PKCS8 is the eighth of the Public-Key Cryptography Standards (PKCS) and is a syntax for storing private key material. The private keys may be encrypted with a symmetric key algorithm.

The header and footer of the PKCS8 syntax are the following:

```
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
```

…and if the PKCS #8 formatted private key is encrypted, the header and footer are the following:

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
```

The file itself is PEM formatted.

## PKCS8 vs PKCS1 (PKCS1 vs PKCS8)

PKCS #8 is a private key syntax for all algorithms, not just RSA, whereas PKCS1 is primarily for the RSA algorithm. PKCS #8 also uses an ASN.1 structure that identifies the algorithm of the key it holds. Over time, while PKCS1 remains valid, PKCS #8 has become the standard syntax for storing private key information. Some applications load private key information from a private key entry in a PKCS12 formatted keystore, which is also common, but many languages expect a single key file rather than a keystore, which makes PKCS #8 a suitable syntax.

## PKCS8 vs PKCS12

These are two different specifications: PKCS12 is meant to bundle a key pair with a certificate, not to store a single PKCS #8 private key. A PKCS12 formatted keystore is password protected, and a stand-alone PKCS #8 private key should be too whenever possible. The same goes for a PKCS #1 private key. Both private key formats should be encrypted with a symmetric key at rest.

## openssl pkcs8

The **openssl pkcs8** command processes private keys in PKCS #8 format for the various asymmetric algorithms. It can handle both encrypted and plain text private keys. Note that the file extension is not special and is routinely just .pem.

To generate a private key with openssl, use the `openssl genpkey` command.

To convert a private key to PKCS #8, run the following command:

```
openssl pkcs8 -in key.pem -topk8 -out pk8key.pem
```

Here `-in key.pem` is the private key to be converted to PKCS #8, `-topk8` means to convert to PKCS #8, and `-out pk8key.pem` will be the PKCS #8 formatted key.

By default the command prompts for a passphrase and writes an encrypted PKCS #8 key. To convert to PKCS #8 in a plain text state instead, add the `-nocrypt` option to the command:

```
openssl pkcs8 -in key.pem -topk8 -nocrypt -out pk8key.pem
```

To convert PKCS #8 to PKCS1, run the following command:

```
openssl pkcs8 -in pk8key.pem -traditional -nocrypt -out key.pem
```

Here `-in pk8key.pem` is the PKCS #8 formatted private key, `-traditional` means to convert to the traditional PKCS1 format, `-nocrypt` means the key is not encrypted, and `-out key.pem` is the file holding the PKCS1 traditional private key.
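As an added example (not part of the article or of OpenSSL), a small stdlib-only Python inspector for the files these commands produce: it classifies a PEM key by the header shown above, flags an unencrypted key at rest, and for a plain PKCS #8 key decodes the ASN.1 `PrivateKeyInfo` far enough to read the version and the algorithm OID. The sample key bytes are a constructed Ed25519 placeholder, not a real key.

```python
import base64
import re

# Constructed sample: PKCS #8 PrivateKeyInfo for Ed25519 (RFC 8410 layout) with
# an all-0x11 placeholder key, built here only to exercise the parser.
ED25519_PKCS8_DER = bytes.fromhex("302e020100300506032b657004220420" + "11" * 32)

def to_pem(label: str, der: bytes) -> str:
    """Wrap DER in the PEM header/footer the article shows, 64 chars per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def read_tlv(data: bytes, pos: int):
    """Decode one DER tag/length/value; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Turn OID contents into dotted form (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_private_key(pem: str) -> dict:
    """Classify a PEM key by header; for plain PKCS #8 also read version and algorithm OID."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM private key block found")
    label = m.group(1)
    info = {"label": label, "encrypted": label == "ENCRYPTED PRIVATE KEY"}
    if label != "PRIVATE KEY":
        return info  # PKCS #1 "RSA PRIVATE KEY" or encrypted PKCS #8: stop here
    der = base64.b64decode("".join(m.group(2).split()))
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, version, pos = read_tlv(seq, 0)       # INTEGER version (0 for v1)
    _, alg_id, _ = read_tlv(seq, pos)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id, 0)          # OBJECT IDENTIFIER inside it
    info["version"] = int.from_bytes(version, "big")
    info["algorithm_oid"] = decode_oid(oid)  # 1.3.101.112 is Ed25519
    return info
```

Run `inspect_private_key(open("pk8key.pem").read())` on the output of the commands above; `"encrypted": False` on a key that lives on disk is the finding to act on.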

See RFC 3447 for details on the PKCS1 standard.

See RFC 5208 for details on the PKCS #8 standard.

Let us know in the comments if you would like to see more examples of commands processing PKCS #8 formatted private keys.
