PKCS8 is the eighth of the Public-Key Cryptography Standards (PKCS) and defines a syntax for storing private key material. The private key may optionally be encrypted with a symmetric algorithm under a password-derived key. If your application requires the key to be in plain text, make sure the file is stored in a secured location. Whenever possible, keep the PKCS8 formatted private key encrypted.
The header and footer of the PKCS8 syntax are the following:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
…and if the PKCS #8 formatted private key is encrypted, the header and footer are the following:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Both variants are PEM encoded: the DER-encoded structure is base64 encoded between those header and footer lines.
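The header lines above are enough to tell, without a passphrase, whether a key file is encrypted at rest. The following is an added example (not code from the original post) that classifies PEM files by that first line and walks a directory for unencrypted private keys; the function names, the placeholder bodies and the sample files it creates are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: classify PEM private key
# files by their header line and list the ones stored in plain text.
# All function names and the constructed sample files are this example's own.

# Print the kind of PEM container in file $1, judged from its first line:
#   pkcs8-plain, pkcs8-encrypted, traditional-plain, traditional-encrypted,
#   or other (certificates, public keys, anything else).
pem_kind() {
  pem_first=$(head -n 1 "$1")
  case "$pem_first" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
      # Traditional (PKCS #1 / SEC 1) files are encrypted only if they carry
      # the legacy "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo traditional-encrypted
      else
        echo traditional-plain
      fi ;;
    *)                                       echo other ;;
  esac
}

# Walk directory $1 and print every *.pem / *.key file holding an unencrypted
# private key, i.e. the files the text above says should be kept encrypted.
find_plaintext_keys() {
  find "$1" -type f \( -name '*.pem' -o -name '*.key' \) | while IFS= read -r f; do
    case "$(pem_kind "$f")" in
      pkcs8-plain|traditional-plain) echo "$f" ;;
    esac
  done
}

# Create a scratch directory of constructed sample files and print its path.
# The bodies are placeholders, not real key material.
make_samples() {
  sd=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder-body' \
    '-----END PRIVATE KEY-----' > "$sd/plain.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'placeholder-body' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$sd/enc.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-body' \
    '-----END RSA PRIVATE KEY-----' > "$sd/rsa.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' 'placeholder-body' \
    '-----END RSA PRIVATE KEY-----' > "$sd/rsa_enc.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-body' \
    '-----END CERTIFICATE-----' > "$sd/cert.pem"
  echo "$sd"
}

# Run the demo when invoked directly as: sh pem_scan.sh demo
if [ "${1:-}" = demo ]; then
  demo_dir=$(make_samples)
  find_plaintext_keys "$demo_dir"   # prints plain.pem and rsa.pem
  rm -rf "$demo_dir"
fi
```

Point find_plaintext_keys at a real configuration directory to get a list of key files that still need to be encrypted or moved somewhere better protected.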
PKCS8 vs PKCS1
PKCS #8 is a private key syntax for all algorithms and not just RSA, whereas PKCS1 is specifically for RSA keys. The PKCS #8 ASN.1 structure also carries an algorithm identifier, so software loading the key knows which algorithm it belongs to. PKCS1 is still valid, but over time PKCS #8 has become the standard syntax for storing private key information. Some applications may even load a private key from the private key entry of a PKCS12 keystore, which is also common. But many languages expect a single key file rather than a keystore, which makes PKCS #8 a suitable syntax.
PKCS8 vs PKCS12
These are two different specifications: PKCS12 is meant to bundle a key pair with a certificate, not to store a single PKCS #8 private key. A PKCS12 keystore is password protected, and a stand-alone PKCS #8 private key should be too whenever possible. The same goes for a PKCS #1 private key: both private key formats should be encrypted under a symmetric key at rest.
The openssl pkcs8 command processes PKCS #8 private keys for any asymmetric algorithm and supports the various password-based encryption algorithms used to protect them. The same command can read and write both encrypted and plain text private keys. Note that the file extension is not special and is routinely just .pem.
To generate a private key with openssl, use the openssl genpkey command.
To convert a private key to encrypted PKCS8 (openssl prompts for a passphrase), run the following command:
openssl pkcs8 -in key.pem -topk8 -out pk8key.pem
-in key.pem is the private key to be converted to PKCS #8,
-topk8 means to convert, and
-out pk8key.pem will be the PKCS #8 formatted key.
To convert to PKCS8 in a plain text state, just add the -nocrypt option to the command:
openssl pkcs8 -in key.pem -topk8 -nocrypt -out pk8key.pem
To convert PKCS8 to PKCS1, run the following command:
openssl pkcs8 -in pk8key.pem -traditional -nocrypt -out key.pem
-in pk8key.pem is the PKCS #8 formatted private key,
-traditional means to convert to the traditional PKCS1 format,
-nocrypt means the input PKCS #8 key is not encrypted, and
-out key.pem is the file holding the PKCS1 traditional private key.
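The commands above form one chain: generate, encrypt, decrypt, convert to PKCS1. The following added example (not code from the original post) runs that chain end to end and then checks two things a practitioner cares about: that each file carries the expected header, and that the key material is identical in all four forms. It needs the openssl binary (1.1.0 or later for the -iter option); the function names, file names and the passphrase are this example's own, and the passphrase is a placeholder only.

```shell
#!/bin/sh
# Added example, not code from the original post: the conversion chain from
# the commands above, run end to end and verified. Requires openssl (1.1.0+
# for -iter). Function names and the passphrase are this example's own.

DEMO_PASS='example-passphrase-do-not-reuse'   # placeholder, for the demo only

# First line of a PEM file: tells us which container a conversion produced.
pem_header() { head -n 1 "$1"; }

# SHA-256 of the public key derived from private key file $1 (passphrase in
# $2 if the file is encrypted). Equal fingerprints mean equal key material;
# prints nothing and returns 1 if openssl cannot load the key.
pubkey_fingerprint() {
  if [ -n "${2:-}" ]; then
    pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
  else
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  fi
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Produce key.pem (plain PKCS #8), enc.pem (encrypted PKCS #8), plain.pem
# (decrypted back to PKCS #8) and rsa.pem (traditional PKCS #1) in directory $1.
run_chain() {
  d=$1
  # 1. A fresh 2048-bit RSA key. genpkey writes unencrypted PKCS #8 by default.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/key.pem" 2>/dev/null
  # 2. -topk8 with a passphrase: encrypted PKCS #8 (PBES2 with AES-256-CBC and
  #    a high PBKDF2 iteration count to slow offline guessing of the passphrase).
  openssl pkcs8 -topk8 -in "$d/key.pem" -v2 aes-256-cbc -iter 100000 \
    -passout "pass:$DEMO_PASS" -out "$d/enc.pem"
  # 3. Without -topk8 the input is PKCS #8; -passin decrypts it and the output
  #    is plain PKCS #8. -nocrypt is omitted because the INPUT is encrypted.
  openssl pkcs8 -in "$d/enc.pem" -passin "pass:$DEMO_PASS" -out "$d/plain.pem"
  # 4. -traditional on a plain (-nocrypt) PKCS #8 input: PKCS #1 "RSA PRIVATE KEY".
  openssl pkcs8 -in "$d/plain.pem" -nocrypt -traditional -out "$d/rsa.pem"
}

# Check the headers and confirm all four files hold the same key. Returns 0
# on success, 1 on the first mismatch.
verify_chain() {
  d=$1
  [ "$(pem_header "$d/key.pem")"   = '-----BEGIN PRIVATE KEY-----' ]           || return 1
  [ "$(pem_header "$d/enc.pem")"   = '-----BEGIN ENCRYPTED PRIVATE KEY-----' ] || return 1
  [ "$(pem_header "$d/plain.pem")" = '-----BEGIN PRIVATE KEY-----' ]           || return 1
  [ "$(pem_header "$d/rsa.pem")"   = '-----BEGIN RSA PRIVATE KEY-----' ]       || return 1
  ref=$(pubkey_fingerprint "$d/key.pem")
  [ -n "$ref" ] || return 1
  [ "$(pubkey_fingerprint "$d/enc.pem" "$DEMO_PASS")" = "$ref" ] || return 1
  [ "$(pubkey_fingerprint "$d/plain.pem")" = "$ref" ]             || return 1
  [ "$(pubkey_fingerprint "$d/rsa.pem")" = "$ref" ]               || return 1
  echo "all four forms hold the same key, public key sha256 $ref"
}

# Run the demo when invoked directly as: sh pkcs8_chain.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  run_chain "$work" && verify_chain "$work"
  rm -rf "$work"
fi
```

In practice you would not pass the passphrase on the command line (other local users can read process arguments); use a file or an environment variable via -passout file:... / env:... instead. The -iter value is what makes offline guessing of a stolen encrypted key expensive, so prefer it over the defaults when a key has to live on disk.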
See RFC 3447 for details on the PKCS1 standard.
See RFC 5208 for details on the PKCS #8 standard.
Let us know in the comments if you would like to see more examples of commands processing PKCS #8 formatted private keys or conversions to other key formats. Head over to our OpenSSL page for more common commands.