How to generate RSA private and public keys in your PC
John Mwaniki / Updated on 07 Jul 2024In this article, you will learn what data encryption is, what RSA data encryption algorithm is, how it works and how to generate a pair of RSA private and public keys in your PC using the OpenSSL library in your Linux terminal or Windows command prompt.
What is encryption?
Encryption is the process of securing data by encoding it mathematically into an unreadable format known as ciphertext.
It is a data security practice for protecting sensitive information from being read by unauthorized parties.
An encrypted data will appear scrambled and meaningless to anyone who tries to view read it and must be decrypted to be read and make sense.
There exist various cryptographic algorithms for doing data encryption such as the DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), RC4, and RSA (Rivest, Shamir, and Adleman) encryption among others. In this article, we put our focus on the RSA algorithm.
What is RSA?
RSA is the most popular and widely used asymmetric encryption algorithm available to the public. It also happens to be the very first asymmetric encryption algorithm.
Its name is derived from the surnames of the three mathematicians (Rivest, Shamir, and Adleman) who invented it.
RSA is considered an asymmetric algorithm due to its use of a pair of keys. Asymmetric encryption uses a key pair (private and public keys) that is mathematically linked to encrypt and decrypt data.
As their names suggest, a public key is shared publicly, while a private key is secret and known only by the key pair creator (it must not be shared with anyone).
How the RSA algorithm works
In RSA, either of the keys can encrypt the data, while the other key decrypts it. If for instance the public key is used for encryption, the private key must be used to decrypt the data.
Encrypting data with the public key
This is very applicable especially when sending sensitive data across a network such as the Internet. In such a case, the recipient of the data shares their public key with the sender.
The sender then encrypts the data using the public key and sends it to the recipient. Since the data was encrypted with the public key, it can only be decrypted using the private key.
Since the private key is kept secret by the data recipient, only him/her can decrypt that data. Even if a hacker accesses the data while in transit, they can't read it, and thus it is secure.
Encrypting data with the private key
Alternatively, the data can be encrypted using the private key. Using the above example, the sender of the data encrypts it using their private key and sends the ciphertext (encrypted data) together with the public key to the recipient.
The recipient can then decrypt the data using the shared public key. The data can be read in transit using this method. The purpose of this method is not to prevent data from being read, but to verify the identity of the sender.
Since only the sender has the private key in this case, if a person accessed, decrypted, and modified the data in transit, they won't be able to encrypt the data in a way that the recipient public key can decrypt it (since they don't have the encrypting private key). Hence the recipient would know the data had been modified in transit.
The RSA algorithm is based on the fact that it is easy to generate a number by multiplying two large numbers, but extremely difficult to factorize that number back into the original prime numbers. The two keys are derived from two numbers, one of which is a multiplication of two large prime numbers. They both use the same two prime numbers to compute their value.
RSA private key size consideration
If somebody can factorize the large number, the private key is compromised. The encryption strength in RSA, therefore, relies on the key size. The larger the key size, the stronger the encryption.
You can therefore specify the private key size from the four options when creating it.
Key size | Key strength |
---|---|
512 bits | Low-strength key |
1024 bits | Medium-strength key |
2048 bits | High-strength key |
4096 bits | Very high-strength key |
Though keys from 1024 bits in length are considered strong, experts believe that 1024 bit keys could be broken in the near future. I recommend you use from 2048 bits length.
How to create RSA private and public keys
We will focus on creating the keys using the OpenSSL library.
OpenSSL is a robust open-source software library/toolkit for general-purpose cryptography and secure communication.
OpenSSL allows users to perform various SSL related tasks, such as CSR (Certificate Signing Request) and private keys generation and SSL certificate installation.
It is available for Linux, Windows, macOS, and BSD systems. It comes pre-compiled in most Linux distributions. If you are on Windows, you will need to first install it.
Here is how to install OpenSSL in Windows.
How to generate private and public keys on Linux
Open the terminal of your Linux distribution.
Navigate to the directory where you want to generate the RSA keys using the cd command. Alternatively, you can right-click on the folder in which you want to create the keys and select the "Open in terminal" option to open the terminal on that directory.
Type the command below and hit enter to generate the private key.
openssl genrsa -out privatekey.pem 2048
Once the above command is executed successfully, a file named "privatekey.pem" will be created on your present directory. The "2048" above specifies the private key size. You can modify it accordingly depending on your required size.
Proceed to export the public key from the key pair generated using the command below.
openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
Another file named "publickey.pem" will be created in the directory. Below is the screenshot of the two files created in my directory from the commands above.
