PKCS8 is the eighth of the Public-Key Cryptography Standards (PKCS) and is a syntax for storing private key material. The private keys may be encrypted with a symmetric key algorithm. If the usage of your key requires it to be in plain text, make sure it is stored in a secured location. If at all possible, keep the PKCS8 formatted private key encrypted.
PKCS8 Example
The header and footer of the PKCS8 syntax is the following:
—–BEGIN PRIVATE KEY—–
—–END PRIVATE KEY—–
…and if the PKCS #8 formatted private key is encrypted, the header and footer is the following:
—–BEGIN ENCRYPTED PRIVATE KEY—–
—–END ENCRYPTED PRIVATE KEY—–
This format is pem formatted.
Difference between PKCS8 and PKCS1
- PKCS #8 is a private key syntax for all algorithms and not just RSA. PKCS1 is primarily for using the RSA algorithm.
- PKCS #8 also uses ASN.1 which identifies the algorithm in its structure.
- Over time, while PKCS1 is still valid, PKCS #8 has become the standard syntax for storing private key information.
Some applications may even load private key information from a private key entry in a PKCS12 formatted keystore which is also common. But, many languages expect a single file and not a keystore, which makes PKCS #8 a suitable syntax.
Difference between pkcs8 vs pkcs12
These are two different specs, and pkcs12 is meant to bundle a key pair with a certificate and not to store a single pkcs 8 private key. While a pkcs12 formatted keystore is password protected, so should the stand-alone PKCS#8 private key if at all possible. This also goes for a PKCS#1 private key. Both private key formats should have a symmetric key encrypting them at rest.
Create private Key with openssl pkcs8 Command
The openssl pkcs8 command can be used for processing asymmetric private keys in various encryption algorithms in PKCS #8 format. These openssl pkcs8 commands can process both encrypted and plain text private keys. Note that the file extension is not special and is routinely just .pem.
To generate a private key with openssl use the openssl -genpkey command.
To convert a private key to pkcs8, run the following command:
- openssl pkcs8 -in key.pem -topk8 -out pk8key.pem
Where -in key.pem is the private key to be converted to PKCS #8, -topk8 means to convert, and -out pk8key.pem will be the PKCS #8 formatted key.
To convert to PKCS8 in a plain text state, just add the -nocrypt option to the command:
- openssl pkcs8 -in key.pem -topk8 -nocrypt -out pk8key.pem
To convert PKCS8 to PKCS1, run the following command:
- openssl pkcs8 -in pk8key.pem -traditional -nocrypt -out key.pem
Where -in pk8key.pem is the PKCS #8 formatted private key, -traditional means to convert to the traditional PKCS1 format, -nocrypt means the key is not encrypted, and -out key.pem is the file holding the PKCS1 traditional private key.
See RFC 3447 for details on the PKCS1 standard.
See RFC 5208 for details on the PKCS#8 standard.