RSA Key Pair Generation Guide: Public-Key Encryption and Private-Key Signing
What Is an RSA Key Pair
RSA is an asymmetric encryption algorithm that uses a pair of keys:
| Key | Purpose | Distribution |
|---|---|---|
| Public Key | Encrypt / Verify signature | Can be shared openly |
| Private Key | Decrypt / Sign | Keep to yourself only |
Core principle: Data encrypted with the public key can only be decrypted with the private key; signatures made with the private key can be verified with the public key.
Key Length Selection
| Length | Security Level | Use Case |
|---|---|---|
| 1024-bit | ❌ Insecure | Legacy systems |
| 2048-bit | ✅ Baseline secure | Everyday use |
| 3072-bit | ✅ Higher security | Moderately sensitive data |
| 4096-bit | ✅ High security | Highly sensitive data / long-term keys |
Generating a 4096-bit key takes 4-8× longer than generating a 2048-bit key, and encryption/decryption with it is also slower. Choose based on your needs.
Generating a Key Pair: Step by Step
Step 1: Open the RSA Key Pair Tool
Visit the RSA Key Pair tool and select a key length (2048 or 4096 recommended).
Step 2: Generate the Key Pair
Click "Generate Key Pair". The tool automatically produces:
- Public key: PEM-formatted text starting with -----BEGIN PUBLIC KEY-----
- Private key: PEM-formatted text starting with -----BEGIN PRIVATE KEY-----
Step 3: Save the Keys
Public key → Send to anyone who needs to encrypt data for you
Private key → Store securely, never leak (don't commit to Git!)
PEM Format Explained
PEM is a text encoding: the key is Base64-encoded and wrapped in BEGIN/END header lines. Common formats:
-----BEGIN PUBLIC KEY----- ← PKCS#8 public key
MIIBIjANBgkqhkiG9w0BAQEFAAOC...
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY----- ← PKCS#1 private key
MIIEpAIBAAKCAQEA0d7...
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY----- ← PKCS#8 private key
MIIEvgIBADANBgkqhkiG9w0BAQEF...
-----END PRIVATE KEY-----
PKCS#8 is the universal format; PKCS#1 is RSA-specific. Most modern systems prefer PKCS#8.
Public-Key Encrypt + Private-Key Decrypt
Using the RSA Encrypt/Decrypt tool:
- Paste plaintext into the input box
- Select "Public Key Encrypt"
- Paste the recipient's public key
- Click encrypt to get the ciphertext
- The recipient decrypts with their private key to recover the original
Private-Key Sign + Public-Key Verify
Signing proves "this message really came from me":
- In the RSA Encrypt/Decrypt tool, select "Private Key Sign"
- Enter the message and your private key
- Generate the signature value
- Others verify the signature with your public key, confirming the message wasn't tampered with
RSA vs AES: When to Use Which
| Scenario | Recommendation | Reason |
|---|---|---|
| Large file encryption | AES | RSA is too slow for bulk data |
| Key exchange | RSA | Encrypt the AES key with the public key |
| Digital signatures | RSA | Asymmetric nature is a natural fit |
| JWT tokens | RSA | Server signs with private key, clients verify with public key |
In practice, they're often combined: RSA transmits the AES key, AES encrypts the actual data (hybrid encryption).
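The hybrid scheme described above, and the "Data too long" error from the Common Issues table, shown as an added example that is not the tool's own code. It uses the WebCrypto API in JavaScript; the RSA-OAEP/SHA-256 padding, AES-256-GCM, and all function names are choices assumed here, since the page does not say which padding or mode the tool uses.

```javascript
// Added example: hybrid encryption with WebCrypto (browser or Node.js).
// Assumed choices, not from the page: RSA-OAEP/SHA-256 padding and AES-256-GCM.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback: older Node.js
const RSA = { name: 'RSA-OAEP', modulusLength: 2048,
  publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };

// Recipient: generate the pair once; the private key is marked non-extractable.
function generateRecipientKeys() {
  return wc.subtle.generateKey(RSA, false, ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey']);
}

// Sender: fresh AES key per message, wrapped under the recipient's public key.
async function hybridEncrypt(publicKey, plaintext) {
  const aesKey = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit nonce, never reused per key
  const ciphertext = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, aesKey, plaintext);
  const wrappedKey = await wc.subtle.wrapKey('raw', aesKey, publicKey, { name: 'RSA-OAEP' });
  return { wrappedKey, iv, ciphertext };
}

// Recipient: unwrap the AES key with the private key, then decrypt and authenticate.
async function hybridDecrypt(privateKey, { wrappedKey, iv, ciphertext }) {
  const aesKey = await wc.subtle.unwrapKey('raw', wrappedKey, privateKey,
    { name: 'RSA-OAEP' }, { name: 'AES-GCM' }, false, ['decrypt']);
  return wc.subtle.decrypt({ name: 'AES-GCM', iv }, aesKey, ciphertext);
}

async function demo() {
  const { publicKey, privateKey } = await generateRecipientKeys();
  // Constructed sample input: 1080 bytes, well over the 190-byte RSA-OAEP limit
  // for a 2048-bit key with SHA-256 (256 - 2*32 - 2).
  const message = new TextEncoder().encode('constructed sample record; '.repeat(40));
  const directRsaFails = await wc.subtle.encrypt({ name: 'RSA-OAEP' }, publicKey, message)
    .then(() => false, () => true);
  const sealed = await hybridEncrypt(publicKey, message);
  const recovered = new TextDecoder().decode(await hybridDecrypt(privateKey, sealed));
  new Uint8Array(sealed.ciphertext)[0] ^= 1; // tamper with one bit in transit
  const tamperRejected = await hybridDecrypt(privateKey, sealed).then(() => false, () => true);
  return { directRsaFails, wrappedKeyBytes: sealed.wrappedKey.byteLength, recovered, tamperRejected };
}

demo().then((r) => console.log(r));
```

The wrapped AES key is always 256 bytes for a 2048-bit RSA key, regardless of message size, and the GCM tag makes the recipient reject a modified ciphertext instead of returning corrupted plaintext.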
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Decrypt failed | Key mismatch | Confirm the public and private keys are from the same pair |
| Data too long error | RSA has a length limit | Use AES instead or encrypt in segments |
| Format parse error | PEM headers missing | Check you copied the full key |
| Slow generation | 4096-bit key | Normal; try 2048-bit first |
Summary
RSA key pairs are the foundation of asymmetric encryption. Mastering public-key encryption and private-key signing, and understanding key length security implications, is essential for secure development. The RSA Key Pair tool and RSA Encrypt/Decrypt tool let you complete the entire workflow right in your browser.