🔏 RSA Key Inspector

Runs entirely in your browser - no data sent to server

Input

Output

Output appears here...

Complete Guide

📊 Key Data Points

PKCS#1 vs PKCS#8

-----BEGIN RSA PRIVATE KEY----- is PKCS#1. -----BEGIN PRIVATE KEY----- is PKCS#8 (algorithm-agnostic)

2048-bit minimum

2048-bit RSA is considered secure — use 3072 or 4096 for extra margin, or switch to ECDSA for equivalent security with smaller keys

Never paste private keys

Even though this tool is browser-based, the general security rule is to never paste production private keys into any online tool

RSA Key Info — PEM Key Decoder -- Complete USA Guide 2026

RSA key issues are a common source of authentication failures — wrong key format (PKCS#1 vs PKCS#8), insufficient key size, or using the wrong algorithm for the use case. Inspecting a PEM-encoded key gives you the algorithm, key size, and format information needed to diagnose these issues.

This tool parses PEM keys entirely in your browser — your private keys are never transmitted anywhere.

**Long-tail searches answered here:** rsa key info online free, rsa public key decoder browser tool, pem key info analyzer online free.

For key-adjacent tools, pair with JWT Decoder and Hash Generator.

🔬 How This Calculator Works

Parses PEM-encoded RSA public and private keys and shows: key type, bit length, modulus (n), public exponent (e), and for private keys — the PKCS#1 or PKCS#8 format. Identifies the key algorithm (RSA, EC/ECDSA, Ed25519) from the PEM headers. Validates the PEM structure without transmitting the key data — all parsing runs in the browser.

✅ What You Can Calculate

Key type detection

Identifies the key algorithm from PEM headers: RSA (-----BEGIN RSA PRIVATE KEY-----), ECDSA (-----BEGIN EC PRIVATE KEY-----), Ed25519 (-----BEGIN PRIVATE KEY-----).

Key size display

Shows the key bit length (2048, 3072, 4096 for RSA; 256, 384 for ECDSA) — the primary security parameter for asymmetric keys.

PKCS#1 vs PKCS#8 identification

Identifies whether a key is in PKCS#1 format (RSA-specific, -----BEGIN RSA...) or PKCS#8 format (algorithm-agnostic, -----BEGIN PRIVATE KEY-----).

PEM structure validation

Validates the base64 encoding and PEM header/footer structure without sending the key to any server.

🎯 Real Scenarios & Use Cases

Identifying key format for compatibility

Many tools require PKCS#8 while others require PKCS#1. Identify which format you have here before converting with openssl pkcs8.

Verifying key size before deployment

Verify that your SSL/TLS certificate key is the correct size (2048 or 4096 bits) before generating a CSR.

Debugging JWT signing issues

JWT libraries require keys in specific formats. Identify the format of your key here to select the correct library import method.

SSH key type verification

Verify the algorithm and bit size of your SSH keys before adding them to authorized_keys or a cloud provider.

💡 Pro Tips for Accurate Results

NEVER paste production private keys online. This tool processes keys entirely in your browser — but as a general rule, private keys should never be pasted into any online tool. Use for inspecting public keys and checking key format.

2048 vs 4096 bit. 2048-bit RSA is considered secure through 2030+. 4096-bit offers extra margin but is 4x slower. For new keys, use 3072-bit or switch to ECDSA (P-256 or Ed25519) for equivalent security at smaller key sizes.

PKCS#1 vs PKCS#8. -----BEGIN RSA PRIVATE KEY----- is PKCS#1. -----BEGIN PRIVATE KEY----- is PKCS#8. Many tools require PKCS#8 — convert with openssl pkcs8 -topk8.

EC keys are much smaller. A 256-bit ECDSA key (P-256) provides equivalent security to a 3072-bit RSA key. For new applications, prefer ECDSA or Ed25519 over RSA.

