How to generate RSA private and public keys in your PC
  John Mwaniki /   07 Jan 2022

How to generate RSA private and public keys in your PC

In this article, you will learn what data encryption is, what RSA data encryption algorithm is, how it works and how to generate a pair of RSA private and public keys in your PC using the OpenSSL library in your Linux terminal or Windows command prompt.

What is encryption?

Encryption is the process of securing data by encoding it mathematically into an unreadable format known as ciphertext.

It is a data security practice for protecting sensitive information from being read by unauthorized parties.

An encrypted data will appear scrambled and meaningless to anyone who tries to view read it and must be decrypted to be read and make sense.

There exist various cryptographic algorithms for doing data encryption such as the DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), RC4, and RSA (Rivest, Shamir, and Adleman) encryption among others. In this article, we put our focus on the RSA algorithm.

What is RSA?

RSA is the most popular and widely used asymmetric encryption algorithm available to the public. It also happens to be the very first asymmetric encryption algorithm.

Its name is derived from the surnames of the three mathematicians (Rivest, Shamir, and Adleman) who invented it.

RSA is considered an asymmetric algorithm due to its use of a pair of keys. Asymmetric encryption uses a key pair (private and public keys) that is mathematically linked to encrypt and decrypt data.

As their names suggest, a public key is shared publicly, while a private key is secret and known only by the key pair creator (it must not be shared with anyone).

How the RSA algorithm works

In RSA, either of the keys can encrypt the data, while the other key decrypts it. If for instance the public key is used for encryption, the private key must be used to decrypt the data.

Encrypting data with the public key

This is very applicable especially when sending sensitive data across a network such as the Internet. In such a case, the recipient of the data shares their public key with the sender.

The sender then encrypts the data using the public key and sends it to the recipient. Since the data was encrypted with the public key, it can only be decrypted using the private key.

Since the private key is kept secret by the data recipient, only him/her can decrypt that data. Even if a hacker accesses the data while in transit, they can read it, and thus it is secure.

Encrypting data with the private key

Alternatively, the data can be encrypted using the private key. Using the above example, the sender of the data encrypts it using their private key and sends the ciphertext (encrypted data) together with the public key to the recipient.

The recipient can then decrypt the data using the shared public key. The data can be read in transit using this method. The purpose of this method is not to prevent data from being read, but to verify the identity of the sender.

Since only the sender has the private key in this case, if a person accessed, decrypted, and modified the data in transit, they won't be able to encrypt the data in a way that the recipient public key can decrypt it (since they don't have the encrypting private key). Hence the recipient would know the data had been modified in transit.

The RSA algorithm is based on the fact that it is easy to generate a number by multiplying two large numbers, but extremely difficult to factorize that number back into the original prime numbers. The two keys are derived from two numbers, one of which is a multiplication of two large prime numbers. They both use the same two prime numbers to compute their value.

RSA private key size consideration

If somebody can factorize the large number, the private key is compromised. The encryption strength in RSA, therefore, relies on the key size. The larger the key size, the stronger the encryption.

You can therefore specify the private key size from the four options when creating it.

Key size Key strength
512 bits Low-strength key
1024 bits Medium-strength key
2048 bits High-strength key
4096 bits Very high-strength key

Though keys from 1024 bits in length are considered strong, experts believe that 1024 bit keys could be broken in the near future. I recommend you use from 2048 bits length.

How to create RSA private and public keys

We will focus on creating the keys using the OpenSSL library.

OpenSSL is a robust open-source software library/toolkit for general-purpose cryptography and secure communication.

OpenSSL allows users to perform various SSL related tasks, such as CSR (Certificate Signing Request) and private keys generation and SSL certificate installation.

It is available for Linux, Windows, macOS, and BSD systems. It comes pre-compiled in most Linux distributions. If you are on Windows, you will need to first install it.

Here is how to install OpenSSL in Windows.

How to generate private and public keys on Linux

Open the terminal of your Linux distribution.

Navigate to the directory where you want to generate the RSA keys using the cd command. Alternatively, you can right-click on the folder in which you want to create the keys and select the "Open in terminal" option to open the terminal on that directory.

Type the command below and hit enter to generate the private key.

openssl genrsa -out privatekey.pem 2048
Generating RSA private key on Linux

Once the above command is executed successfully, a file named "privatekey.pem" will be created on your present directory. The "2048" above specifies the private key size. You can modify it accordingly depending on your required size.

Proceed to export the public key from the key pair generated using the command below.

openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
Generating RSA public key on Linux

Another file named "publickey.pem" will be created in the directory. Below is the screenshot of the two files created in my directory from the commands above.

Generated RSA keys on Linux

On opening the files, the private key (privatekey.pem) looks as shown below:


A public key (publickey.pem) looks as shown below:

-----END PUBLIC KEY-----

How to generate private and public keys in Windows

As I mentioned earlier, you need to make sure the OpenSSL library is installed in your Windows PC (as it is not installed by default), or else it will fail to generate the RSA keys and give the error below.

OpenSSL not recognized in windows

Here is how to install OpenSSL in Windows.

Once you have installed it, open the command prompt.

Use the cd command to navigate to the directory in which you want to create the keys.

Once in the directory of your choice in cmd, use the following command to generate an RSA private key.

openssl genrsa -out privatekey.pem 2048
Generating RSA private key in Windows

On successful execution of the above command, a file named "privatekey.pem" will be created on your present directory.

Export the public key from the key pair generated using the command below.

openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
Generating RSA public key in Windows

On successful execution, a new file named "publickey.pem" will be created on your present directory. Now you will be having two files for the two keys as shown below.

Generated RSA keys in Windows

The private key should be kept secret and should never be shared. On the other hand, the public key can be shared or embedded in application scripts.

I also highly recommend that you should back up the keys. If by any chance you lose these keys, just forget the encrypted data as well.