GPG is not designed to be used statelessly. It is built around loading keys into its home directory and managing trust ratings and identity signatures.

In this project, I construct a temporary home directory for each operation, into which only a single key is imported, so that operations can be performed completely independently i.e. in a stateless manner. Keys are stored in text files. With some careful automation, operations such as "display details of all public keys", "verify this signature", and "decrypt this encrypted file" become quite feasible.

In an automated script, it would be most secure to specify a key by its fingerprint, look up the corresponding keyfile, and use this key to perform the required stateless operation. In this way, we avoid the problem of trying to get the full fingerprint from GPG's output (the fingerprint is not always present), by ensuring that one and only one key is available to GPG at any one time.







- Summary
- List Of Operations
- Notes
- GPG 1.4.10 Stateless Operations
- GPG 1.4.10 Stateless Operations With Example Output







1) Create keypair and store it in keyfiles
2) Delete key
3) Display key
4) Display key details
5) Display details of all keys
6) Import key
7) Sign a file using a specific private key, producing a detached signature file
8) Verify the detached signature of a file, checking that the signature was made by a specific public key
9) Encrypt a message file to a specific public key
10) Decrypt an encrypted message file, checking that the decryption was performed using a specific private key













GPG is not designed to be used statelessly. However, a different home directory can be specified in a GPG command, which means that a temporary home directory can be constructed and used for an operation. By only importing a single key into the temporary home directory, we can be sure that the operations succeed or fail based only on the use of this single key.

In this project, keys are stored in text files. I use the term 'keyfile' to refer to a text file that contains a key (whether private or public).

This project draws heavily on prior work in the project Using GPG 1.4.10 statelessly.

In public-key cryptography, a 'key' is really a keypair - a private key and a public key.

A GPG key contains a primary keypair and a subkeypair. The primary keypair is used for signing. The subkeypair is used for encryption. Other people's encrypted messages are encrypted to the public subkey. The private subkey is used to decrypt messages.

These commands emphasise the use of real names, fingerprints, and ASCII armor. A fingerprint is the most unique (least forgeable) way to refer to a key. 'Real name' is just a convenient text value - a key can claim that its real name is X (e.g. "John Smith"), but the actual primary identity is the key. ASCII armor is used for legibility.

A key fingerprint is derived in some way from the hash of a public key. It is a shorthand way to reference the key in a manner that has a good uniqueness guarantee but is shorter than the entire key. User-assigned 'real names' can always be duplicated by a third party, who might wish to create a counterfeit key. A short key ID (the last 8 characters of the fingerprint) is insecure because it is feasible for a third party to attempt to generate another key with the same short key ID. The long key ID (the last 16 characters of the fingerprint) is somewhat harder to forge and is therefore more secure. The real name may be used for convenience and human-readable archival, but the fingerprint should be used within automated scripts. When used as an argument for GPG, a fingerprint must not include spaces.

I initially thought that the private key had its own fingerprint, long key ID, and short key ID. This is not the case. When you display these details for a private key, they are the same as the corresponding details for the public key.

An improved approach for using GPG statelessly:
- store all private keys as text files in a directory.
- store all public keys as text files in a second directory.
- back up keys
- maintain a text file that stores records of key details: public keyfile name, private keyfile name, real name, fingerprint, long key ID, long key ID of the public subkey.
- perform cryptographic operations in a dedicated work directory
In this project, everything happens in a single directory, and no record is kept of key details, but the approach described here would be the next logical step.

You can derive keyfile names from the real name by:
- decapitalising any capital letters
- removing punctuation
- replacing spaces with underscores
- adding the suffix "_private_key.txt" for the private keyfile.
- adding the suffix "_public_key.txt" for public keyfile.

Example: For the name "Test Key 1", I used the following keyfile names:
- test_key_1_private_key.txt
- test_key_1_public_key.txt

The command suffix is used to suppress output.

