---
title: PemPropertyFormat
description: The format of a secret used with a mappings configuration in FileSystemSecretStore and SystemAndEnvSecretStore. Privacy-Enhanced Mail (PEM) is a file format for storing and sending cryptographic keys, certificates, and other data, based on standards in Textual Encodings of PKIX, PKCS, and CMS Structures. By default, OpenSSL generates keys using the PEM format.
component: pinggateway
version: 2026
page_id: pinggateway:reference:PemPropertyFormat
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/PemPropertyFormat.html
revdate: 2025-07-07T16:48:22Z
section_ids:
  PemPropertyFormat-usage: Usage
  PemPropertyFormat-properties: Properties
  PemPropertyFormat-example: Example
  PemPropertyFormat-moreinfo: More information
---

# PemPropertyFormat

The format of a secret used with a mappings configuration in FileSystemSecretStore and SystemAndEnvSecretStore. Privacy-Enhanced Mail (PEM) is a file format for storing and sending cryptographic keys, certificates, and other data, based on standards in [Textual Encodings of PKIX, PKCS, and CMS Structures](https://www.rfc-editor.org/rfc/rfc7468). By default, OpenSSL generates keys using the PEM format.

The encryption algorithms and ciphers used to encrypt a PEM must be supported by the Java Cryptography Extension (JCE) providers available in the JVM; a key encrypted with an algorithm the JVM cannot handle fails to load.

PEM keys have the following format, where the PEM label identifies the type of stored cryptographic material:

```none
-----BEGIN {PEM label}-----
Base64-encoded cryptographic material
-----END {PEM label}-----
```

| PEM Label               | Stored Cryptographic Material              |
| ----------------------- | ------------------------------------------ |
| `CERTIFICATE`           | X.509 Certificate                          |
| `PUBLIC KEY`            | X.509 SubjectPublicKeyInfo                 |
| `PRIVATE KEY`           | PKCS#8 Private Key                         |
| `ENCRYPTED PRIVATE KEY` | Encrypted PKCS#8 Private Key               |
| `EC PRIVATE KEY`        | EC Private Key                             |
| `RSA PRIVATE KEY`       | PKCS#1 RSA Private Key                     |
| `RSA PUBLIC KEY`        | PKCS#1 RSA Public Key                      |
| `DSA PRIVATE KEY`       | PKCS#1-style DSA Private Key               |
| `HMAC SECRET KEY`       | HMAC Secret Keys                           |
| `AES SECRET KEY`        | AES Secret Keys                            |
| `GENERIC SECRET`        | Generic Secrets (passwords, API keys, etc) |

Note the following points about the key formats:

* PKCS#1 is the standard that defines RSA. Learn more in [RFC 8017: RSA Public Key Syntax](https://www.rfc-editor.org/rfc/rfc8017#appendix-A.1.1).

* The `DSA PRIVATE KEY` format is an OpenSSL convention adapted from the PKCS#1 RSA format rather than a published standard. The `EC PRIVATE KEY` structure is described in [RFC 5915: Elliptic Curve Private Key Structure](https://www.rfc-editor.org/rfc/rfc5915); neither label is part of PKCS#1 itself.

* `HMAC SECRET KEY`, `AES SECRET KEY`, and `GENERIC SECRET` are Ping Identity Platform extensions that no other tools currently support. Because their payload is the raw key material (not an encrypted container), protect the file with restrictive permissions in the same way as an unencrypted private key.

  The following example is a non-standard PEM encoding of an HMAC symmetric secret key. The payload is the base64-encoded random bytes that are the key material, with no DER wrapper or other encoding.

  ```none
  -----BEGIN HMAC SECRET KEY-----
  Pj/Vel...thB0U=
  -----END HMAC SECRET KEY-----
  ```

  Run the following example command to create the key. The `cat` heredoc writes the PEM to standard output; redirect it to a file to store the key. The 32 random bytes give a 256-bit key, and 32 bytes of base64 fit on a single line:

  ```bash
  # 32 bytes from /dev/urandom, base64-encoded, inside the non-standard
  # HMAC SECRET KEY label. Redirect stdout to a file to persist the key.
  cat <<EOF
  -----BEGIN HMAC SECRET KEY-----
  $(head -c 32 /dev/urandom | base64)
  -----END HMAC SECRET KEY-----
  EOF
  ```
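The following parser and validator is an added example, not PingGateway code. It implements the PEM layout and label table above with only the Python standard library: it checks that each `BEGIN`/`END` label pair matches, base64-decodes the payload, treats the three Ping Identity Platform extension labels as raw key bytes, and checks that every other label wraps a DER structure (which always starts with a SEQUENCE tag, `0x30`), so a mislabeled or truncated file is rejected before it reaches a key loader. It also produces the same `HMAC SECRET KEY` PEM as the shell one-liner above. The key bytes and the bad inputs in the block are constructed for the example.

```python
"""Parse and sanity-check PEM secrets in the layout described on this page.

Added example, not PingGateway code. Standard library only; all sample
inputs below are constructed for the example and hold no real secrets.
"""
import base64
import os
import re

# Labels from the table above. Every standard label wraps a DER structure;
# the three Ping Identity Platform extensions carry raw key bytes instead.
DER_LABELS = {
    "CERTIFICATE", "PUBLIC KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "EC PRIVATE KEY", "RSA PRIVATE KEY", "RSA PUBLIC KEY", "DSA PRIVATE KEY",
}
RAW_SECRET_LABELS = {"HMAC SECRET KEY", "AES SECRET KEY", "GENERIC SECRET"}

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def parse_pem(text):
    """Return [(label, payload_bytes), ...] for every PEM block in text.

    Raises ValueError when a BEGIN/END pair disagrees, the payload is not
    valid base64, or no block is present: the conditions a loader rejects.
    """
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, end = m.group("label"), m.group("end")
        if label != end:
            raise ValueError(f"label mismatch: BEGIN {label} / END {end}")
        body = "".join(m.group("body").split())  # drop line wrapping
        payload = base64.b64decode(body, validate=True)
        blocks.append((label, payload))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def classify(label, payload):
    """Describe a block according to the label table on this page."""
    if label in RAW_SECRET_LABELS:
        # Payload is the key material itself: its length is the key size.
        return f"{label}: {len(payload) * 8}-bit raw secret (Ping extension)"
    if label in DER_LABELS:
        # Certificates, SubjectPublicKeyInfo, PKCS#8, PKCS#1 and EC key
        # structures are all ASN.1 SEQUENCEs, so DER starts with 0x30.
        if not payload or payload[0] != 0x30:
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        return f"{label}: DER structure, {len(payload)} bytes"
    raise ValueError(f"unsupported PEM label: {label}")


def describe(text):
    """Parse text and return one description per block (or raise)."""
    return [classify(label, payload) for label, payload in parse_pem(text)]


def make_hmac_secret_pem(key_bytes=None, size=32):
    """Wrap raw key bytes in the non-standard HMAC SECRET KEY label.

    With no key_bytes this mirrors the shell one-liner above, drawing
    `size` random bytes from the OS CSPRNG.
    """
    if key_bytes is None:
        key_bytes = os.urandom(size)
    b64 = base64.b64encode(key_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # RFC 7468 wraps at 64
    return ("-----BEGIN HMAC SECRET KEY-----\n"
            + "\n".join(lines)
            + "\n-----END HMAC SECRET KEY-----\n")


# Constructed inputs: a fixed 32-byte key, a BEGIN/END mismatch, and a
# text payload mislabeled as a certificate.
SAMPLE_HMAC_PEM = make_hmac_secret_pem(bytes(range(32)))
MISMATCHED_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
MISLABELED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"not a certificate").decode() + "\n"
                  + "-----END CERTIFICATE-----\n")


def check(text):
    """Return the descriptions, or the error message a loader would report."""
    try:
        return describe(text)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, pem in [("hmac", SAMPLE_HMAC_PEM), ("mismatch", MISMATCHED_PEM),
                      ("mislabeled", MISLABELED_PEM)]:
        print(name, "->", check(pem))
```

`parse_pem` accepts several blocks in one file, so the same routine validates a certificate chain as well as a single secret. The DER check is deliberately shallow: it catches a raw secret stored under a standard label, but confirming that an `ENCRYPTED PRIVATE KEY` really is a PKCS#8 `EncryptedPrivateKeyInfo` still requires a full ASN.1 parse by the key loader.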

## Usage

```json
{
  "name": string,
  "type": "PemPropertyFormat",
  "config": {
    "decryptionSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference
  }
}
```

## Properties

* `"decryptionSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, optional*

  The secret ID of the secret (the passphrase) used to decrypt an encrypted PKCS#8 private key, that is, a PEM with the `ENCRYPTED PRIVATE KEY` label. Omit it for unencrypted keys, certificates, and public keys.

  This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required when `decryptionSecretId` is used*

  The [SecretsProvider](SecretsProvider.html) to query for the decryption secret.

## Example

You can find examples of use in [Pass runtime data in a JWT signed with a PEM](../gateway-guide/data-downstream.html#runtime-signed-pem-example) and [Pass runtime data in a JWT signed and encrypted with a PEM](../gateway-guide/data-downstream.html#runtime-encrypted-pem-example).

## More information

[org.forgerock.openig.secrets.PemPropertyFormatHeaplet](../_attachments/apidocs/org/forgerock/openig/secrets/PemPropertyFormatHeaplet.html)
