Types of OpenPGP data

The stuff OpenPGP is made of

In the previous chapter we made a new private key, extracted the public-facing certificate, and encrypted a message.

This already covers most of the existing types of OpenPGP data. In this article we’ll take stock of all the types of artifacts that exist in the world of OpenPGP.

Key material: Certificates and private keys

The central element that all OpenPGP operations revolve around is the (asymmetric) cryptographic key material that OpenPGP public keys (certificates) and private/secret keys (often in the form of “transferable secret keys”) are made of.

We’ll discuss keys and certificates in more depth in later chapters. You may want to read the openpgp.dev chapter on “Certificates” to familiarize yourself with the structure of OpenPGP certificates.

Messages

OpenPGP messages are a very flexible concept. Every OpenPGP message consists of one payload - some text or binary data - which can then be processed in different ways, to different ends:

  • The payload can be encrypted, to conceal the contents from prying eyes [1]
  • The payload can be signed, by which a signer can e.g. certify that they are the author of the text (or that they make some other assertion about it) [2]
  • The payload can be both encrypted and signed

Most OpenPGP messages are stored in formats that are not designed for convenient human inspection (without the assistance of software tools), for a variety of reasons (including the optional ASCII armor or compression).

However, only encrypted messages offer serious protection against third parties reading the plaintext.

Cleartext signed messages

A special case is the “cleartext signed message”, which combines a message body in a human-readable format with a footer-like signature block that certifies that message.

This format was a popular way to send email messages that are human-readable without any additional support in the email software, yet also contain a cryptographic signature that can be verified by recipients whose software supports OpenPGP.

Detached signatures

The final type of OpenPGP data is the “detached” signature. Such a signature acts as a companion to some data file. The signature file can be used to validate the contents of that data file.

Detached signatures are not counted as an “OpenPGP message”, but you can think of them as one half of a signed message: The detached signature and the data file which it signs could in principle be combined into an OpenPGP message.

However, in some contexts it’s more convenient to handle these two elements separately. For example, some Linux distributions do this for pairs of 1) payload (e.g. installable packages) and 2) detached signatures. This way, the installable packages can be handled as usual, e.g. by package installation tools, and, separately, cryptographically validated against the detached signature files when required.
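
The types listed in this chapter can be told apart from the armor line or the first packet headers of a file. The following Python code is an added example (not part of the original text, and not taken from any OpenPGP implementation) that parses the ASCII armor and the packet headers defined in RFC 4880 / RFC 9580 and names the kind of data. The function names, the result labels and the sample bytes are constructed for illustration.

```python
import base64

# Type ID of the first packet (RFC 4880 / RFC 9580) -> the kind of data it introduces.
KIND = {6: "certificate", 5: "private key",              # Public-Key, Secret-Key
        1: "encrypted message", 3: "encrypted message",  # PKESK, SKESK
        18: "encrypted message", 4: "signed message",    # SEIPD, One-Pass Signature
        2: "signed message", 8: "unprotected message", 11: "unprotected message"}

def dearmor(text):
    """Decode one ASCII-armored block to binary, skipping armor headers and CRC line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]          # after the blank line, before END
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packet_tags(data):
    """Walk the packet headers; return the top-level packet type IDs in order."""
    tags, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80: raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                            # current header format
            tag, partial = hdr & 0x3F, True
            while partial:                        # partial-body chunks chain lengths
                o, i = data[i], i + 1
                partial = 224 <= o < 255
                if o < 192: n = o
                elif o < 224: n, i = ((o - 192) << 8) + data[i] + 192, i + 1
                elif o == 255: n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
                else: n = 1 << (o & 0x1F)
                i += n
        else:                                     # legacy format; width 8 = indeterminate
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            i = len(data) if width == 8 else i + width + int.from_bytes(data[i:i + width], "big")
        tags.append(tag)
    return tags

def classify(blob):
    """Name the kind of OpenPGP data, judging by its outermost packets only."""
    if isinstance(blob, str):                     # str input is treated as armored
        if blob.lstrip().startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            return "cleartext signed message"
        blob = dearmor(blob)
    tags = packet_tags(blob)
    if set(tags) == {2}: return "detached signature"  # Signature packets, no payload
    return KIND.get(tags[0], "unknown") if tags else "unknown"

# Constructed samples: real header octets, filler bodies (not valid OpenPGP data).
DETACHED_SIG = bytes([0xC2, 3]) + b"sig"
SIGNED_MSG = bytes([0xC4, 3]) + b"ops" + bytes([0xCB, 4]) + b"data" + DETACHED_SIG
ARMORED_ENC = "-----BEGIN PGP MESSAGE-----\n\nwQJza9IEZGF0YQ==\n-----END PGP MESSAGE-----\n"
```

The result reflects only the outermost packets: whether an encrypted message is also signed cannot be seen without decrypting it.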


  1. Note that a message can be encrypted to multiple recipients, without duplicating the (potentially large) payload.

  2. Note that multiple signers can sign any given message.