In operation 9) Encrypt a message file to a specific public key, the command displays the entire fingerprint of the public subkey. This is the only way (that I am aware of) that this can be viewed.

The command sequences in this project set permissions to 700 on the temporary gpg home directory in order to avoid this warning in the output when importing a key:


I have not always preserved the format of any computer output (i.e. from running Bash commands). Examples: Setting input lines in bold text, adding/removing newlines in order to make a sequence of commands easier to read.





























1) Create keypair and store it in keyfiles


Choose a real name for the key. Examples "John Smith", "Edgecase Corporation", "Server 456 - Clive", "Test Key 1". Try to choose a name that is reasonably human-readable. This name will be used in other commands in this project to specify a particular key.

Derive the keyfile names from the real name by:
- decapitalising any capital letters
- removing punctuation
- replacing spaces with underscores
- adding the suffix "_private_key.txt" for the private keyfile.
- adding the suffix "_public_key.txt" for public keyfile.

Example: For the name "Test Key 1", I will use the following keyfile names:
- test_key_1_private_key.txt
- test_key_1_public_key.txt

Command sequence:





Interactive prompts during key generation:
- 1) key type = "1" (RSA and RSA)
- 2) key size = "4096"
- 3) expiry period = "0" (never)
- 4) confirm expiry period = "y"
- 5) real name = "Test Key 1"
- 6) email address = ""
- 7) comment = ""
- 8) confirm real name, email address, and comment = "o"
- 9) passphrase = ""
- 10) confirm passphrase = ""
- 11) [wait for random bytes to be generated - GPG says that it will create a passphrase anyway if an empty one is specified - but I don't think that it actually does]

"" signifies empty string i.e. no input. Press Enter after each prompt to proceed to the next one.














2) Delete key


To delete a key, delete the keyfiles.

Warning: If this is one of your own keys, and the public key has been sent to anyone else, or published somewhere, pause for a minute. You should probably archive it instead of deleting it.

Commands:












3) Display key


To display a key, display the keyfile.

Commands:












4) Display key details


Command sequence for displaying the details of a private key:









Command sequence for displaying the details of a public key:









We can use the and commands without specifying a key because there is only one key in the temporary GPG home directory.








5) Display details of all keys


To display the details of all the keys, repeat the steps in 4) Display key details for each key.

This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:



This Bash command sequence will use GPG to display the key details for all keyfiles in this directory that end in "private_key.txt".

Here is the same example, applied to public keys:



This Bash command sequence will use GPG to display the key details for all keyfiles in this directory that end in "public_key.txt".








6) Import key


In this project's stateless approach, this GPG command is not a standalone operation. Instead, it is used as a component within various operations. I've chosen to explicitly document it as a separate item.

Note: Importing a private key causes GPG to construct and store the corresponding public key.

Command sequence:







can be used in the second command to suppress its output.

Example:



The command does not vary when importing a public key.

Example:










7) Sign a file using a specific private key, producing a detached signature file


A file-to-be-signed must already be present.

Command sequence:
















8) Verify the detached signature of a file, checking that the signature was made by a specific public key


A file and a corresponding detached signature file must already be present.

The command can be used to view the long key ID of the signing key.

Example:



The long key ID is 3F84F8FE258E4B1A.

Now use operation 5) Display details of all keys to produce text that can be searched for this long key ID. Alternatively, if you maintain a text file that records keyfile names, long key IDs, etc, you can look up the long key ID in there.

Now choose the public keyfile that corresponds to this long key ID and run the command sequence.

Command sequence:









The important output line will be:

This shows that GPG considers the digital signature to be mathematically valid. The real name shown in the output line will vary depending on the key that made the signature.

There is also a simpler but slower approach, which is to test all the available public keys against the detached signature file and print output only from a successful verification. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:

hello.txt (the file) and hello.txt.asc (the detached signature file) are already present.



This Bash command sequence will use GPG to attempt to verify the detached signature using every keyfile in this directory that ends in "public_key.txt". It will then print output lines that contain either "Good signature from" or "Primary key fingerprint".








