=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-skeyutl - opaque symmetric keys routines

=head1 SYNOPSIS

B<openssl> B<skeyutl>
[B<-help>]
[B<-cipher> I<cipher>]
[B<-skeymgmt> I<skeymgmt>]
[B<-skeyopt> I<opt>:I<value>]
[B<-genkey>]
{- $OpenSSL::safe::opt_provider_synopsis -}

=head1 DESCRIPTION

Not all cipher implementations support keys as raw bytes. E.g. PKCS#11 tokens
can store them internally without any option to get the raw byte representation.

This tool is designed for managing opaque symmetric keys.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-cipher> I<cipher>

The cipher to generate the key for.

=item B<-skeymgmt> I<skeymgmt>

Some providers may support opaque symmetric keys objects. To use them, we need
to know the I<skeymgmt>. If not specified, the name of the cipher will be used.

To find out the name of the suitable symmetric key management,
please refer to the output of the C<openssl list -skey-managers> command.

=item B<-skeyopt> I<opt>:I<value>

To obtain an existing opaque symmetric key or to generate a new one, key
options are specified as opt:value. These options can't be used together with
any options implying raw key either directly or indirectly.

=item B<-genkey>

Generate a new opaque key object.

{- $OpenSSL::safe::opt_provider_item -}

=back

=head1 SEE ALSO

L<openssl-enc(1)>, L<EVP_SKEY(3)>

=head1 HISTORY

The B<skeyutl> command was added in OpenSSL 3.5.

=head1 COPYRIGHT

Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut