How to Remove Passphrase from an RSA Private Key for Automation, OCI, Oracle, and Linux Servers


Many Linux system administrators, Oracle DBAs, and OCI engineers face a common and frustrating issue where SSH connections, automation scripts, or Oracle E-Business Suite cloning processes repeatedly ask for a private key passphrase. This problem usually appears suddenly, even though the same setup may have worked perfectly in the past. When automation is involved, a single passphrase prompt can cause scripts to hang, cron jobs to fail, and large deployments to stop unexpectedly.

This article explains why this happens, how to safely remove the passphrase from an RSA private key, and how the behavior changes before and after the fix. The examples use dummy values so the steps can be followed safely in any environment.

Why Encrypted Private Keys Cause Automation Failures

An RSA private key protected by a passphrase is encrypted by design. This encryption is useful on personal machines, but it becomes a problem on servers where non-interactive access is required. When tools such as SSH, SCP, Oracle EBS Rapid Clone, WebLogic scripts, or OCI automation try to use the key, they pause and wait for user input. Since automation has no way to enter a passphrase, the process fails or times out.

An encrypted RSA private key can be identified by specific headers inside the file. A typical encrypted key looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AB12CD34EF56

(base64 encoded data)
-----END RSA PRIVATE KEY-----

The presence of the encryption headers confirms that the key will always ask for a passphrase.

What Happens Before Removing the Passphrase

Before fixing the issue, connecting to a server using the encrypted key always results in a prompt. This happens regardless of whether the connection is manual or automated.

ssh -i server_key.pem opc@203.0.113.10

The connection stops with a message asking for the passphrase. In automated jobs, this prompt is never answered, which causes Oracle EBS clone steps, CI/CD pipelines, and OCI provisioning scripts to fail silently or time out.

Safely Preparing to Modify the Private Key

Before making any change, it is critical to create a backup of the original private key. This ensures that the encrypted version can always be restored if needed.

cp server_key.pem server_key.pem.bak

Keeping a backup is a best practice and should never be skipped in production environments.

Removing the Passphrase from the RSA Private Key

The only correct and supported way to remove a passphrase from an RSA private key is by using OpenSSL. The following command decrypts the key and writes a new version without a passphrase.

openssl rsa -in server_key.pem -out server_key_nopass.pem

During execution, OpenSSL asks for the existing passphrase. This is expected and required. After the command completes successfully, the new file contains an unencrypted private key.

Securing the New Key File

Once the passphrase is removed, file permissions become even more important. SSH and Oracle tools require strict permissions on private keys. Set the correct permissions immediately after creating the new file.

chmod 600 server_key_nopass.pem

Incorrect permissions will cause SSH to reject the key even if the passphrase has been removed.

Verifying the Private Key Integrity

It is good practice to verify that the key is valid and readable. OpenSSL provides a simple check that confirms the key structure without prompting for a passphrase.

openssl rsa -check -in server_key_nopass.pem

If the command returns successfully, the key is valid and ready for use in automation.

How the Key Looks After the Fix

After removing the passphrase, the private key no longer contains encryption headers. The file begins and ends cleanly without any references to encryption methods.

-----BEGIN RSA PRIVATE KEY-----
(base64 encoded data)
-----END RSA PRIVATE KEY-----

This format allows tools to load the key instantly without waiting for user input.

Behavior After Removing the Passphrase

Once the unencrypted key is used, SSH connections proceed immediately without any prompts. Automation tools run smoothly, Oracle EBS Rapid Clone continues without interruption, and OCI provisioning scripts complete successfully.

ssh -i server_key_nopass.pem opc@203.0.113.10

The connection completes directly, confirming that the issue has been resolved.

Important Security Considerations

Removing a passphrase is acceptable and widely used on servers, cloud instances, and dedicated automation accounts. The key must be protected through file permissions and restricted access rather than passphrase encryption. This approach is standard in enterprise Linux, Oracle, and OCI environments.

Trying to manually edit the private key, embed the passphrase inside scripts, or weaken file permissions is unsafe and unsupported. OpenSSL is the only correct method to perform this task.







Please do like and subscribe to my youtube channel: https://www.youtube.com/@foalabs If you like this post please follow,share and comment