SignDoc SDK (C)  5.0.0
Encryption of biometric data

It is essential to encrypt biometric data asymmetrically and to keep the private key secret. That is, you should use be_rsa for integer parameter BiometricEncryption. To create the RSA key pair, you can use either KeyTool (which will use a proprietary file format for encrypted private keys, see KeyTool.txt) or any tool that creates an RSA key pair and uses PKCS #1 format (DER or PEM) for the public key and PKCS #12 format for the private key. Alternatively, the public key can also be specified as X.509 certificate (DER or PEM).

For instance, you can create a key pair using OpenSSL this way:

openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc
openssl pkey -in private.pem -outform der -pubout -out public.der
openssl pkcs12 -export -inkey private.pem -nocerts -out private.der

The export password must be non-empty. The public key will be written to public.der, the private key will be written to private.der, the file private.pem can be deleted.