Intro: Looking at the basics of OpenPGP # This series of articles aims to teach the concepts of OpenPGP, mostly from the perspective of a user. The main goal of these texts is empowerment. My underlying belief is that OpenPGP is much less complex and hard to learn than it might seem. Please get in touch, if any of the content here is confusing, or if there’s material you wish existed, but is currently missing!| Introduction on OpenPGP.foo
rsop # rsop is a Stateless OpenPGP (SOP) CLI tool: https://crates.io/crates/rsop/ Like all SOP tools, rsop enables users to perform common OpenPGP operations with a common simple CLI interface. For an introduction to SOP, see the “Learn” section of this site, which walks through a range of operations and how they can be performed with SOP tools. Architectural layering of rsop # rsop is a modular project. Its two main components are rPGP and rpgpie.| Introduction on OpenPGP.foo
Stateless OpenPGP (SOP) # The “Stateless OpenPGP Command Line Interface” is an evolving specification of a vendor-agnostic way to use OpenPGP. The SOP specification outlines a “generic stateless command-line interface for dealing with OpenPGP messages, certificates, and secret key material”. Many tools, based on a wide range of OpenPGP libraries, implement the SOP standard. In this text we will often use SOP tools to explore OpenPGP concepts, since they are (by design) both easy to us...| Introduction on OpenPGP.foo
“Hello World” in OpenPGP # In programming language introductions, it’s customary to show a program that prints “Hello World”. For this series of articles, we’ll start with the equivalent for OpenPGP: We’ll create a new key, encrypt a message to it, and decrypt it again. Making a new “private key” # To make a new key with SOP, we can run a SOP command like this: rsop generate-key alice > alice.tsk This produces an output file named alice.tsk, which contains a new OpenPGP priv...| Introduction on OpenPGP.foo
openpgp-card-tool “oct” # The oct CLI tool for inspecting, configuring and using OpenPGP card devices. https://crates.io/crates/openpgp-card-tools/ OpenPGP card devices # OpenPGP card devices are a type of hardware security module, specifically aimed at use with OpenPGP. Commonly used OpenPGP card brands and devices include Nitrokey, YubiKey and the Free Software/Open Hardware Gnuk project. The point of OpenPGP card devices is to handle private key material outside the host computer. This...| Introduction on OpenPGP.foo
rsop-oct (rsoct) # A Stateless OpenPGP (SOP) CLI tool based on rPGP, for use with OpenPGP card devices https://crates.io/crates/rsop-oct/ rsoct is a sibling project of rsop. It supports private key operations backed by an OpenPGP card device. Specifically, rsoct can currently be used for decrypt, sign and inline-sign operations backed by private key material on an OpenPGP card device. When running rsoct, users can provide their OpenPGP certificate (aka “public key”) instead of a transfera...| Introduction on OpenPGP.foo
The stuff OpenPGP is made of # In the previous chapter we made a new private key, extracted the public-facing certificate, and encrypted a message. This already covers most of the existing types of OpenPGP data. In this article we’ll take stock of all the types of artifacts that exist in the world of OpenPGP. Key material: Certificates and private keys # The central element that all OpenPGP operations revolve around is the (asymmetric) cryptographic key material that OpenPGP public keys (ce...| Introduction on OpenPGP.foo
Data Signatures # (Data) signatures are a cryptographic tool to demonstrate the authenticity of some data. In the narrowest sense, a data signature shows that some signer has used their key to issue a cryptographic statement about some data (such as an email message, or a source code archive). Typically, OpenPGP data signatures signal either authorship (such as “this email has been written by me”), or approval (such as “this project certifies that this source code archive contains an of...| Introduction on OpenPGP.foo
