Stateless OpenPGP ("SOP")

Stateless OpenPGP (SOP)

The “Stateless OpenPGP Command Line Interface” is an evolving specification of a vendor-agnostic way to use OpenPGP. The SOP specification outlines a “generic stateless command-line interface for dealing with OpenPGP messages, certificates, and secret key material”.

Many tools, based on a wide range of OpenPGP libraries, implement the SOP standard.

In this text we will often use SOP tools to explore OpenPGP concepts, since they are (by design) both easy to use and easy to reason about.

Specifically, our example commands use rsop (a SOP implementation based on rPGP), but SOP implementations are (by definition) interchangeable, so it usually doesn’t matter which one you use.

rsop can be installed with the Rust cargo tool by running cargo install rsop. Alternatively, it is packaged for some Linux distributions.

Fearless play

One nice thing about SOP tools is that they are, as the name says, “stateless”.

This means that SOP tools don’t persist data on your system implicitly, or read any data from your system, except what you explicitly pass as arguments.

So if you run a series of SOP invocations, say, in the directory /tmp/playing-with-sop, then once you’re done you can just delete that directory, and you’re safely back to square one. Your system’s contents will be the same as before the playing. No keys will linger in some permanent location, and no other OpenPGP subsystems that your system might contain (such as a GnuPG setup in your home directory, or a Thunderbird OpenPGP subsystem) will be altered in any way.
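The throwaway session described above, as an added example that is not part of the original page. It assumes rsop (or another SOP tool named in the SOP variable) is on your PATH; the SOP and PLAY_DIR variables, the user ID and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: a throwaway SOP session. SOP and PLAY_DIR are names chosen here.
SOP="${SOP:-rsop}"   # any SOP implementation should accept the same subcommands
PLAY_DIR=""          # set by sop_session so callers can check the cleanup

sop_session() {
    command -v "$SOP" >/dev/null 2>&1 || { echo "$SOP not found" >&2; return 127; }
    PLAY_DIR=$(mktemp -d "${TMPDIR:-/tmp}/playing-with-sop.XXXXXX") || return 1
    rc=0
    (
        umask 077                      # private key file: owner-only
        cd "$PLAY_DIR" || exit 1
        # The tool only sees its arguments and stdin; everything it
        # produces arrives on stdout, which we redirect into files here.
        "$SOP" generate-key "Alice <alice@example.org>" > alice.key || exit 1
        "$SOP" extract-cert < alice.key > alice.cert || exit 1

        printf 'hello sop\n' > msg.txt
        "$SOP" sign alice.key < msg.txt > msg.sig || exit 1

        # Verifying needs only the certificate and the detached signature.
        "$SOP" verify msg.sig alice.cert < msg.txt || exit 1

        # A modified message must not verify against the same signature.
        printf 'hello sop!\n' > tampered.txt
        if "$SOP" verify msg.sig alice.cert < tampered.txt >/dev/null 2>&1; then
            echo "tampered message verified, something is wrong" >&2
            exit 1
        fi
    ) || rc=$?

    # Back to square one: the key, certificate and signature exist nowhere else.
    rm -rf -- "$PLAY_DIR"
    return "$rc"
}

sop_session || echo "session ended with status $?" >&2
```

The directory gets a random suffix from mktemp rather than the fixed name used in the text, so a second run or another local user cannot collide with it.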

Production use

If you wanted to use SOP to deal with a key that you want to use on a permanent basis, you would need to think about storing this (private) key on your system for ongoing use.

However, in this series of articles, we won’t deal with “serious” keys for permanent use. We will instead focus on playing with temporary keys, which are only used for learning purposes.