The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys. Here's an example: klar (11:39) ssh-keygen Generating public/private rsa key pair. Usage Guide - RSA Encryption and Decryption Online. In the first section of this tool, you can generate public or private keys. To do so, select the RSA key size among 515.
While Encrypting a File with a Password from the Command Line using OpenSSLis very useful in its own right, the real power of the OpenSSL library is itsability to support the use of public key cryptograph for encrypting orvalidating data in an unattended manner (where the password is not required toencrypt) is done with public keys.
The Commands to Run
Generate a 2048 bit RSA Key
You can generate a public and private RSA key pair like this:
openssl genrsa -des3 -out private.pem 2048
That generates a 2048-bit RSA key pair, encrypts them with a password you provideand writes them to a file. You need to next extract the public key file. You willuse this, for instance, on your web server to encrypt content so that it canonly be read with the private key.
Export the RSA Public Key to a File
This is a command that is
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
The -pubout flag is really important. Be sure to include it.
Next open the public.pem and ensure that it starts with-----BEGIN PUBLIC KEY-----. This is how you know that this file is thepublic key of the pair and not a private key.
To check the file from the command line you can use the less command, like this:
less public.pem
Do Not Run This, it Exports the Private Key
A previous version of the post gave this example in error.
openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM
The error is that the -pubout was dropped from the end of the command.That changes the meaning of the command from that of exporting the public keyto exporting the private key outside of its encrypted wrapper. Inspecting theoutput file, in this case private_unencrypted.pem clearly shows that the keyis a RSA private key as it starts with -----BEGIN RSA PRIVATE KEY-----.
Visually Inspect Your Key Files
It is important to visually inspect you private and public key files to makesure that they are what you expect. OpenSSL will clearly explain the nature ofthe key block with a -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PUBLIC KEY-----.
You can use less to inspect each of your two files in turn:
less private.pemto verify that it starts with a-----BEGIN RSA PRIVATE KEY-----less public.pemto verify that it starts with a-----BEGIN PUBLIC KEY-----
The next section shows a full example of what each key file should look like.
The Generated Key Files
The generated files are base64-encoded encryption keys in plain text format.If you select a password for your private key, its file will be encrypted withyour password. Be sure to remember this password or the key pair becomes useless.
The private.pem file looks something like this:
The public key, public.pem, file looks like:
Protecting Your Keys
Depending on the nature of the information you will protect, it’s important tokeep the private key backed up and secret. The public key can be distributedanywhere or embedded in your web application scripts, such as in your PHP,Ruby, or other scripts. Again, backup your keys!
Remember, if the key goes away the data encrypted to it is gone. Keeping aprinted copy of the key material in a sealed envelope in a bank safety depositbox is a good way to protect important keys against loss due to fire or harddrive failure.
Oh, and one last thing.
If you, dear reader, were planning any funny business with the private key that I have just published here. Know that they were made especially for this series of blog posts. I do not use them for anything else.
Found an issue?
Rietta plans, develops, and maintains applications.
Learn more about our services or drop us your email and we'll e-mail you back.
Other Blog Articles Published by Rietta.com
-->
The CryptGenKey function generates a random cryptographic session key or a public/private key pair. A handle to the key or key pair is returned in phKey. This handle can then be used as needed with any CryptoAPI function that requires a key handle.
The calling application must specify the algorithm when calling this function. Because this algorithm type is kept bundled with the key, the application does not need to specify the algorithm later when the actual cryptographic operations are performed.
Syntax
Parameters
hProv
A handle to a cryptographic service provider (CSP) created by a call toCryptAcquireContext.
Algid
AnALG_ID value that identifies the algorithm for which the key is to be generated. Values for this parameter vary depending on the CSP used.
For ALG_ID values to use with the Microsoft Base Cryptographic Provider, seeBase Provider Algorithms.
For ALG_ID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, seeEnhanced Provider Algorithms.
