FIPS mode can't decrypt existing passphrase-protected ssh keys

Solution Verified - Updated -


  • It seems encrypted ssh private keys can't be decrypted on FIPS systems. Why? What to do about it?

  • We generated a passphrase-protected ssh keypair with ssh-keygen and used it successfully.
    After we enabled FIPS mode (e.g., by following instructions for RHEL6), our ssh key no longer accepts our passphrase:

    [root]# ssh
    FIPS mode initialized
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':'s password:

  • SSH keys stop working after FIPS mode is enabled on the server.

  • How to create ssh keys on a non-FIPS-compliant system so that the ssh keys are compliant after the system is upgraded to FIPS-compliant mode.


  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
