How to Remove Passphrase from an RSA Private Key for SSH Automation (Linux, OCI & Oracle EBS)
Many Linux administrators, Oracle DBAs, and OCI engineers face a common issue where SSH connections or automation scripts repeatedly ask for a private key passphrase. This causes cron jobs to hang, Oracle EBS cloning to fail, and cloud provisioning scripts to stop unexpectedly.
This guide explains the correct and secure way to remove a passphrase from an RSA private key for non-interactive SSH authentication.
Quick Answer: Remove Passphrase from RSA Private Key
Run the following commands:
openssl rsa -in server_key.pem -out server_key_nopass.pem
chmod 600 server_key_nopass.pem
This creates a new private key without encryption so SSH automation works without prompts.
Why Encrypted Private Keys Break Automation
An encrypted RSA private key requires manual passphrase entry. While secure for personal systems, it causes failures in:
- SSH automation scripts
- Cron jobs
- Oracle EBS Rapid Clone
- WebLogic deployment automation
- OCI provisioning scripts
- CI/CD pipelines
How to Check if Your Key is Encrypted
cat server_key.pem
If you see:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,XXXX
The key is encrypted and will prompt for a passphrase.
Before Removing Passphrase (Failure Scenario)
ssh -i server_key.pem opc@203.0.113.10
Result:
Enter passphrase for key 'server_key.pem':
In automation environments, this causes:
- Script timeouts
- Deployment failures
- Clone interruptions
- Backup job hangs
Step 1: Backup the Original Key
cp server_key.pem server_key.pem.bak
Always keep a backup in production environments.
Step 2: Remove Passphrase Using OpenSSL
openssl rsa -in server_key.pem -out server_key_nopass.pem
You will be prompted for the existing passphrase once. The new file will not contain encryption headers.
Step 3: Secure the New Key
chmod 600 server_key_nopass.pem
Incorrect permissions will cause SSH to reject the key.
Verify the RSA Key Integrity
openssl rsa -check -noout -in server_key_nopass.pem
Expected output:
RSA key ok
After Removing Passphrase (Success Scenario)
ssh -i server_key_nopass.pem opc@203.0.113.10
Now:
- No passphrase prompt
- Immediate SSH login
- Automation works successfully
- Oracle EBS clone continues smoothly
Troubleshooting Common SSH Key Errors
Permission Denied (publickey)
chmod 600 server_key_nopass.pem
chmod 700 ~/.ssh
Verify authorized keys:
cat ~/.ssh/authorized_keys
Still Asking for Passphrase?
Ensure you are using the correct key file:
ssh -i server_key_nopass.pem user@server
Bad Permissions Warning
If SSH shows:
Permissions 0644 are too open.
Fix:
chmod 600 private_key.pem
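The header check from "How to Check if Your Key is Encrypted" and the permission checks above can be combined into one pre-flight test that an automation job runs before it calls ssh. This is an added example, not part of the original guide; the function names and the sample file are constructed, and it also recognises the PKCS#8 and OpenSSH key headers, which the guide does not cover.

```shell
#!/bin/sh
# Added example: pre-flight check for a key used by unattended SSH jobs.
# Function names (key_state, perms_ok, preflight) are hypothetical.

# key_state FILE -> encrypted | plaintext | openssh | not-a-key | unreadable
key_state() {
    [ -r "$1" ] || { echo unreadable; return; }
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM header, as shown in this guide
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 container
    elif grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo openssh        # cipher is inside the base64 body, not the header
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo not-a-key
    fi
}

# perms_ok FILE -> exit 0 when group and other have no access at all
perms_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# preflight FILE -> exit 0 only if a cron job could use the key unattended
preflight() {
    state=$(key_state "$1")
    if [ "$state" != plaintext ]; then
        echo "$1: state=$state, will prompt or fail" >&2; return 1
    fi
    perms_ok "$1" || { echo "$1: group/other can access it" >&2; return 1; }
    echo "$1: ok"
}

# Constructed sample with a placeholder body (not a real key).
sample=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,XXXX' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$sample"
preflight "$sample" || true     # reports state=encrypted on stderr
rm -f "$sample"
```

A result of `openssh` means the header alone cannot tell whether the key is encrypted; `ssh-keygen -y -P '' -f FILE` succeeds only when such a key has no passphrase.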
Enterprise Security Best Practices
- Use dedicated automation service accounts
- Restrict private key permissions strictly
- Store keys in protected directories
- Do not embed passphrases in scripts
- Monitor SSH access logs regularly
Removing passphrase encryption is standard practice in enterprise Linux, Oracle E-Business Suite, and OCI automation environments when proper access control is maintained.
Conclusion
If SSH automation fails due to passphrase prompts, removing encryption using OpenSSL is the correct and secure solution.