Generate a Key Pair

Last modified on September 16, 2024

Run the following commands at a Linux or macOS command line to generate a key pair consisting of a private key and a public key.

openssl genrsa -out private.key 4096

This command generates a 4096-bit RSA private key and writes it to the location given by -out. Because only a file name was given, not a path, the key is written to private.key in the current directory. Next you need to extract the public key, which is shared with StrongDM to encrypt logs and other data.

openssl rsa -pubout -in private.key -out public.pem

If you look at public.pem you see text similar to the following:

-----BEGIN PUBLIC KEY-----
[Base64-encoded key data]
-----END PUBLIC KEY-----

This data is what you copy and paste into the StrongDM Admin UI when you turn on encryption at the StrongDM gateway and/or relay level and choose to use your own public key. Remember to copy and paste the entire contents of the key into the text box, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

Store your private key (private.key by default) in a safe place. If you lose this key you cannot decrypt your logs, queries, and sessions.
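The script below is an added example, not part of StrongDM's documentation: it runs the two commands above under a restrictive umask, then confirms before you paste anything into the Admin UI that public.pem is complete and actually pairs with the private.key you are storing. The function names and the optional directory and key-size arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the key pair as on this page, then verify it.
# Function names and arguments are this example's own, not StrongDM's.

# gen_keypair DIR [BITS]: runs the page's two openssl commands in DIR under
# umask 077, so private.key is created readable by its owner only.
gen_keypair() {
    dir=$1; bits=${2:-4096}
    (
        umask 077
        cd "$dir" || exit 1
        openssl genrsa -out private.key "$bits" 2>/dev/null &&
        openssl rsa -pubout -in private.key -out public.pem 2>/dev/null
    )
}

# keys_match PRIVATE PUBLIC: succeeds only if both files carry the same RSA
# modulus, i.e. this private key decrypts data encrypted to this public key.
# Returns 2 if either file cannot be parsed.
keys_match() {
    priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# pem_complete PUBLIC: succeeds if the file still has both marker lines and
# parses as a public key, catching a copy that lost its first or last line.
pem_complete() {
    [ "$(head -n 1 "$1")" = "-----BEGIN PUBLIC KEY-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END PUBLIC KEY-----" ] &&
    openssl rsa -pubin -in "$1" -noout -modulus >/dev/null 2>&1
}
```

After sourcing the file, `gen_keypair . && keys_match private.key public.pem && pem_complete public.pem` exits 0 only when the pair is safe to upload; rerun keys_match against your stored copy of private.key to confirm the backup is the right key.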
