Types of OpenPGP data

The stuff OpenPGP is made of

In the previous chapter we made a new private key, extracted the public-facing certificate, and encrypted a message.

This already covers most of the existing types of OpenPGP data. In this chapter we’ll take stock of all the types of artifacts that exist in the world of OpenPGP.

Key material: Certificates and private keys

The central element that all OpenPGP operations revolve around is the (asymmetric) cryptographic key material that OpenPGP public keys (certificates) and private/secret keys (often in the form of “transferable secret keys”) are made of.

We’ll discuss keys and certificates in more depth in later chapters. You may want to read the openpgp.dev chapter on “Certificates” to familiarize yourself with the structure of OpenPGP certificates.

Messages

OpenPGP messages are a very flexible concept. Every OpenPGP message consists of one payload - some text or binary data - which can then be processed in different ways, to different ends:

  • The payload can be encrypted, to conceal the contents from prying eyes
  • The payload can be signed, by which the signer could e.g. certify that they are the author of the text (or that they make some other assertion about it)[1]
  • The payload can be both encrypted and signed

All regular OpenPGP messages are stored in formats that are not designed for convenient human inspection (without the assistance of software tools). This is not a privacy property, however: only encrypted messages protect the plaintext from third parties. A message that is merely signed can be read by anyone with OpenPGP software.

Cleartext signed messages

A special case are “cleartext signed messages”, which represent a message body in a human-readable format, combined with a signature that certifies that message.

This format was a popular method to send email messages that are human-readable without any additional software support in the email client, but also contain a cryptographic signature that can be verified by recipients who do have OpenPGP software support.

Detached signatures

The final type of OpenPGP data are “detached” signatures. Such a signature can be used to verify the data that the signature was made over.

These are not counted as an “OpenPGP message”, but you can think of them as one half of a signed message: the detached signature and the payload could be combined into an OpenPGP message. However, in some contexts it’s more convenient to handle these two elements separately. For example, some Linux distributions ship pairs of 1) a payload (e.g. an installable package) and 2) a detached signature over it. This way, the installable packages can be handled regularly, e.g. by package installation tools, and - separately - cryptographically validated against the detached signature files when required.
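To make these categories concrete, here is an added example (not from this book or from any OpenPGP implementation) that names the artifact type of an ASCII-armored blob from its armor label and, for messages, from the tag of the first packet, which is what separates an encrypted message from one that is merely signed. The sample artifacts are constructed inside the block and carry stub packets only; the `armor()` helper and the packet-tag table are assumptions made for this demonstration.

```python
import base64
import re
# Armor labels (RFC 4880 section 6.2) mapped to the artifact types this chapter lists.
ARMOR_TYPES = {
    "PGP PUBLIC KEY BLOCK": "certificate (public key)",
    "PGP PRIVATE KEY BLOCK": "transferable secret key",
    "PGP SIGNED MESSAGE": "cleartext signed message",
    "PGP SIGNATURE": "detached signature",
    "PGP MESSAGE": "message",
}
# Packet tags that may open a binary message; only ESK-first messages are encrypted.
FIRST_PACKET_KIND = {1: "encrypted (public-key ESK)", 3: "encrypted (symmetric-key ESK)",
                     4: "signed (one-pass signature)", 2: "signed (signature packet)",
                     8: "compressed", 11: "literal data (neither encrypted nor signed)"}

def first_packet_tag(data: bytes) -> int:
    """Tag of the first packet: new-format headers keep it in the low 6 bits, old-format in bits 2-5."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def armor_body(armored: str) -> bytes:
    """Base64-decode an armored block, skipping armor headers, the CRC line and the END line."""
    body, in_body = [], False
    for line in armored.strip().splitlines()[1:]:          # [0] is the BEGIN line
        if not in_body and (line.strip() == "" or ":" in line):
            in_body = line.strip() == ""                     # blank line ends the header section
            continue
        in_body = True
        if line.startswith(("=", "-----END")):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))

def classify(armored: str) -> str:
    """Name the OpenPGP artifact type of an ASCII-armored blob, as this chapter groups them."""
    m = re.match(r"-----BEGIN (PGP [A-Z ]+)-----", armored.lstrip())
    if not m or m.group(1) not in ARMOR_TYPES:
        raise ValueError("not a recognised OpenPGP armored artifact")
    label = m.group(1)
    if label == "PGP SIGNED MESSAGE" and "-----BEGIN PGP SIGNATURE-----" not in armored:
        raise ValueError("cleartext signed message is missing its signature block")
    if label != "PGP MESSAGE":
        return ARMOR_TYPES[label]
    tag = first_packet_tag(armor_body(armored))
    return "message, " + FIRST_PACKET_KIND.get(tag, f"first packet tag {tag}")

def armor(label: str, packets: bytes) -> str:  # constructed sample; CRC line omitted (optional in RFC 9580)
    return f"-----BEGIN {label}-----\n\n{base64.b64encode(packets).decode()}\n-----END {label}-----\n"
```

Feeding `classify()` a real armored file from the previous chapter reports the same categories; the stub packets here are just enough bytes to carry a packet header.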


[1] Note that multiple signers can sign any given message.