For a Diffie-Hellman CSP, use one of the following values.
| Value | Meaning |
|---|---|
|
Specifies an 'Ephemeral' Diffie-Hellman key. |
|
Specifies a 'Store and Forward' Diffie-Hellman key. |
In addition to generating session keys for symmetric algorithms, this function can also generate public/private key pairs. Each CryptoAPI client generally possesses two public/private key pairs. To generate one of these key pairs, set the Algid parameter to one of the following values.
| Value | Meaning |
|---|---|
|
Key exchange |
|
Digital signature |
dwFlags
Specifies the type of key generated. The sizes of a session key, RSA signature key, and RSA key exchange keys can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 2,048-bit RSA signature key is to be generated, the value 0x08000000 is combined with any other dwFlags predefined value with a bitwise-OR operation. The upper 16 bits of 0x08000000 is 0x0800, or decimal 2,048. The RSA1024BIT_KEY value can be used to specify a 1024-bit RSA key.
Due to changing export control restrictions, the default CSP and default key length may change between operating system versions. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dwFlags parameter to ensure interoperability on different operating system platforms.
In particular, the default RSA Full Cryptographic Service Provider is the Microsoft RSA Strong Cryptographic Provider. The default DSS Signature Diffie-Hellman Cryptographic Service Provider is the Microsoft Enhanced DSS Diffie-Hellman Cryptographic Provider. Each of these CSPs has a default 128-bit symmetric key length for RC2 and RC4 and a 1,024-bit default key length for public key algorithms.
If the upper 16 bits is zero, the default key size is generated. If a key larger than the maximum or smaller than the minimum is specified, the call fails with the ERROR_INVALID_PARAMETER code.
The following table lists minimum, default, and maximum signature and exchange key lengths beginning with Windows XP.
| Key type and provider | Minimum length | Default length | Maximum length |
|---|---|---|---|
| RSA Base Provider
Signature and ExchangeKeys |
384 | 512 | 16,384 |
| RSA Strong and Enhanced Providers
Signature and Exchange Keys |
384 | 1,024 | 16,384 |
| DSS Base Providers
Signature Keys |
512 | 1,024 | 1,024 |
| DSS Base Providers
Exchange Keys |
Not applicable | Not applicable | Not applicable |
| DSS/DH Base Providers
Signature Keys |
512 | 1,024 | 1,024 |
| DSS/DH Base Providers
Exchange Keys |
512 | 512 | 1,024 |
| DSS/DH Enhanced Providers
Signature Keys |
512 | 1,024 | 1,024 |
| DSS/DH Enhanced Providers
Exchange Keys |
512 | 1,024 | 4,096 |
For session key lengths, see CryptDeriveKey.
For more information about keys generated using Microsoft providers, seeMicrosoft Cryptographic Service Providers.
The lower 16-bits of this parameter can be zero or a combination of one or more of the following values.
| Value | Meaning |
|---|---|
|
If this flag is set, the key can be exported until its handle is closed by a call to CryptDestroyKey. This allows newly generated keys to be exported upon creation for archiving or key recovery. After the handle is closed, the key is no longer exportable. |
|
This flag is not used. |
|
If this flag is set, then the key is assigned a random salt value automatically. You can retrieve this salt value by using the CryptGetKeyParam function with the dwParam parameter set to KP_SALT.
If this flag is not set, then the key is given a salt value of zero. When keys with nonzero salt values are exported (throughCryptExportKey), then the salt value must also be obtained and kept with the key BLOB. |
|
This flag is not used. |
|
If this flag is set, then the key can be transferred out of the CSP into a key BLOB by using the CryptExportKey function. Because session keys generally must be exportable, this flag should usually be set when they are created.
If this flag is not set, then the key is not exportable. For a session key, this means that the key is available only within the current session and only the application that created it will be able to use it. For a public/private key pair, this means that the private key cannot be transported or backed up. This flag applies only to session key and private key BLOBs. It does not apply to public keys, which are always exportable. |
|
This flag specifies strong key protection. When this flag is set, the user is prompted to enter a password for the key when the key is created. The user will be prompted to enter the password whenever this key is used.
