PEM Format
What is PEM Format?
PEM Format: A textual encoding for cryptographic objects (keys, certificates, CRLs) defined by RFC 7468 that wraps Base64-encoded DER in BEGIN and END header lines.
PEM stands for Privacy-Enhanced Mail, the obsolete email standard from RFC 1421 that introduced the encoding. RFC 7468 formalises the textual format that is now ubiquitous in PKI: a header line such as -----BEGIN CERTIFICATE-----, Base64-encoded DER bytes broken into 64-character lines, and a matching -----END CERTIFICATE----- line. Common label values include CERTIFICATE, PRIVATE KEY, ENCRYPTED PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, CERTIFICATE REQUEST and X509 CRL. PEM files are ASCII-safe, can be concatenated to form chains, and are accepted by OpenSSL, BoringSSL, Java keytool, and most TLS libraries. The actual cryptographic structure is still ASN.1/DER inside; PEM is only the armouring layer.
● Examples
- 01: A certificate chain stored as cert.pem with multiple -----BEGIN CERTIFICATE----- blocks concatenated.
- 02: An OpenSSH private key saved with the -----BEGIN OPENSSH PRIVATE KEY----- header.
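A strict reader for the armouring layer described above, given here as an added example that is not code from the original page. It splits concatenated blocks, checks that the BEGIN and END labels match, decodes the Base64 body, sanity-checks the DER envelope, and flags private-key labels, which should not appear in a file meant to hold only a certificate chain. The function names and the sample bundle are constructed for this illustration.

```python
import base64
import binascii
import re

# RFC 7468 armour: BEGIN line, Base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def is_single_der_sequence(der):
    """True if der is exactly one SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length, offset = der[1], 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        count = length & 0x7F
        if count == 0 or len(der) < 2 + count:
            return False
        length, offset = int.from_bytes(der[2:2 + count], "big"), 2 + count
    return offset + length == len(der)

def parse_pem(text):
    """Return one dict per armoured block: label, decoded bytes, problems."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body, end_label = m.groups()
        problems = [] if label == end_label else ["BEGIN/END label mismatch"]
        try:
            data = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            data = b""
            problems.append("body is not valid Base64")
        # OpenSSH keys use their own binary layout, so skip the DER check there.
        if data and label != "OPENSSH PRIVATE KEY" and not is_single_der_sequence(data):
            problems.append("payload is not a single DER SEQUENCE")
        if label.endswith("PRIVATE KEY"):
            problems.append("private key material in bundle")
        blocks.append({"label": label, "data": data, "problems": problems})
    return blocks

# Constructed sample: the payload is a 5-byte toy SEQUENCE (30 03 02 01 05),
# not a real certificate or key.
SAMPLE = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
"""
```

Because the parser is strict, legacy RFC 1421-style header lines inside a block (as found in older encrypted key files) are reported as invalid Base64 rather than silently skipped.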
● Frequently asked questions
What is PEM Format?
A textual encoding for cryptographic objects (keys, certificates, CRLs) defined by RFC 7468 that wraps Base64-encoded DER in BEGIN and END header lines. It belongs to the Cryptography category of cybersecurity.
How do you defend against PEM Format?
Defences for PEM Format typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PEM Format?
Common alternative names include: Privacy-Enhanced Mail, Base64 DER.
● Related terms
- cryptography № 065
ASN.1
Abstract Syntax Notation One: an ITU-T standard (X.680 series) that describes data structures used in cryptography and telecoms in a language-independent way.
- cryptography № 831
PKCS#7
A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652.
- cryptography № 830
PKCS#12
A password-protected file format (.pfx / .p12) that bundles a private key with its certificate chain, standardised by RFC 7292.