9) Encrypt a message file to a specific public key


A file-to-be-encrypted must already be present.

The option needs a value, which can be the real name or the fingerprint. You can use the real name when performing this operation manually, but you should use the fingerprint when writing a script to automate this operation.

The command will produce an interactive prompt, because (I think) no identity signature for this key is present in the GPG temporary home directory. To answer the prompt, press 'y' and then Enter.

Note: The option (which answers 'y' to most prompts) does not work for this particular prompt.
















10) Decrypt an encrypted message file, checking that the decryption was performed using a specific private key


The encrypted file must already be present.

The command can be used to view the long key ID of the public subkey to which the file was encrypted. I'll refer to this public subkey as the "destination key".

Example:



The long key ID of the destination key is 7CBB1E9750C96C60.

Now use operation 5) Display details of all keys to produce text that can be searched for this long key ID. Alternatively, if you maintain a text file that records keyfile names, long key IDs, long key IDs of public subkeys, etc, you can look up the long key ID in there.

Now choose the private keyfile that corresponds to the long key ID of this destination key and run the command sequence.

Command sequence:









The output lines will be:


The output line

will show that GPG considers the decryption to have been successfully performed. The real name shown in the output will vary depending on the destination key.

Note: The output also contains the real name ("Test Key 1") of the keypair and the long key ID of the destination key (5CE721E1669C4CF2).

There is also a simpler but slower approach, which is to test all the available private keys against the encrypted file and print output only from a successful decryption. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:

hello.asc (the encrypted file) is already present.



This Bash command sequence will use GPG to attempt to decrypt the encrypted file using every keyfile in this directory that ends in "private_key.txt". It will then print output lines that contain the string "DECRYPTION_OKAY".

The output will be:

The OUTPUT variable doesn't preserve the newlines in the output of the decryption command, so the output is a single line.





























In this section, I'm going to run the commands from the GPG 1.4.10 Stateless Operations section and record the output.


System details:
- Name: Shovel
- Specifications: HP 6005 Pro SFF. 3 GHz x86_64 processor (AMD II x4 B95 Quad Core), 4 GB RAM, 1 TB hard drive. Running CentOS 7.6.1810 (Core).
- More information: New computer: Shovel
- Installed items: GCC 4.8.5, Make 3.82, Bash 4.2.46(2), GPG 1.4.10, Gnome 3.28.2.

I installed GPG 1.4.10 on CentOS 7.6 on Shovel in a previous project: Installing GPG 1.4.10 on CentOS 7.6










1) Create keypair and store it in keyfiles


Choose a real name for the key. Examples "John Smith", "Edgecase Corporation", "Server 456 - Clive", "Test Key 1". Try to choose a name that is reasonably human-readable. This name will be used in other commands in this project to specify a particular key.

Derive the keyfile names from the real name by:
- decapitalising any capital letters
- removing punctuation
- replacing spaces with underscores
- adding the suffix "_private_key.txt" for the private keyfile.
- adding the suffix "_public_key.txt" for public keyfile.

Example: For the name "Test Key 1", I will use the following keyfile names:
- test_key_1_private_key.txt
- test_key_1_public_key.txt

Command sequence:





Interactive prompts during key generation:
- 1) key type = "1" (RSA and RSA)
- 2) key size = "4096"
- 3) expiry period = "0" (never)
- 4) confirm expiry period = "y"
- 5) real name = "Test Key 1"
- 6) email address = ""
- 7) comment = ""
- 8) confirm real name, email address, and comment = "o"
- 9) passphrase = ""
- 10) confirm passphrase = ""
- 11) [wait for random bytes to be generated - GPG says that it will create a passphrase anyway if an empty one is specified - but I don't think that it actually does]

"" signifies empty string i.e. no input. Press Enter after each prompt to proceed to the next one.










Worked example:













2) Delete key


To delete a key, delete the keyfiles.

