What Is PKCS#8?

This section describes PKCS#8, one of the PKCS (Public Key Cryptography Standards), which is used to store a single private key. A PKCS#8 file can be encrypted with a password to protect the private key.

PKCS#8 is one of the PKCS (Public Key Cryptography Standards) devised and published by RSA Security. PKCS#8 is designed as the Private-Key Information Syntax Standard. It is used to store private keys.

The PKCS#8 standard actually has two versions: non-encrypted and encrypted.

The non-encrypted PKCS#8 version defines the following syntax for a private key:

PrivateKeyInfo ::= SEQUENCE {
  version Version,
  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
  privateKey PrivateKey,
  attributes [0] IMPLICIT Attributes OPTIONAL }

Version ::= INTEGER

PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

PrivateKey ::= OCTET STRING

Attributes ::= SET OF Attribute

The encrypted PKCS#8 version defines the following syntax:

EncryptedPrivateKeyInfo ::= SEQUENCE {
  encryptionAlgorithm EncryptionAlgorithmIdentifier,
  encryptedData EncryptedData }

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

Java SE "keytool" does not support exporting private keys in PKCS#8 format directly. But you can use my "DumpKey.java" to do this as described in another chapter of this book.

"OpenSSL" does not support exporting private keys in PKCS#8 format directly. It writes private keys in its own format, referred to as the traditional private key format. But it offers the "openssl pkcs8" command to convert private key files between the traditional format and PKCS#8 in both directions.

When writing a private key in PKCS#8 format to a file, it needs to be stored in either DER encoding or PEM encoding. DER and PEM encodings are described in other chapters of this book.
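
As an added example (not code from this book), the Python sketch below reads a DER-encoded key and tells the two PKCS#8 syntaxes apart by the first element of the outer SEQUENCE: an INTEGER version means PrivateKeyInfo, an AlgorithmIdentifier SEQUENCE means EncryptedPrivateKeyInfo. The function names and the sample byte strings are constructed for illustration; the samples carry real algorithm OIDs but dummy key and ciphertext bytes.

```python
def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    top = min(body[0] // 40, 2)
    arcs, val = [top, body[0] - 40 * top], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends the arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_pkcs8(der):
    """Return (syntax name, algorithm OID, key or ciphertext length)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    kind = "EncryptedPrivateKeyInfo"
    alg_tag, alg, pos = read_tlv(body, 0)
    if alg_tag == 0x02:                # INTEGER version first: unencrypted form
        kind = "PrivateKeyInfo"
        alg_tag, alg, pos = read_tlv(body, pos)
    if alg_tag != 0x30:                # AlgorithmIdentifier must be a SEQUENCE
        raise ValueError("not a PKCS#8 structure")
    oid_tag, oid, _ = read_tlv(alg, 0)
    key_tag, key, _ = read_tlv(body, pos)
    if oid_tag != 0x06 or not oid or key_tag != 0x04:
        raise ValueError("not a PKCS#8 structure")
    return kind, decode_oid(oid), len(key)

def tlv(tag, value):                   # builds the constructed samples below
    return bytes([tag, len(value)]) + value
# Constructed samples: real algorithm OIDs, dummy key and ciphertext bytes.
RSA = tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption
PBES2 = tlv(0x06, bytes.fromhex("2a864886f70d01050d"))    # PBES2
PLAIN = tlv(0x30, tlv(2, b"\0") + tlv(0x30, RSA + tlv(5, b"")) + tlv(4, bytes(16)))
ENCRYPTED = tlv(0x30, tlv(0x30, PBES2 + tlv(0x30, b"")) + tlv(4, bytes(32)))
```

A traditional-format RSA key also begins with a SEQUENCE and an INTEGER, but its second element is another INTEGER rather than an AlgorithmIdentifier, so classify_pkcs8 rejects it with ValueError. A result of "PrivateKeyInfo" means the key material in the file is not password protected.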

Visit the PKCS website at http://www.rsa.com/rsalabs/node.asp?id=2124 to read more about PKCS#8.
