Added documentation for -iter for PKCS#8

2014-06-03 15:24:49 -07:00
parent 8a6c6bbf21
commit 96fc4b7250
1 changed files with 12 additions and 0 deletions
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -14,6 +14,7 @@ B<openssl> B<pkcs8>
 [B<-passin arg>]
 [B<-out filename>]
 [B<-passout arg>]
+[B<-iter count>]
 [B<-noiter>]
 [B<-nocrypt>]
 [B<-nooct>]
@@ -76,6 +77,12 @@ filename.
 the output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

+=item B<-iter count>
+
+When creating new PKCS#8 containers, use a given number of iterations on the password
+in deriving the encryption key for the PKCS#8 output. High values increase the time
+required to brute-force a PKCS#8 container.
+
 =item B<-nocrypt>

 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
@@ -225,6 +232,11 @@ Convert a private key from any PKCS#8 format to traditional format:

 openssl pkcs8 -in pk8.pem -out key.pem
 
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with 
+one million iterations of the password:
+
+ openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
+
 =head1 STANDARDS

 Test vectors from this PKCS#5 v2.0 implementation were posted to the