I don't know whether this applies to OpenBSD, because this blog post explained things using openssh-portable as an example.
Title is also slightly clickbait-ish.
Quote:
You can tell it’s encrypted because it says so right there. It also doesn’t start with MII – the base64 DER clue that an RSA key follows. And AES! That’s good, right? CBC with ostensibly a random IV, even! No MAC, but without something like a padding oracle to try modified ciphertexts on, so that might be OK?
It’s tricky to find out what this DEK-Info stuff means. Searching the openssh-portable repo for the string DEK-Info only shows sample keys. The punchline is that the AES key is just MD5(password || IV[:8]).
https://latacora.singles/2018/08/03/...t-openssh.html
I always used KeePass/KeePassX to generate unique passwords and manage passwords to private SSH key files.
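The key derivation described in the quote, as an added example that is not part of the post above or of the quoted blog: it reads the DEK-Info header and computes MD5(password || IV[:8]), which shows that the AES key costs a single hash call and that only the first 8 IV bytes act as salt. The function names, the sample password and the header blocks are constructed for illustration; the Proc-Type line is the standard PEM encryption header and is not taken from the quote.

```python
import hashlib

# Constructed header block of a legacy PEM-encrypted key (body omitted).
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEFFEDCBA9876543210

(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""

# Constructed unencrypted key: the body starts with the "MII" clue from the quote.
SAMPLE_UNENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
MIIE(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""


def parse_dek_info(pem_text):
    """Return (cipher, iv_bytes) from the DEK-Info header, or None if absent."""
    for line in pem_text.splitlines():
        if line.startswith("DEK-Info:"):
            cipher, iv_hex = line.split(":", 1)[1].strip().split(",", 1)
            return cipher.strip(), bytes.fromhex(iv_hex.strip())
    return None


def legacy_aes128_key(password, iv):
    """Key derivation as stated in the quote: MD5(password || IV[:8])."""
    return hashlib.md5(password + iv[:8]).digest()


def classify(pem_text):
    """Label a key file by its protection, judged from its headers only."""
    if parse_dek_info(pem_text) is not None:
        return "legacy-pem-encrypted"
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    if body and body[0].startswith("MII"):
        return "unencrypted-der"
    return "other"


if __name__ == "__main__":
    cipher, iv = parse_dek_info(SAMPLE_LEGACY)
    key = legacy_aes128_key(b"constructed-passphrase", iv)
    print(classify(SAMPLE_LEGACY), cipher, key.hex())
    print(classify(SAMPLE_UNENCRYPTED))
```

Running `classify` over the files in `~/.ssh` is a quick way to find keys that still use this derivation.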