Also known as: Privacy Enhanced Mail

PEM is the abbreviation for Privacy Enhanced Mail and describes a text-based format for cryptographic keys, certificates, certificate signing requests, and other data used in a public key infrastructure.

The PEM format is designed to be safe for inclusion in plain text documents, such as emails, that use ASCII or any other ASCII-based character encoding such as Unicode.

Most cryptographic standards use the binary DER format for storing structured data like key certificates. Binary data, however, is harder to integrate into plain text messages or storage formats. The PEM format addresses this issue by using Base64 encoding to embed the binary data in the text. Very distinct BEGIN and END headers make it easy to identify PEM-encoded information.

When opening PEM-formatted data in a text editor, you will see something similar to this:

-----BEGIN [TYPE]-----
-----END [TYPE]-----

Depending on the encoded data, the above [TYPE] may be PRIVATE KEY, CERTIFICATE, CERTIFICATE REQUEST, and the like.

Various file suffixes are used for PEM files. The most common ones are .key, .cert, .crt, .csr, .ca-bundle, or just .pem.

A single PEM file may contain multiple certificates. For example, a certificate authority bundle (CA bundle) usually is a chain of intermediate certificates up to the root certificate of the certificate authority (CA). Opening such a file in a text editor may show several blocks copied after each other.
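The following Python sketch is an added example, not part of the original glossary entry. It splits a multi-block PEM file into its typed blocks, decodes the Base64 body back to DER, and flags private key blocks in a file that is meant to hold only certificates. The function names are hypothetical and the sample data is constructed (tiny placeholder DER structures, not real certificates or keys).

```python
import base64
import re

# One PEM block; the backreference forces END to repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def to_pem(label, der):
    """Wrap DER bytes in PEM armor, 64 Base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every well-formed PEM block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Drop line breaks, then decode strictly so stray characters raise.
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def private_key_labels(blocks):
    """Labels of blocks that carry private key material."""
    return [label for label, _ in blocks if label.endswith("PRIVATE KEY")]


# Constructed sample data: DER SEQUENCEs holding one small INTEGER each.
FAKE_CERT_1 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_CERT_2 = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
FAKE_KEY = bytes([0x30, 0x03, 0x02, 0x01, 0x00])

# A two-certificate bundle, and the same bundle with a key appended by mistake.
BUNDLE = to_pem("CERTIFICATE", FAKE_CERT_1) + to_pem("CERTIFICATE", FAKE_CERT_2)
LEAKY = BUNDLE + to_pem("RSA PRIVATE KEY", FAKE_KEY)

if __name__ == "__main__":
    for label, der in parse_pem(LEAKY):
        print(label, len(der), "bytes; DER SEQUENCE tag:", der[:1] == b"\x30")
    print("private key blocks:", private_key_labels(parse_pem(LEAKY)))
```

A block whose END label does not match its BEGIN label is skipped by `parse_pem`, so a shorter-than-expected result is itself a sign of a malformed file.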