Warning: If this is one of your own keys, and the public key has been sent to anyone else, or published somewhere, pause for a minute. You should probably archive it instead of deleting it.

Commands:








Worked example:


First, archive the keys.





Next, I'll demonstrate deleting the keys.





Next, I'll restore the keys from the archive.





Finally, I'll delete the archive.













3) Display key


To display a key, display the keyfile.

Commands:








Worked example:













4) Display key details


Command sequence for displaying the details of a private key:









Command sequence for displaying the details of a public key:









We can use the and commands without specifying a key because there is only one key in the temporary GPG home directory.




Worked example:


a) Display the details of a private key





The 16-character hex string in the 3rd line is the long key ID:
9787D2579DCC50A2

It is the same as the last 16 characters of the key fingerprint.

The 16-character hex string in the 6th line is the long key ID of the public subkey:
5CE721E1669C4CF2


b) Display the details of a public key





The 16-character hex string in the 3rd line is the long key ID:
9787D2579DCC50A2

It is the same as the last 16 characters of the key fingerprint.

The 16-character hex string in the 6th line is the long key ID of the public subkey:
5CE721E1669C4CF2










5) Display details of all keys


To display the details of all the keys, repeat the steps in 4) Display key details for each key.

This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:



This Bash command sequence will use GPG to display the key details for all keyfiles in this directory that end in "private_key.txt".

Here is the same example, applied to public keys:



This Bash command sequence will use GPG to display the key details for all keyfiles in this directory that end in "public_key.txt".




Worked example:


First, create a second keypair named "Test Key 2". This step is not shown here.


a) Display details of all private keys





b) Display details of all public keys













6) Import key


In the stateless approach in this project, this GPG command is not a standalone operation. Instead, it is used as a component within various operations. It is worth explicitly documenting as a separate item.

Note: Importing a private key causes GPG to construct and store the corresponding public key.

Command sequence:







can be used in the second command to suppress its output.

Example:



The command does not vary when importing a public key.

Example:






Worked example:


a) Import a private key





b) Import a private key and suppress the output





c) Import a public key





d) Import a public key and suppress the output













7) Sign a file using a specific private key, producing a detached signature file


A file-to-be-signed must already be present.

Command sequence:












Worked example:


First, create a file-to-be-signed: hello.txt





Next: Sign the file hello.txt.













8) Verify the detached signature of a file, checking that the signature was made by a specific public key


A file and a corresponding detached signature file must already be present.

The command can be used to view the long key ID of the signing key.

Example:



The long key ID is 3F84F8FE258E4B1A.

Now use operation 5) Display details of all keys to display the details of all the public keys. These details can then be searched for this long key ID. Alternatively, if you maintain a text file that records keyfile names, long key IDs, etc, you can look up the long key ID in there.

Now choose the public keyfile that corresponds to this long key ID and run the command sequence.

Command sequence:









The important output line will be:

This shows that GPG considers the digital signature to be mathematically valid. The real name shown in the output line will vary depending on the key that made the signature.

There is also a simpler but slower approach, which is to test all the available public keys against the detached signature file and print output only from a successful verification. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:

hello.txt (the file) and hello.txt.asc (the detached signature file) are already present.



This Bash command sequence will use GPG to attempt to verify the detached signature using every keyfile in this directory that ends in "public_key.txt". It will then print output lines that contain either "Good signature from" or "Primary key fingerprint".




Worked example:


First, find the long key ID in the detached signature file.




The long key ID is 9787D2579DCC50A2.


Next: Use operation 5) Display details of all keys to display the details of all the public keys. These details can then be searched for this long key ID.





The long key ID 9787D2579DCC50A2 is included in the details of Test Key 1.

Next: Choose the public keyfile that corresponds to this long key ID and run the command sequence.

The corresponding public keyfile is: test_key_1_public_key.txt


Next: Using this keyfile, attempt to verify the detached signature.




The important output line is:

This shows that GPG considers the digital signature to be mathematically valid.


