Decrypt and encrypted ssh private keys
Latest commit 36c5330 Jun 4, 2015 @isaacs Don't bother testing on 0.8
At least, not until it works.  The crypto.Cipher and crypto.Decipher
functionality is different, apparently. Throws a lot of typeerrors.
Failed to load latest commit information.
fixtures test Jun 2, 2013
.travis.yml Don't bother testing on 0.8 Jun 4, 2015
LICENSE isc license May 20, 2015 readme typo Jun 2, 2013
index.js minor cleanup Jun 2, 2013
package.json use tap for tests Jun 1, 2015
test.js use tap for tests Jun 1, 2015


Decrypt encrypted ssh private keys


var decrypt = require('ssh-key-decrypt');

// you have to actually know this already of course.
var passphrase = 'hoohah';

var fs = require('fs');
var path = require('path');

var keyfile = path.resolve(process.env.HOME, '.ssh', 'id_rsa');
var fileData = fs.readFileSync(keyfile, 'ascii');

var key = decrypt(fileData, passphrase);

// now key is the decoded data as a buffer
// You can also optionally pass in an output encoding

var b64Key = decrypt(fileData, passphrase, 'base64');

decrypt(data, passphrase, [outEnc='buffer'])

Data can be either a string or a buffer. It is the contents of the key file.

If the file is not encrypted, then the passphrase doesn't matter.

If the file is encrypted, then it'll decrypt it.

Either way, the data is returned in the output encoding specified.


This module is synchronous, as it performs no I/O. However, it can potentially be kind of slow, since it does a bunch of crypto and hashes, so do not call it often or in hot code paths.

Also, as this is crypto, and thus only either exactly right or extremely wrong, it throws if anything unexpected is encountered.

Supported Ciphers

  • des3, aka DES-EDE3-CBC
  • des, aka DES-CBC
  • aes128, aka AES-128-CBC
  • aes192, aka AES-192-CBC
  • aes256, aka AES-256-CBC

The cipher type is determined from the file. You do not have to specify this.