a passphrase three times: once for reading the old key, twice to set the new one.


First create the private part

openssl genrsa -aes128 -out <newkey>

then change its permissions so that ssh doesn't complain: chmod 600 <newkey>

The public key is then derived from the private one by issuing

ssh-keygen -e -f newkey >
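The procedure from the answer above (generate or re-encrypt with openssl, chmod 600, derive the public key), as an added, scripted example that is not part of the original answer. It assumes only the openssl command line tool and, optionally, ssh-keygen; the function names, the passphrases, and the use of -passin/-passout to avoid prompts are all this example's own. It also verifies the result by checking for the legacy PEM DEK-Info header, which is the one line that tells you which cipher protects the key, and passes -traditional on OpenSSL 3.x, which otherwise writes PKCS#8 output that OpenSSH 5.3 does not read.

```shell
#!/bin/sh
# Added example (not from the original answer): create or re-encrypt an RSA key
# so its passphrase protection is AES-128-CBC, using only the openssl CLI.
# Passphrases are given with -passin/-passout purely so this runs unattended;
# interactively you would omit them and let openssl prompt (they show up in
# the process list otherwise).
set -eu

# OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") by default, which OpenSSH 5.3
# cannot load; -traditional forces the legacy "BEGIN RSA PRIVATE KEY" PEM.
# OpenSSL 1.0/1.1 has no -traditional option and already writes legacy PEM.
rsa_traditional_flag() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        printf '%s' '-traditional'
    fi
}

# Re-encrypt an existing key (3DES-protected or unencrypted) under AES-128-CBC.
# Usage: reencrypt_aes128 IN OUT OLDPASS NEWPASS
reencrypt_aes128() {
    in="$1"; out="$2"; oldpass="$3"; newpass="$4"
    # shellcheck disable=SC2046  # the flag is intentionally empty on old OpenSSL
    openssl rsa -aes128 $(rsa_traditional_flag) \
        -in "$in" -passin "pass:$oldpass" \
        -out "$out" -passout "pass:$newpass" 2>/dev/null
    chmod 600 "$out"   # ssh refuses keys readable by others
}

# Generate a new key. genrsa's default size depends on the OpenSSL version
# (512 bits on old releases), so the size is always passed explicitly.
# Usage: generate_aes128_key OUT PASS [BITS]
generate_aes128_key() {
    out="$1"; pass="$2"; bits="${3:-2048}"
    # Subshell umask: the temporary unencrypted key is never world-readable.
    ( umask 077; openssl genrsa -out "$out.tmp" "$bits" 2>/dev/null )
    reencrypt_aes128 "$out.tmp" "$out" "" "$pass"
    rm -f "$out.tmp"
}

# Check that FILE is a legacy-format PEM key encrypted with AES-128-CBC.
# The DEK-Info header exists only in legacy PEM; PKCS#8 output has none,
# so this also catches the OpenSSL 3 default format. Returns 0 on success.
check_aes128_pem() {
    grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$1" &&
    grep -q '^Proc-Type: 4,ENCRYPTED$' "$1" &&
    grep -q '^DEK-Info: AES-128-CBC,' "$1"
}

# Print the authorized_keys line for KEY when ssh-keygen is available.
# -y prints OpenSSH's own public key format; -e would print RFC 4716 instead.
pubkey_from_private() {
    key="$1"; pass="$2"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -y -f "$key" -P "$pass"
    fi
}
```

Run `generate_aes128_key ~/.ssh/id_rsa 'your passphrase'` for a new key, or `reencrypt_aes128 ~/.ssh/id_rsa ~/.ssh/id_rsa.new 'old' 'new'` for an existing 3DES key, then `check_aes128_pem` on the result; if the DEK-Info line reads DES-EDE3-CBC instead of AES-128-CBC, the conversion did not take.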