• Also known as
  • Privacy Enhanced Mail

PEM is the abbre­vi­a­tion for Pri­vacy Enhanced Mail and describes a text-based for­mat for cryp­to­graphic keys, cer­tifi­cates, cer­tifi­cate sign­ing requests, and other data used in a pub­lic key infra­struc­ture.

The PEM for­mat is designed to be safe for inclu­sion in plain text doc­u­ments as emails, that are using ASCII or any other ASCII based char­ac­ter encod­ing such as Uni­code.

Most cryp­to­graphic stan­dards use the binary DER for­mat for stor­ing struc­tured data like key cer­tifi­cates. Binary data how­ever is harder to inte­grate in plain text mes­sages or stor­age for­mats. The PEM for­mat is address­ing this issue by using Base64 encod­ing to embed the binary data to the text. Very dis­tinct BEGIN and END head­ers allow to eas­ily deter­mine PEM encoded infor­ma­tion.

When open­ing PEM for­mat­ted data in a text edi­tor, you will see some­thing sim­i­lar to this:

-----BEGIN [TYPE]-----
MIIFfTC­CA2W­gAw­IBAg­I­JA­JvQ6o­qE­Q7saMA0GC­SqGSI­b3DQE­BCwUAM­FUx­CzA­JBgNV
BAY­TAkhLM­RAwDgY­D­VQQI­DAd­DZW50cmF­sM­Row­GAY­D­VQQKDBFT­SE9S­RUx­FU1MgT­Glt
aXR­lZDEYM­BY­GA1UEAww­Pd3d3LmV4Y­W1w­bGU­uY29tM­B4XDTE4MD­kyMzA­wMT­MzM­FoX
[...]
kj3­WOD­WSXcN+KMb­NC­c­jat­fRTES­Fg­B2jDt1/ts83Alb/SgvFVRzheW5vQIO­QWwvMF
81G­W­piEM5­TuLE/z02xS­mm­SzD­sl6ubaQEOup328p702urL­h­H45X­uX­E1e­JWib9F5PB
rMgEDT2vq5YUt­PUPZHth­ne0=
-----END [TYPE]-----

Depend­ing on the encoded data, the above [TYPE] may be PRIVATE KEY, CERTIFICATE, CERTIFICATE REQUEST and alike.

Var­i­ous file suf­fixes are used for PEM files. The most com­mon ones are .key, .cert, .crt, .csr, .ca-bundle, or just .pem.

A sin­gle PEM file may con­tain mul­ti­ple cer­tifi­cates. For exam­ple, a cer­tifi­cate author­ity bun­dle (CA bun­dle) usu­ally is a chain of inter­me­di­ate cer­tifi­cates up to the root cer­tifi­cate of the cer­tifi­cate author­ity (CA). Open­ing such a file in a text edi­tor may show sev­eral

-----BEGIN CER­TIFI­CATE-----
[...]
-----END CER­TIFI­CATE-----
-----BEGIN CER­TIFI­CATE-----
[...]
-----END CER­TIFI­CATE-----

blocks copied after each other.