🔗 Use These Together

Hash Generator→Password Generator→JWT Decoder→Base64 Encoder→chmod Calculator→Env File Parser→String Inspector→URL Encoder→

🏁 Bottom Line

RSA key inspection tells you whether a key is the right size, format, and algorithm before you try to use it in an application. For key-adjacent tools: JWT Decoder for token signing info and Hash Generator for key fingerprints.

What information can I extract from an RSA public key?

An RSA public key contains two values: the modulus (n) — a large number that is the product of two secret primes; and the public exponent (e) — almost always 65537 (0x10001). The key size (1024, 2048, 4096 bits) is determined by the bit length of the modulus. This tool parses PEM-format keys (the -----BEGIN PUBLIC KEY----- block) and displays: key size in bits, public exponent, modulus in hex, and algorithm (RSA, RSA-PSS). You cannot derive the private key from a public key — that is the foundation of RSA security.

What RSA key size should I use in 2026?

NIST recommendation: 2048-bit minimum for general use, 3072-bit for data that must remain secure past 2030, 4096-bit for highest assurance. 1024-bit RSA is considered broken and must not be used — factoring attacks make it feasible to recover the private key. 2048-bit RSA provides approximately 112 bits of security (equivalent to AES-112). 4096-bit provides ~140 bits. For most applications: 2048-bit RSA or EC alternatives (ECDSA P-256, Ed25519) which provide equivalent security with much shorter keys and faster operations.

What is the difference between RSA-PKCS1 and RSA-PSS?

RSA-PKCS1 v1.5 is the older signature scheme — still widely used but has known vulnerabilities (Bleichenbacher's attack, padding oracle attacks). RSA-PSS (Probabilistic Signature Scheme) is the modern replacement recommended by NIST — it is probabilistic (signing the same message twice gives different signatures) and provably secure under standard cryptographic assumptions. For new systems: always use RSA-PSS over PKCS1 v1.5. TLS 1.3 requires RSA-PSS. For encryption, RSA-OAEP over RSA-PKCS1 v1.5 for the same reasons.

What is a PEM file and how do I read it?

PEM (Privacy Enhanced Mail) is a Base64-encoded format for cryptographic keys and certificates, wrapped in -----BEGIN TYPE----- and -----END TYPE----- headers. Common types: PRIVATE KEY (PKCS#8 unencrypted private key), RSA PRIVATE KEY (PKCS#1 format), PUBLIC KEY (PKCS#8 public key), CERTIFICATE (X.509 certificate), CERTIFICATE REQUEST (CSR). The content between the headers is Base64-encoded DER (Distinguished Encoding Rules) binary format. This tool parses the PEM, decodes the Base64, parses the DER structure, and displays the human-readable fields.

How do I generate an RSA key pair on the command line?

OpenSSL: openssl genrsa -out private.pem 2048 generates a 2048-bit private key. openssl rsa -in private.pem -pubout -out public.pem extracts the public key. For PKCS#8 format (recommended): openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem. In Node.js: const { generateKeyPairSync } = require('crypto'); generateKeyPairSync('rsa', { modulusLength: 2048 }). In Python: from cryptography.hazmat.primitives.asymmetric import rsa; rsa.generate_private_key(public_exponent=65537, key_size=2048).

Is it safe to paste private keys into this tool?

This tool runs entirely in your browser — no data is transmitted to any server. You can verify this by opening DevTools > Network while using the tool and observing zero outbound requests. That said, you should treat private key paste operations with caution regardless of the tool: ensure you are on the correct site URL, not a phishing imitation; consider using only the public key for inspection when private key details are not needed; and after inspection, ensure the private key is not left in browser history or clipboard longer than necessary.

What other security and encoding tools are on this site?

The Hash Generator produces SHA-256 and other cryptographic hashes. The Password Generator creates cryptographically secure random strings for use as secrets. The JWT Decoder inspects tokens that are often signed with RSA keys. The Base64 Encoder decodes PEM file content manually. All are in the Dev Tools section.