Hi All, Reading code teaches a lot. I discovered the -Z option of ssh-keygen, which has existed since 2013. Here is a patch to document this option in the ssh-keygen.1 man page. It also documents the -a option in the places where it is useful. Tell me if this is helpful or not. --- ?ssh-keygen.1 | 22 +++++++++++++++++++++- ?1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 059c1b0341e8..018b2f205012 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -47,17 +47,21 @@ ?.Op Fl b Ar bits ?.Op Fl C Ar comment ?.Op Fl f Ar output_keyfile -.Op Fl m Ar format +.Op Fl m Ar key_format ?.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa ?.Op Fl N Ar new_passphrase ?.Op Fl O Ar option ?.Op Fl w Ar provider +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name ?.Nm ssh-keygen ?.Fl p ?.Op Fl f Ar keyfile ?.Op Fl m Ar format ?.Op Fl N Ar new_passphrase ?.Op Fl P Ar old_passphrase +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name ?.Nm ssh-keygen ?.Fl i ?.Op Fl f Ar input_keyfile @@ -74,6 +78,8 @@ ?.Op Fl C Ar comment ?.Op Fl f Ar keyfile ?.Op Fl P Ar passphrase +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name ?.Nm ssh-keygen ?.Fl l ?.Op Fl v @@ -735,6 +741,20 @@ The default serial number is zero. ?When generating a KRL, the ?.Fl z ?flag is used to specify a KRL version number. +.It Fl Z Ar cipher_name +When saving a private key, this option specfies the cipher to use to encrypt +the private key part of the file. +See the +.Cm Ciphers +keyword in +.Xr ssh_config 5 +for more information. +.Pp +The list of available ciphers may also be obtained using +.Qq ssh -Q cipher . +.Pp +The default value is +.Qq aes256-ctr . ?.El ?.Sh MODULI GENERATION ?.Nm -- 2.17.1
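Review bot: In the first hunk (@@ -47,17 +47,21 @@) the argument of -m is renamed to `key_format` in the key-generation synopsis only, while the `-p` form a few lines further down in the same hunk still reads `.Op Fl m Ar format`, so the page would name the same argument two ways. The rename is also not mentioned in the cover text, which only talks about -Z and -a. Either drop the rename from this patch or apply it consistently to every synopsis form and to the place where -m is described, ideally as a separate change.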
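Review bot: In the second hunk (@@ -74,6 +78,8 @@) `-a rounds` and `-Z cipher_name` are added to a synopsis form that takes only `-C comment`, `-f keyfile` and `-P passphrase`, with no new passphrase, yet the -Z description added later says only "When saving a private key" and does not say which modes rewrite the key file. A reader cannot tell from the page that this mode re-encrypts the private key and therefore honours the cipher and KDF rounds. Suggest stating in the `.It Fl Z` text which operations accept the option (key generation, `-p`, and this form), so the three synopsis additions are backed by the description.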
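Review bot: In the last hunk (@@ -735,6 +741,20 @@) the new `.It Fl Z Ar cipher_name` text has a typo, "specfies" should be "specifies". The entry also points readers at the `Ciphers` keyword in ssh_config(5) and at `ssh -Q cipher` for the list of values; please confirm that every name printed there is actually accepted for private-key encryption, and if not, say which subset is valid, since a user following the man page would otherwise hit an error at key-save time. The hard-coded default in `.Qq aes256-ctr .` will need to be kept in sync with the code, so a short note on where that default comes from would help future maintainers.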