PKCS#8 Private Key Encryption Demo

genkeys.sh

#!/bin/bash

# Generates 2048 and 4096 bit SSH private keys, then encrypts them in the following
# variations:
#
# Ciphers:
#   * aes-192-cbc
#   * aes-256-cbc
#
# PBKDF2 Iterations:
#   * 100,000
#   * 250,000
#   * 500,000
#   * 1,000,000
#
# This will allow you to quickly see how long keys take to decrypt given different
# key sizes (2048, 4096), different encryption algorithms (AES-192-CBC, AES-256-CBC),
# and most importantly, different amounts of PBKDF2 iterations.
#
# You'll need a build of OpenSSL which contains the custom iteration patch for the 
# pkcs8 tool. See: https://j.mp/U9EBWO


set -e 

OPENSSL="./openssl"
RAW_2048="raw-2048.pem"
RAW_4096="raw-4096.pem"

echo "Generating 2048 bit RSA key to $RAW_2048..."
$OPENSSL genrsa -rand /dev/urandom -out "$RAW_2048" 2048 && chmod 0600 "$RAW_2048" \
    && ssh-keygen -y -f "$RAW_2048" > "${RAW_2048%pem}pub.pem"

echo "Generating 4096 bit RSA key to $RAW_4096..."
$OPENSSL genrsa -rand /dev/urandom -out "$RAW_4096" 4096 && chmod 0600 "$RAW_4096" \
    && ssh-keygen -y -f "$RAW_4096" > "${RAW_4096%pem}pub.pem"

for keybits in 2048 4096 ; do
    for cipher in aes-192-cbc aes-256-cbc ; do 
        for iter in 100000 250000 500000 1000000 ; do
            out="pkcs8-${keybits}bits-$cipher-$iter-iter.pem"

            echo "Generating PKCS#8 container in $cipher mode with $iter PBKDF iterations to $out..."
            
            # select our key input file
            if [ "$keybits" == "2048" ]; then source_key="$RAW_2048" ; else source_key="$RAW_4096" ; fi
            
            # generate the thing!
            $OPENSSL pkcs8 -passout pass:password -in "$source_key" -out "$out" -topk8 -v2 "$cipher" -iter "$iter"
        done
    done
done