openpgp-card-ssh-agent # A standalone SSH Agent for use with OpenPGP cards. https://crates.io/crates/openpgp-card-ssh-agent This SSH Agent tool aims for simple and enjoyable UX (including desktop notifications for touch confirmation). It serves the same purpose as the ssh agent feature in the gpg-agent tool. However, this tool always uses pcscd to access cards (and never locks them for exclusive use). See the project documentation above to learn about setting up and using openpgp-card-ssh-agent.| Introduction on OpenPGP.foo
“ASCII Armor” # One of the properties of OpenPGP that is recognizable to many is its “armored” format. For example, certificates (aka public keys) are often seen in armored form like this: -----BEGIN PGP PUBLIC KEY BLOCK----- xjMEaApiDxYJKwYBBAHaRw8BAQdALKjyvqcoQ37MMHV5cIyEZjSK/XxnIAa/L/3c ixX5hkvNBWFsaWNlwpgEEBYIAEAFAmgKYg8WIQTQbolGjae+MmwHtzdpyBjxHjuH [..] =4FiZ -----END PGP PUBLIC KEY BLOCK----- ASCII armored vs. binary # Almost all OpenPGP data can be represented in two formats, w...| Introduction on OpenPGP.foo
oct-git # Git signing and verification with a focus on OpenPGP cards. https://crates.io/crates/openpgp-card-tool-git oct-git can act as a replacement for one mode of operation of the gpg tool, specifically as it is combined with the git version control tool. Signing # git can optionally use an external tool (such as oct-git, or historically gpg) to produce cryptographic signatures for “commits” or “tags”. Issuing signatures is a private-key based operation, which oct-git can perform o...| Introduction on OpenPGP.foo
OpenPGP mechanisms # OpenPGP acts as a toolkit that offers a variety of operations, which may be combined to achieve a variety of goals. Encryption # Encryption, which provides confidentiality, is one central facility of OpenPGP. In a way, encryption is the most non-negotiable element of OpenPGP: When a message is encrypted, only actors who have access to a suitable secret are able to access the contained data.| OpenPGP.foo
A subjective and somewhat random look at OpenPGP # This site is a starting point for any readers who want to learn about OpenPGP. OpenPGP acts as a building block for a diverse range of privacy and security infrastructure, including package integrity validation in many Linux distributions. It is also used for confidentiality by encryption in a wide range of applications. My main goal is empowerment: OpenPGP has a tendency to seem daunting, but really, it’s not rocket science. This site offe...| OpenPGP.foo
This is a short writeup about a new feature in the rsop CLI tool: Since version 0.8.0, rsop can decrypt a GnuPG-proprietary message encryption format. GnuPG sometimes produces non-standard encrypted messages # Unfortunately, under some circumstances, GnuPG produces encrypted messages that are not compatible with the OpenPGP standard. This issue started in its 2.4.x series. GnuPG calls its proprietary format “OCB encrypted data”. However, note that practically all big Linux distributions d...| OpenPGP.foo
This article outlines using the new rpgp CLI tool to inspect OpenPGP certificates (aka “public keys”)1. The rpgp tool is available as part of the rpgpie crate. This article describes the tool as of rpgpie version 0.6.6. rpgp can be installed with the Rust cargo tool like this: cargo install rpgpie --features=cli. Different views of OpenPGP certificate internals # The rpgp tool can show information about OpenPGP certificates in two different modes:| Blog on OpenPGP.foo
Personal blog: One more OpenPGP card # This is a writeup about my OpenPGP card setup. It’s a mix of general observations about OpenPGP card devices and a report about setting up a secondary OpenPGP card for myself. Disclaimer # This article describes a relatively involved setup consisting of two OpenPGP card hardware security devices. I’m describing this setup merely because it is what I currently use, not because I think anyone should mimic it. If you’d rather not use hardware cryptogr...| OpenPGP.foo
Post-quantum cryptography (PQC) # Post-quantum cryptography (PQC) is a branch of cryptography that develops algorithms which are thought to be secure against attacks using hypothetical quantum computers (which don’t exist right now, but may be developed in the future). Development and deployment of such algorithms defends against potential future attacks (in case relevant quantum computers materialize). Defense against potential future attacks with quantum computers is of particular interes...| OpenPGP.foo