I have an encrypted key created like this:
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out out.key
This generates a key like so:
-----BEGIN EC PRIVATE KEY-----\
Proc-Type: 4,ENCRYPTED\
DEK-Info: AES-128-CBC,88BFB9196A5A03B0206AA624EC55411F
4g025eMCoyW9ye/byEtTxMQxFO5ezl/LhCgjdGtIt2NdsE15kO1H9CONk5xskgMN
B6PK7ZpzwP9JcQZ+0p/sfNkd9zia70tP/c9jIjui9NbhM0WI7m75MJRVNPDv8Zzy
W2yLGWPFtQMF8cR3rW4iN/ycpI+QLtRo4/dbzhHqJ/E=\
-----END EC PRIVATE KEY-----
However, I am not able to decrypt it. Using the following command:
openssl enc -d -aes-128-cbc -pass file:passphrase.txt -in out.key -out decrypted.key
results in a bad magic number.
What am I doing wrong?
You are using the wrong command to decrypt the key. The "openssl enc" command is used to encrypt and decrypt arbitrary ciphertext.
To convert an encrypted ec key into a non-encrypted ec key you can instead do:
openssl ec -passin file:passphrase.txt -in encrypted.key -out decrypted.key
OR
openssl ec -passin pass:mypassword -in encrypted.key -out decrypted.key