This flag is only used by the CSPs that are provided by Microsoft. Third party CSPs will define their own behavior for strong key protection. Specifying this flag causes the same result as calling this function with the CRYPT_USER_PROTECTED flag when strong key protection is specified in the system registry. If this flag is specified and the provider handle in the hProv parameter was created by using the CRYPT_VERIFYCONTEXT or CRYPT_SILENT flag, this function will set the last error to NTE_SILENT_CONTEXT and return zero. Windows Server 2003 and Windows XP: This flag is not supported. |
|
This flag is not used. |
|
This flag is not used. |
|
This flag specifies that a no salt value gets allocated for a forty-bit symmetric key. For more information, see Salt Value Functionality. |
|
This flag is not used. |
|
This flag specifies an initial Diffie-Hellman or DSS key generation. This flag is useful only with Diffie-Hellman and DSS CSPs. When used, a default key length will be used unless a key length is specified in the upper 16 bits of the dwFlags parameter. If parameters that involve key lengths are set on a PREGEN Diffie-Hellman or DSS key using CryptSetKeyParam, the key lengths must be compatible with the key length set here. |
|
This flag is not used. |
|
This flag is not used. |
|
This flag is not used. |
|
If this flag is set, the user is notified through a dialog box or another method when certain actions are attempting to use this key. The precise behavior is specified by the CSP being used. If the provider context was opened with the CRYPT_SILENT flag set, using this flag causes a failure and the last error is set to NTE_SILENT_CONTEXT. |
|
This flag is not used. |
phKey
Address to which the function copies the handle of the newly generated key. When you have finished using the key, delete the handle to the key by calling the CryptDestroyKey function.
Return value
Returns nonzero if successful or zero otherwise.
For extended error information, callGetLastError.
The error codes prefaced by 'NTE' are generated by the particular CSP being used. Some possible error codes are listed in the following table.
| Return code | Description |
|---|---|
|
One of the parameters specifies a handle that is not valid. |
|
One of the parameters contains a value that is not valid. This is most often a pointer that is not valid. |
|
The Algid parameter specifies an algorithm that this CSP does not support. |
|
The dwFlags parameter contains a value that is not valid. |
|
The hProv parameter does not contain a valid context handle. |
|
The function failed in some unexpected way. |
|
The provider could not perform the action because the context was acquired as silent. |
Remarks
If keys are generated for symmetricblock ciphers, the key, by default, is set up in cipher block chaining (CBC) mode with an initialization vector of zero. This cipher mode provides a good default method for bulk encrypting data. To change these parameters, use theCryptSetKeyParam function.
Jul 10, 2019 1. Select Broadcast Settings from the settings menu. Select Twitch as your Streaming Service and click Optimize on the bottom-left of the menu. Twitch is the world`s leading video platform and community for gamers. Where is twitch key generator obs. Aug 12, 2014 #2. Go to your twitch dashboard and find your stream key, when you click the tab it should have something like 'live' followed by a bunch of numbers and stuff. Copy that and then, in your stream settings on OBS, paste the stream key in the stream key section. Mar 27, 2020 You’ll get a warning message that you should never show your key to anyone and not even the twitch admins. Next, indicate that accept the warning- then highlight your streaming key. Now, you’ll want to add this key to OBS. Click File, settings Stream and then you’re going to select your service, which is going to be “Twitch”. Dec 12, 2017 When you use a program like Xsplit, OBS or any other streaming software you need to have your Twitch Stream Key in order to broadcast to your own channel. To find your Twitch Stream Key go to www.twitch.tv and find the Dashboard by clicking on your username.
To choose an appropriate key length, the following methods are recommended:
- Enumerate the algorithms that the CSP supports and get maximum and minimum key lengths for each algorithm. To do this, call CryptGetProvParam with PP_ENUMALGS_EX.
- Use the minimum and maximum lengths to choose an appropriate key length. It is not always advisable to choose the maximum length because this can lead to performance issues.
- After the desired key length has been chosen, use the upper 16 bits of the dwFlags parameter to specify the key length.
Examples
Generate 128 Bit Rsa Key Fob
The following example shows the creation of a random session key. For an example that includes the complete context for this example, see Example C Program: Encrypting a File. For another example that uses this function, see Example C Program: Decrypting a File.
Requirements
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Target Platform | Windows |
| Header | wincrypt.h |
| Library | Advapi32.lib |
| DLL | Advapi32.dll |
128 Bit Rsa Key Generator
See also