Analogous function to mbedtls_pk_parse_key (write an encrypted string)

So following function parses an (un)encrypted DER-encoded private key and fills the pk_context accordingly:

int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
const unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen )

Does mbedtls provide a function that works analogously to this one … meaning that it has a pk_context and can store it (encrypted) to a buffer. I’ve only seen mbedtls_pk_write_key_pem, which however does not take encryption into account.

Unfortunately, Mbed TLS does not have an API for writing encrypted key, as it wasn’t part of our original target.
If you believe this feature is required,you are welcome to make a contribution.
Mbed TLS Team member

Hmm… I wouldn’t store a private key unencrypted.
It looks like me and @TrinityTonic are in a minority here.

Is it enough for two people needing this feature to have it implemented?

@TrinityTonic: Did you end up writing any code for this you wont mind sharing?

Hi @elang
I agree that a private key should be stored in a secure place, depending on the threat model.
If your application runs in a secure element, for example, no need ofr it to be encrypted, nor if you store the key in a secure storage.
I agree this feature is needed, and as an open source library, we welcome contributions.

Hi Eric, Ron,
sorry for the late reply. But to provide some later answers

  1. We still need the functionality to be able to store an asymmetric key in an encrypted way. A use-case for us would be that we have a small space where we can securely store a symmetric key which we want to use as a key encryption key for all our asymmetric keys that could be just stored in flash using this functionality.
  2. We haven’t implemented this functionality yet.

Any updates from your side? This requirement is still required by us. We don’t have a secure key storage but we have a symmetric key we can securely use to encrypt an unlimited number of asymmetric keys. Once when keys are deployed into our device we’ll use our symmetric key to encrypt all asymmetric keys.

  • mbedtls_pk_parse_key function fullfills our requirements of being able to parse an encrypted key (PKCS#8 + PKCS#5)

  • mbedtls_pk_write_key_encrypted is what we would need. Looking at the code base many of the required building blocks are there. Is there a chance this could be integrated in the future? We wouldn’t need to support all the available ciphers at the moment but the commonly used ones whould suffice first.

IMO the feature should be mandatory for a TLS library that allows generation, creation and storing keys, don’t you think?

Hi @TrinityTonic
Does this PR address your question?
Although it doesn’t address encrypted keys, it can be modified to support encrpytion, if there would be demand


Hi @roneld01, when shortly scrolling through the the PR you mentioned, It doesn’t seem to take writing encrypted keys into account. But if it’s a PR for PKCS#8, adding the encryption feature in that PR could make sense.


Hi @TrinityTonic
Yes, this PR doesn’t include encrypted keys, but it was one of the comments .
Note this PR is quite old and would probably need reworking.
If you would like this PR to go back to focus, I would suggest you ping on this PR.
Note, that as mentioned here, Mbed TLS is now maintained under open governance at

By pinging, you just mean writing a comment under it with my feature request for that pr?

Yes, sorry for confusion

ok, that’s what I have done. Thanks

But as I see, the feature requests haven’t been taken into account yet right?

But as I see, the feature requests haven’t been taken into account yet right?

Probably, but it could assist in prioritizations