There is also a simpler but slower approach, which is to test all the available public keys against the detached signature file and print output only from a successful verification. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.


Here is an example of automating this process:

hello.txt (the file) and hello.txt.asc (the detached signature file) are already present.




Delete the detached signature file:












9) Encrypt a message file to a specific public key


A file-to-be-encrypted must already be present.

The option needs a value, which can be the real name or the fingerprint. You can use the real name when performing this operation manually, but you should use the fingerprint when writing a script to automate this operation.

The command will produce an interactive prompt, because (I think) no identity signature for this key is present in the GPG temporary home directory. To answer the prompt, press 'y' and then Enter.

Note: The option (which answers 'y' to most prompts) does not work for this particular prompt.












Worked example:


hello.txt is already present.




a) Encrypt the file to a public key, using the real name to specify the key.





b) Encrypt the file to a public key, using the fingerprint to specify the key.


First, delete the existing encrypted file.




Next: Use operation 5) Display details of all keys to display the details of all the public keys. Choose a key to which to encrypt the file hello.txt, then select this key's fingerprint. Remove all spaces from the fingerprint. Alternatively, if you maintain a text file that records keyfile names, fingerprints, etc, you can look up the fingerprint in there.





I'll select Test Key 1. Its fingerprint is:
2AF1 4D88 6911 A54A D957 3494 9787 D257 9DCC 50A2

Without spaces, its fingerprint is:
2AF14D886911A54AD95734949787D2579DCC50A2


Next: Encrypt the file hello.txt to the public key, using the fingerprint to specify the key.













10) Decrypt an encrypted message file, checking that the decryption was performed using a specific private key


The encrypted file must already be present.

The command can be used to view the long key ID of the public subkey to which the file was encrypted. I'll refer to this public subkey as the "destination key".

Example:



The long key ID of the destination key is 7CBB1E9750C96C60.

Now use operation 5) Display details of all keys to produce text that can be searched for this long key ID. Alternatively, if you maintain a text file that records keyfile names, long key IDs, long key IDs of public subkeys, etc, you can look up the long key ID in there.

Now choose the private keyfile that corresponds to the long key ID of this destination key and run the command sequence.

Command sequence:









The output lines will be:


The output line

will show that GPG considers the decryption to have been successfully performed. The real name shown in the output will vary depending on the destination key.

Note: The output also contains the real name ("Test Key 1") of the keypair and the long key ID of the public subkey (5CE721E1669C4CF2).

There is also a simpler but slower approach, which is to test all the available private keys against the encrypted file and print output only from a successful decryption. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.

Here is an example of automating this process:

hello.asc (the encrypted file) is already present.



This Bash command sequence will use GPG to attempt to decrypt the encrypted file using every keyfile in this directory that ends in "private_key.txt". It will then print output lines that contain the string "DECRYPTION_OKAY".

The output will be:

The OUTPUT variable doesn't preserve the newlines in the output of the decryption command, so the output is a single line.




Worked example:


The encrypted file hello.asc is already present.

First, find the long key ID in the encrypted file.




The long key ID of the destination key is 5CE721E1669C4CF2.


Next: Use operation 5) Display details of all keys to display the details of all the public keys. These details can then be searched for this long key ID of the destination key.





The long key ID 5CE721E1669C4CF2 is included in the details of Test Key 1, in the line that starts with "sub".


Next: Choose the private keyfile that corresponds to this long key ID and run the command sequence.

The corresponding private keyfile is: test_key_1_private_key.txt


Next: Using this keyfile, attempt to decrypt the encrypted file.





The output line

shows that GPG considers the decryption to have been successfully performed.


Delete the decrypted file:




There is also a simpler but slower approach, which is to test all the available private keys against the encrypted file and print output only from a successful decryption. This can be done manually, where you change the keyfile name in each use of the command sequence. It can also be automated, using some code.


Here is an example of automating this process:

hello.asc (the encrypted file) is already present.













That's the end of this project.