Hello World in OpenPGP - encrypting a message

“Hello World” in OpenPGP

In programming language introductions, it’s customary to show a program that prints “Hello World”.

For this series of articles, we’ll start with the equivalent for OpenPGP: We’ll create a new key, encrypt a message to it, and decrypt it again.

Making a new “private key”

To make a new key with SOP, we can run a command like this:

rsop generate-key alice > alice.tsk

This produces an output file named alice.tsk, which contains a new OpenPGP private key. The parameter alice is used as an identity that is associated with the key, and contained in it.

Real-world OpenPGP identities are often shaped like Alice <alice@example.org>, combining a “name” with an “email” part. However, for the purpose of this series of articles, the identity doesn’t matter, so we’re using a simple identity string.[1]

The .tsk file extension of alice.tsk signifies that the file contains the private key material in the OpenPGP “transferable secret key” (TSK) format.

Decrypting a message

If we had a message that was encrypted to Alice’s key, we could now decrypt it by running:

cat encrypted.msg | rsop decrypt alice.tsk

This command would then output the decrypted message.

Obtaining Alice’s certificate

For a third party to interact with Alice, e.g. send encrypted messages to Alice, they need Alice’s certificate (also known as an “OpenPGP public key”).

An OpenPGP certificate is a complex data structure, which combines key material, identities and various metadata.

The certificate (or “public key”) is effectively a subset of the information in alice.tsk. We can extract the certificate from the TSK file by running:

cat alice.tsk | rsop extract-cert > alice.cert

Alice can safely give the contents of the file alice.cert to third parties.

The certificate enables third parties to do two things:

  • Encrypt messages to Alice,
  • Verify cryptographic signatures that Alice has issued.

Depending on the circumstances, Alice might publish her certificate widely (for example on a “public keyserver”, on her website, or as an attachment to each of her emails), or she could choose to only give copies of it individually to select communication partners.
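A check one might run before handing a key file to someone else, as an added example that is not part of the original article or of rsop: it tells a certificate from a TSK by the armor header line, or for binary files by the tag of the first packet. The function names are hypothetical, the sample files are constructed headers rather than real keys, and the check assumes the file starts directly with the armor line or the first packet.

```shell
#!/bin/sh
# Added example (not from the original article): classify a key file
# before sharing it, so that a TSK is never sent in place of a certificate.

# openpgp_kind FILE -> prints "cert", "tsk" or "unknown" (hypothetical helper)
openpgp_kind() {
    # Armored files name their block type on the first line.
    first_line=$(dd if="$1" bs=64 count=1 2>/dev/null | head -n 1 | tr -d '\000\r')
    case $first_line in
        "-----BEGIN PGP PUBLIC KEY BLOCK-----")  echo cert; return 0 ;;
        "-----BEGIN PGP PRIVATE KEY BLOCK-----") echo tsk;  return 0 ;;
    esac
    # Binary files start with a packet header octet:
    # tag 6 = public key packet, tag 5 = secret key packet.
    byte=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    case $byte in
        198|152|153|154|155) echo cert ;;     # 0xC6, or legacy 0x98-0x9B
        197|148|149|150|151) echo tsk ;;      # 0xC5, or legacy 0x94-0x97
        *)                   echo unknown ;;
    esac
}

# safe_to_share FILE -> succeeds only if FILE is a certificate
safe_to_share() {
    [ "$(openpgp_kind "$1")" = cert ]
}

# Demo on constructed header lines (not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo_dir/alice.cert"
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' > "$demo_dir/alice.tsk"
for f in "$demo_dir/alice.cert" "$demo_dir/alice.tsk"; do
    if safe_to_share "$f"; then
        echo "${f##*/}: certificate, OK to share"
    else
        echo "${f##*/}: NOT a certificate, do not share"
    fi
done
rm -rf "$demo_dir"
```

The check only looks at the first block or packet, so it guards against mixing up the two files, not against a file that has been deliberately assembled from several parts.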

Encrypting a message to Alice

Anyone who has a copy of alice.cert can now produce encrypted messages to Alice, for example using SOP, like this:

echo "Hello Alice!" | rsop encrypt alice.cert > encrypted.msg

Anyone who doesn’t have Alice’s private key material can’t obtain the plaintext message content within encrypted.msg.

Alice decrypts the secret message

Alice, however, can use her private key material (in the file alice.tsk) to decrypt the contents of this message, as already shown above:

cat encrypted.msg | rsop decrypt alice.tsk
Hello Alice!

  1. We could also make a key with a longer form identity, like this: rsop generate-key "Alice <alice@example.org>" > alice.tsk, but while we’re just playing, there’s no benefit to this extra bit of complexity.