Hello World in OpenPGP - encrypting a message

“Hello World” in OpenPGP #

In programming language introductions, it’s customary to show a program that prints “Hello World”.

For this series of articles, we’ll start with the equivalent for OpenPGP: We’ll create a new key, encrypt a message to it, and decrypt it again.

Making a new “private key” #

To make a new key with SOP, we can run a SOP command like this:

rsop generate-key alice > alice.tsk

This produces an output file named alice.tsk, which contains a new OpenPGP private key. The parameter alice is used as an identity that is associated with the key, and contained in it.

Note that real-world OpenPGP identities are often shaped like Alice <alice@example.org> (combining a “name” with an “email” part). However, for the purpose of this series of articles, the identity doesn’t matter, so we’re using a simple identity string.1

The file ending of alice.tsk signifies that the file contains the private key material in the OpenPGP “transferable secret key” format.

Decrypting a message #

If we had a message that was encrypted to Alice’s key, we could now decrypt it by running:

cat encrypted.msg | rsop decrypt alice.tsk

This command would then output the decrypted message.

Obtaining Alice’s certificate #

For a third party to interact with Alice, e.g. to send encrypted messages to Alice, they need Alice’s certificate (also known as an “OpenPGP public key”).

An OpenPGP certificate (or “public key”) is a complex data structure, which combines key material, identities and various metadata.

The certificate is a subset of the data in alice.tsk. We can extract the certificate from the TSK file by running:

cat alice.tsk | rsop extract-cert > alice.cert

Alice can safely give the contents of the file alice.cert to third parties.

The certificate enables third parties to do two things:

  • Encrypt messages to Alice,
  • Verify cryptographic signatures that Alice has issued.

Depending on the circumstances, Alice might publish her certificate widely (for example on a “public keyserver”, on her website, or as an attachment to each of her emails), or she could choose to only give copies of it individually to select communication partners.

Encrypting a message to Alice #

Anyone who has a copy of alice.cert can now encrypt messages to Alice. For example using SOP, like this:

echo "Hello Alice!" | rsop encrypt alice.cert > encrypted.msg

Anyone who doesn’t have Alice’s private key material can’t obtain the plaintext message content within encrypted.msg.

Alice decrypts the secret message #

Alice, however, can use her private key material (in the file alice.tsk) to decrypt the contents of this message, as already shown above:

cat encrypted.msg | rsop decrypt alice.tsk
Hello Alice!

  1. We could also make a key with a longer form identity, like this: rsop generate-key "Alice <alice@example.org>" > alice.tsk, but while we’re just playing, there’s no benefit to this extra bit of complexity. ↩︎