5

I use openssl to generate private keys and CSRs in a script. The script needs to generate the key first, then call chmod 400 whatever.key to change the permissions of the private key to something more secure.

Is there any way to eliminate the second step and have openssl create the file with appropriate permissions from the start? It would seem cleaner to me to not have the private key readable by other processes, even for a millisecond.

Can you use umask in a script to do something like this or is there another way?

thomasrutter
  • 2,527
  • 1
  • 25
  • 34
  • 2
    Looks like my question is answered here: https://unix.stackexchange.com/questions/196802/remove-passphrase-from-private-key-and-set-specific-file-mode But that's a different site so I can't flag as duplicate. – thomasrutter Jul 07 '15 at 01:54
  • according to tradition, this still count as duplicate. – Archemar Jul 07 '15 at 14:19

1 Answers1

4

I found an answer to my question over at unix.stackexchange.com.

The idea is to use umask and run the commands in round brackets to execute it in a subshell, so umask doesn't affect the rest of the script.

( umask 077; openssl rsa -in secure.key -out insecure.key )
Community
  • 1
thomasrutter
  • 2,527
  • 1
  • 25
  • 34
  • 1
    Note: that will probably result in a key file with permission of 600 or 700; to get 400 I think the umask should be 0377. Not that there is really any significant difference between them in this particular case. – thomasrutter Jul 08 '15 at 01:02