# ETOOBUSY ðŸš€ minimal blogging for the impatient

# Encrypt, the hard way - a caveat

**TL;DR**

One thing to look out for when using Encrypt, the hard way.

In post Encrypt, the hard way we saw that itâ€™s possible to use OpenSSH RSA keys from OpenSSL to implement a working encryption and decryption chain. Might be fun.

Itâ€™s anyway possible to hit the following error while decrypting via the asymmetric algorithm:

```
# Get the symmetric encryption key back first, using the private
# SSH RSA key
$ openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa \
-in random-key-stuff.enc -out random-key-stuff.dec
... yadda yadda yadda...:Expecting: ANY PRIVATE KEY
```

Well, `~/.ssh/id_rsa`

**is** a RSA PRIVATE KEY:

```
-----BEGIN OPENSSH PRIVATE KEY-----
...
```

What gives?

It turns out that the format with which the key was saved is not useable by OpenSSL (well, my version of OpenSSL at least) and I have to save it in a slightly different format to make it acceptable.

So thanks to this answer:

```
# let's work in the SSH directory for my user
$ cd ~/.ssh
# let's also remain on the safe side, just in case...
$ cp id_rsa id_rsa.save
# we're passphrase-protecting our keys, right? RIGHT?!?
$ ssh-keygen -p -f id_rsa -m PEM
```

At this point weâ€™re asked for the old passphrase (to decrypt the current
contents of `id_rsa`

into a useable private key) and a new passphrase
twice, to re-encrypt the private key with it. We end up with a file that
*starts differently*:

```
$ head id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-...
...
```

Now *this* key can make my OpenSSL happy and willing to work
properlyâ€¦ thanks!

Stay safe everyone!

*Comments? Octodon, Twitter, GitHub, Reddit, or drop me a line!*