SignDoc SDK (.NET with exceptions)  5.0.0
Encryption of biometric data

It is essential to encrypt biometric data asymmetrically and to keep the private key secret. That is, you should use be_rsa for the integer parameter BiometricEncryption. With asymmetric encryption, the systems that capture signatures need only the public key; the private key is needed only when encrypted biometric data has to be decrypted later, so it should be stored separately from the signing application and under strict access control. To create the RSA key pair, you can use either KeyTool (which will use a proprietary file format for encrypted private keys, see KeyTool.txt) or any tool that creates an RSA key pair and uses PKCS #1 format (DER or PEM) for the public key and PKCS #12 format for the private key. Alternatively, the public key can also be specified as an X.509 certificate (DER or PEM).

For instance, you can create a key pair using OpenSSL this way:

openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc
openssl pkey -in private.pem -outform der -pubout -out public.der
openssl pkcs12 -export -inkey private.pem -nocerts -out private.der

The first command prompts for a passphrase that protects private.pem; the second command asks for that passphrase again; the third command asks for it once more and then for the PKCS #12 export password. The export password must be non-empty. The public key will be written to public.der, the private key will be written to private.der (a PKCS #12 file despite the .der extension), and the file private.pem can be deleted once private.der has been written and checked.
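The same procedure as a script, added here as an example and not part of the SignDoc SDK documentation: it runs the three OpenSSL steps non-interactively, refuses an empty export password, also produces the X.509 certificate alternative for the public key, and then checks that the public key, the certificate and the private key inside the PKCS #12 file belong to the same key pair before private.pem is removed. The file names follow the page; the function names, the output directory argument and the certificate subject are assumptions of this example. It assumes OpenSSL 1.1.1 or 3.x on the PATH; passwords are taken from the caller rather than hard-coded.

```shell
#!/bin/sh
# Added example, not SignDoc SDK code: create and verify the RSA key pair
# for BiometricEncryption = be_rsa in the formats the documentation lists.
set -eu

# make_biometric_keypair <outdir> <private-key-passphrase> <pkcs12-export-password>
# Writes public.der (DER public key), private.der (PKCS #12 with the private
# key, no certificates) and public.crt (self-signed X.509 certificate carrying
# the same public key). Fails if the export password is empty or if the
# generated files do not match each other.
make_biometric_keypair() {
    dir=$1; keypw=$2; exportpw=$3
    # The SDK requires a non-empty PKCS #12 export password; refuse early.
    if [ -z "$exportpw" ]; then
        echo "export password must be non-empty" >&2
        return 1
    fi
    mkdir -p "$dir"

    # 1. 2048-bit RSA private key, encrypted with AES-256-CBC (as on the page).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$keypw" -out "$dir/private.pem" 2>/dev/null

    # 2. Public key in DER encoding.
    openssl pkey -in "$dir/private.pem" -passin "pass:$keypw" \
        -pubout -outform DER -out "$dir/public.der"

    # 3. Private key wrapped in a password-protected PKCS #12 file.
    openssl pkcs12 -export -nocerts -inkey "$dir/private.pem" \
        -passin "pass:$keypw" -passout "pass:$exportpw" -out "$dir/private.der"

    # 4. Alternative form of the public key: a self-signed X.509 certificate
    #    (subject name is an assumption of this example).
    openssl req -new -x509 -key "$dir/private.pem" -passin "pass:$keypw" \
        -subj "/CN=SignDoc biometric data encryption" -days 3650 \
        -out "$dir/public.crt" 2>/dev/null

    # Check the three artifacts against each other before discarding the PEM key.
    verify_biometric_keypair "$dir" "$exportpw"
    rm -f "$dir/private.pem"
}

# verify_biometric_keypair <dir> <pkcs12-export-password>
# Re-derives the public key from the PKCS #12 private key and from the
# certificate and compares both with public.der. Returns 1 on any mismatch,
# including a wrong export password.
verify_biometric_keypair() {
    dir=$1; exportpw=$2
    tmp=$(mktemp -d)
    rc=0
    # Public key as stored, re-encoded as PEM for a textual comparison.
    openssl pkey -pubin -inform DER -in "$dir/public.der" \
        -out "$tmp/stored.pem" 2>/dev/null || rc=1
    # Public key derived from the private key inside the PKCS #12 container.
    openssl pkcs12 -in "$dir/private.der" -passin "pass:$exportpw" \
        -nocerts -nodes -out "$tmp/priv.pem" 2>/dev/null || rc=1
    openssl pkey -in "$tmp/priv.pem" -pubout -out "$tmp/derived.pem" 2>/dev/null || rc=1
    # Public key inside the certificate.
    openssl x509 -in "$dir/public.crt" -pubkey -noout > "$tmp/cert.pem" 2>/dev/null || rc=1
    cmp -s "$tmp/stored.pem" "$tmp/derived.pem" || rc=1
    cmp -s "$tmp/stored.pem" "$tmp/cert.pem" || rc=1
    rm -rf "$tmp"
    return $rc
}

# Usage: sh make_biometric_keys.sh <outdir> <private-key-passphrase> <export-password>
if [ $# -eq 3 ]; then
    make_biometric_keypair "$1" "$2" "$3"
    echo "key pair written to $1 and verified"
fi
```

The verification step is the part worth keeping even when the keys are generated some other way: a public key that does not match the private key you archived means every signature captured with it has biometric data nobody can ever decrypt.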