2

I have a private key in DER format. I am trying to convert it to PEM and simultaneously encrypt the private key with a passphrase.

Here is the openssl command that I am using to convert and encrypt:

> openssl rsa -aes256 -inform der -in temp_key.der -outform pem -passout pass:<password>

I am trying to implement a similar logic in Python where I have the data for the key in-memory in DER format. I want to change it to PEM, encrypt it and then store to a file.

I am not very well versed with Python's Crypto libraries and I am having a hard time figuring out the right way to convert and encrypt my key data.

3 Answers

6

You can load a DER key and dump it as a password-protected PEM key with the help of the cryptography module as follows:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization

private_key = serialization.load_der_private_key(
    der_data, # assuming that "der_data" variable contains your DER key
    password=None,
    backend=default_backend()
)

pem_encrypted = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.BestAvailableEncryption(b'mypassword')
)

print(pem_encrypted.decode()) # -----BEGIN ENCRYPTED PRIVATE KEY-----...

1 Comment

Thanks for the response. I reached the same code. Check out my implementation in the answer below.
2

Both other answers will work for you. Purely for variety, I shall add mine. For RSA, I personally prefer to use PyCryptodome, for the reason that it has more features when it comes to the RSA cipher, and its RSA instance is programmed in pure Python.

This code should work for you:

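from Crypto.PublicKey import RSA

# Read the DER-encoded private key; import_key() accepts both DER and PEM input.
with open('key.der', 'rb') as f:
    key = RSA.import_key(f.read())

# export_key() defaults to PEM; supplying a passphrase encrypts the exported key.
pem_key = key.export_key(passphrase='password')

with open('key.pem', 'wb') as f:
    f.write(pem_key)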

If you wanted, you could specify the output format of the exported key, but PyCryptodome currently defaults to PEM.

You can find thorough documentation for both libraries at https://cryptography.io and https://pycryptodome.readthedocs.io respectively.

1 Comment

I think in the second code line you wanted to write RSA.import_key
1

Used the cryptography module for Python. This is the implementation I reached:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.serialization import load_der_private_key

# "der_data" holds the unencrypted DER-encoded private key bytes
key = load_der_private_key(der_data, password=None, backend=default_backend())

# The passphrase must be bytes; BestAvailableEncryption rejects a str
password_protected_key = key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.BestAvailableEncryption(b"password"),
)

1 Comment

If this answer works, add it as the selected answer.
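
Added example (not code from any of the answers above): the DER-to-encrypted-PEM conversion with the cryptography module, extended to create the output file with owner-only permissions and to verify the result by reloading it with the passphrase. The function names, the throwaway generated key and the passphrase are constructed for illustration, and it assumes a cryptography release in which the backend argument is optional.

```python
import os
import tempfile

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def _pkcs8_der(key) -> bytes:
    """Canonical unencrypted PKCS#8 DER, used only to compare two key objects."""
    return key.private_bytes(
        serialization.Encoding.DER,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def der_to_encrypted_pem(der_data: bytes, passphrase: bytes, path: str) -> bytes:
    """Load an unencrypted DER private key and write it as passphrase-protected PEM."""
    key = serialization.load_der_private_key(der_data, password=None)
    pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )
    # O_EXCL refuses to reuse an existing file, so the 0o600 mode always applies
    # and the key bytes never land in a file that is readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    return pem


def roundtrip_check(path: str, passphrase: bytes, original_der: bytes) -> bool:
    """Reload the PEM with the passphrase and confirm it holds the same key.

    A wrong passphrase makes load_pem_private_key raise ValueError.
    """
    with open(path, "rb") as f:
        reloaded = serialization.load_pem_private_key(f.read(), password=passphrase)
    original = serialization.load_der_private_key(original_der, password=None)
    return _pkcs8_der(reloaded) == _pkcs8_der(original)


def make_sample_der() -> bytes:
    """Constructed input: a throwaway RSA key as unencrypted PKCS#8 DER."""
    return _pkcs8_der(rsa.generate_private_key(public_exponent=65537, key_size=2048))


if __name__ == "__main__":
    der = make_sample_der()
    out = os.path.join(tempfile.mkdtemp(), "key.pem")
    pem = der_to_encrypted_pem(der, b"constructed-passphrase", out)
    print(pem.splitlines()[0].decode(), roundtrip_check(out, b"constructed-passphrase", der))
```

With `PrivateFormat.PKCS8` the file begins with `-----BEGIN ENCRYPTED PRIVATE KEY-----`; the `openssl rsa -aes256` command in the question and `PrivateFormat.TraditionalOpenSSL` instead produce the older `RSA PRIVATE KEY` form.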
