How do I know if *.pem is password protected using ssh-keygen?

I have got a file myfile-privkey.pem.

How do I check if the private key file is password protected using ssh-keygen?


ssh-keygen -y -f myfile-privkey.pem

If the key is password protected, you will see a "password:" prompt.

The flags in this command are:

-y Read private key file and print public key.
-f Filename of the key file.

As extra guidance, always check the command someone, especially online, is telling you to use when dealing with your private keys.


It is pretty easy to see if an SSH key has been encrypted. Simply look for the Proc-Type: 4,ENCRYPTED in the body. Here are a few example keys in various forms.

RSA with password

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AF51A101888567A12C6E384AFBD2B963

AAp6xVAtPP/qmr8T1WjAac8jjfQmToW8Hd4ik95zA/fkH2SJgy7hwuyl1AuVyQuq

RSA without password

-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAwwXQEPzdutisd8Wl/TSNrp4HVnY7R87at30OiN46GcPPcV6q

DSA with password

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2B9F1E1503F57CCC663397AB03CBF3F9

MVJ+F/AoJKW/XGtx0N2yrmLfJc276XIZzGYHRuCHmxUXlRkWpmi9gSUO8bNWgymf

DSA without password

-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQD1qn6U7ve6yqHTu1XuiOyF/9A+n3MJFXNrTt9jHg7Pn5zssqwO

ECDSA with password

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5A3BB12B9B9E17A9A569001A0498969D

LrGoz5tXNI4KMxx7zb1H6beJZ8kEwc2FLLglD0kNzilTLeNMooC1NoMNhRD9XCo6

ECDSA without password

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILU3EwLQa2rSZdIMkbiE5VDrjlcoeJEF5IsYfGy0Hz4JoAoGCCqGSM49
AwEHoUQDQgAEHJCNvU9hVeByhp9CpSmvHphb82iSp52pL0ZJqVvqFY/swXPB1NMU

If the following command asks for the key then it is password protected.

openssl rsa -in myfile-privkey.pem -noout

If is not protected, you can setup the password:

ssh-keygen -p -P "" -N "strong-password" -f unprotected.pem