On opening the files, the private key (privatekey.pem) looks as shown below:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAypJ4HB0kpxTvvEtOlT1jmtqTU2iY3m6VRx+xRJfP9UuGMT0q
BC8/D5a/MRgTeSyJtZbmn8Jvu5ZNefDcHOgtv0yZ+BqRdew5sXd7xdzFAN0dgaBd
vEAT9HXn+dKI9HGh7CMjH3JV1eNRwPLu5u3CbYiIrV3UM/2ogiZwsQsBHZcprbGl
pdRa6yy+AXdB61BEGvdBQDvT0ND0q36sQkpG9qQokDxk77HyFx6b3YS8O+LXeb+A
ka71sF/voTEhbMiUIF6jaWosoWYse4B0hZ2P0i+3CPtScgCA3n9XCcGXKj6g9wY/
tEywsCfnS03KRTpVhpIjZb/xMKEcMOVl2BFA1wIDAQABAoIBAQCSwKWPCHXjLUG4
UX4uk/iy2KJejKoiik5O5mDP5oNbm0kuJrdnrKqsqnL8KAsDgAaLrTSKjJvRdEPQ
kXOE5ZcuvVnV6blzip0JOhxK7XMy+v1DSWBe3rUWJszVqXZaUHAT2Ci7wWL5vuMd
O2Fjnt955q3Nmun+eEc5cou1VtmKCwvCIG857+FTzTdlmWcdDXTWIqbE7/OyuLcB
YGmqlXnKLGx9+devRDNMwg3vTNDAeDY6b5WJWVtZjIaHLzMtXr3Rjkposu1eF8yF
cGVW9AQpwecGsiMmCVOYwIKxGTe0xNOrw2LUnuAcD8unUTpI4y7MRM4tZexhG8+P
b4wSpyjhAoGBAPaMZZUdfVQ/8zQpqgxSYtbYHR3luYO2mDLEgTx7K3whuOFFIr3N
rfOMUxhRmCATYZHfLSDVbym7eFn2f5+9XXlB14z8R61wiCpHWtxKyl/Ai4yWcIqx
jGgWf0iCe0BDVZuPihM9cTRFDwK/P5BtsU8afH0ufggr4KuhNDxjHyRvAoGBANJW
fkcxwq+k5wYn5oEwutyK95LJRx3NcBSdWX5Xb4TVxRQDeLGOEkIm/jochafJg8qk
TMZJHXIycD/GNGZuXr16jJZtJix+fpmJ8yHj667QVVd9HWkOmifCfTJVTW5TJVKS
KYW5EoX3xja8fgZ0sUiCWEJghCr/+/PhpN7zEW4ZAoGAHh9DHffPYya5CQt6Gi1K
pCMdU5TImJ4LdFBr1b7arjzUgLlYqEXj1di0Ikl9w5V6mz7gHZ3WCgw8hQlHyHVz
YSg5NKFyBG+2QywansWIejBlHFUZBOjyVZlCDdLbShuv7uSXowgjt5YkYlqJYpT0
T8zVntm6TjdGKNH2NtaJbIMCgYA85jwTou2qa0VUe/L6TsCboETEJDDKCTQ9U72Y
nfo07Kvt+n9UcT0KGD4dVyq/hNH6tw1fj8XNzZrAbEO5sJUPqU7RMvMNiOZg0Bcs
JdCUQc+j0B7WzxqFDoOvMhGEMuCogpcxF3+seCvUp0iZ1+mIg+zH8yfxR0KMvzU8
NAZE6QKBgFuv6zSsGOCqm7pTdb4YWsd944ZtXWQ3YTFUWl+iRsUJ2le3FLXVZ06o
LPLQZyNHzhCr0FRxsmyAXaKZ0JTULYpq5ee63RJFnp5+gxJNNdvzxlw9e29uMz+/
o1sRB6tqj2ZunrOtf1W0khKJ1y7U0PAYa0ha9LwERWeoemJqggQ7
-----END RSA PRIVATE KEY-----
A public key (publickey.pem) looks as shown below:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypJ4HB0kpxTvvEtOlT1j
mtqTU2iY3m6VRx+xRJfP9UuGMT0qBC8/D5a/MRgTeSyJtZbmn8Jvu5ZNefDcHOgt
v0yZ+BqRdew5sXd7xdzFAN0dgaBdvEAT9HXn+dKI9HGh7CMjH3JV1eNRwPLu5u3C
bYiIrV3UM/2ogiZwsQsBHZcprbGlpdRa6yy+AXdB61BEGvdBQDvT0ND0q36sQkpG
9qQokDxk77HyFx6b3YS8O+LXeb+Aka71sF/voTEhbMiUIF6jaWosoWYse4B0hZ2P
0i+3CPtScgCA3n9XCcGXKj6g9wY/tEywsCfnS03KRTpVhpIjZb/xMKEcMOVl2BFA
1wIDAQAB
-----END PUBLIC KEY-----
How to generate private and public keys in Windows
As I mentioned earlier, you need to make sure the OpenSSL library is installed in your Windows PC (as it is not installed by default), or else it will fail to generate the RSA keys and give the error below.
Here is how to install OpenSSL in Windows.
Once you have installed it, open the command prompt.
Use the cd command to navigate to the directory in which you want to create the keys.
Once in the directory of your choice in cmd, use the following command to generate an RSA private key.
openssl genrsa -out privatekey.pem 2048
On successful execution of the above command, a file named "privatekey.pem" will be created on your present directory.
Export the public key from the key pair generated using the command below.
openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
On successful execution, a new file named "publickey.pem" will be created on your present directory. Now you will be having two files for the two keys as shown below.
The private key should be kept secret and should never be shared. On the other hand, the public key can be shared or embedded in application scripts.
I also highly recommend that you should back up the keys. If by any chance you lose these keys, just forget the encrypted data as well.