=head1 SYNOPSIS
B<openssl> B<pkcs8>
+[B<-help>]
[B<-topk8>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-passin arg>]
[B<-out filename>]
[B<-passout arg>]
+[B<-iter count>]
[B<-noiter>]
[B<-nocrypt>]
[B<-nooct>]
[B<-v2prf alg>]
[B<-v1 alg>]
[B<-engine id>]
+[B<-scrypt>]
+[B<-scrypt_N N>]
+[B<-scrypt_r r>]
+[B<-scrypt_p p>]
=head1 DESCRIPTION
=over 4
+=item B<-help>
+
+Print out a usage message.
+
=item B<-topk8>
Normally a PKCS#8 private key is expected on input and a traditional format
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+
+=item B<-iter count>
+
+When creating new PKCS#8 containers, use a given number of iterations on
+the password in deriving the encryption key for the PKCS#8 output.
+High values increase the time required to brute-force a PKCS#8 container.
=item B<-nocrypt>
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
+=item B<-scrypt>
+
+uses the B<scrypt> algorithm for private key encryption using default
+parameters: currently N=1024, r=8 and p=16 and AES in CBC mode with a 256 bit
+key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
+B<-scrypt_p> and B<-v2> options.
+
+B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
+
+sets the scrypt B<N>, B<r> or B<p> parameters.
+
=back
=head1 NOTES
Convert a private key from any PKCS#8 format to traditional format:
openssl pkcs8 -in pk8.pem -out key.pem
+
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with
+one million iterations of the password:
+
+ openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
=head1 STANDARDS
=head1 SEE ALSO
-L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>
+L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
+L<gendsa(1)>
+
+=head1 HISTORY
+
+The B<-iter> option was added to OpenSSL 1.1.0.
=cut