pkeyutl.1s

openssl pkeyutl [-help] [-in filename] [-out filename] [-sigfile filename] [-inkey filename] [-passin arg] [-keyform arg] [-pubin] [-certin] [-pkcs8] [-topk8] [-noout] [-engine id] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-propquery propq] [-encrypt] [-decrypt] [-sign] [-verify] [-verifyrecover] [-derive] [-shared_secret] [-pkeyopt parameter:value] [-rev] [-asn1parse] [-hexdump]

-help
    Display a brief summary of command options.

-in filename
    Input file containing the data to be processed.

-out filename
    Output file to write the processed data.

-sigfile filename
    Signature file for verification.

-inkey filename
    Input file containing the private key.

-passin arg
    Input password source.

-keyform arg
    Private key format (PEM, DER, etc.).

-pubin
    Input file contains a public key, not a private key.

-certin
    Input file contains a certificate.

-pkcs8
    The input is in PKCS#8 format.

-topk8
    The input is converted to PKCS#8 format.

-noout
    No output is produced.

-engine id
    Specifies the engine to use.

-rand files
    Specifies one or more source(s) of random bytes.

-writerand file
    Writes random data to a file.

-provider name
    The provider to load.

-provider-path path
    A path to search for providers.

-propquery propq
    A property query string.

-encrypt
    Encrypt the input data.

-decrypt
    Decrypt the input data.

-sign
    Sign the input data.

-verify
    Verify the signature of the input data.

-verifyrecover
    Verify and recover the original data.

-derive
    Perform key derivation.

-shared_secret
    Output the shared secret.

-pkeyopt parameter:value
    Set public key algorithm options.

-rev
    Reverse the input data.

-asn1parse
    Parse input ASN.1 data and print a human readable form.

-hexdump
    Hex dump the output data.

The pkeyutl command is a versatile utility within the OpenSSL toolkit that performs a variety of public key operations.

It allows you to perform various operations using public and private keys, such as encryption, decryption, signing, verification, key derivation, and more. pkeyutl is particularly useful for testing cryptographic algorithms, experimenting with different key parameters, and performing specific low-level operations. It provides a command-line interface to access and manipulate cryptographic keys in different formats. By using options, you can specify the input key, the operation to perform, and the output format.

The command can be used with both RSA and ECC keys and it provides fine-grained control over the cryptographic processes. Due to its complexity, its direct use in production system is less common than higher-level wrappers or dedicated cryptographic libraries.

Using pkeyutl requires a good understanding of cryptographic algorithms and key formats. Incorrect usage can lead to security vulnerabilities. Be sure to understand the parameters you're setting.

Encrypting data:
openssl pkeyutl -encrypt -in data.txt -inkey pubkey.pem -pubin -out enc.txt

Decrypting data:
openssl pkeyutl -decrypt -in enc.txt -inkey privkey.pem -out data.txt

Signing data:
openssl pkeyutl -sign -in data.txt -inkey privkey.pem -out sig.txt

Verifying data:
openssl pkeyutl -verify -in data.txt -sigfile sig.txt -inkey pubkey.pem -pubin

openssl(1), rsa(1), ec(1)