Stateless OpenPGP
Stateless OpenPGP (SOP) is a standard for commandline interface (CLI) tools to perform OpenPGP operations. It is defined in a dedicated IETF draft outlining its features and syntax.
SOP is a lean approach to signing/verification and encryption/decryption operations on messages. Certificates and/or keys for all operations must be explicitly specified.
Usually private key operations use software keys. However, private key material on hardware security devices can also be used with some SOP implementations.
Many SOP implementations exist and are cross-tested in an interoperability test suite.
Although implementations provide executables of differing names, they all have the same CLI and the core functionality can be used interchangeably.
Installation
Several implementations are available for installation:
Features
While SOP offers a uniform interface, implementations are free to support different subsets of the cryptographic mechanisms that OpenPGP specifies. Different versions of the format as well as hardware backed keys may be supported.
| Package | RFC 4880 (+ RFC 6637) | draft-koch-librepgp | draft-ietf-openpgp-crypto-refresh | Hardware backed keys |
|---|---|---|---|---|
| rsop | Yes | No | No | Yes |
| sequoia-sop | Yes | No | No | No |
Hardware device support
When using hardware security devices, SOP parameters that usually specify private key material instead only specify public key material.
This public key material serves as an explicit reference to locate and use a hardware device that provides the corresponding private key material.
Tips and tricks
The below examples assume, that the name of the SOP executable (e.g. rsop or sqop) is stored in the environment variable $SOP.
rsop is used.
Create a private key
To create an OpenPGP transferable secret key (aka. private key) with the User ID <archie@example.org> use:
$ $SOP generate-key "<archie@example.org>" > archie.tsk
Extract certificate
To extract the certificate (aka. public key) from the created transferable secret key use:
$ $SOP extract-cert > archie.cert < archie.tsk
Create detached signature
To create a detached signature for a message use:
$ echo "Hello world" | $SOP sign archie.tsk > msg.sig
rsop needs to be provided with a certificate instead of a private key:
$ echo "Hello world" | rsop sign archie.cert > msg.sig
Verify detached signature
To verify the detached signature, provide the original message, the signature as well as the OpenPGP certificate:
$ echo "Hello world" | $SOP verify msg.sig archie.cert
2024-02-27T17:36:28Z 12b7169b5fc99d1a2d546b8755d1f4d8a355f3cb 12b7169b5fc99d1a2d546b8755d1f4d8a355f3cb mode:binary
Encrypt a message
Messages can be encrypted by providing the message and the OpenPGP certificate of the recipient:
$ echo "Hello world" | $SOP encrypt archie.cert > encrypted.msg
Decrypt a message
Recipients of encrypted messages can decrypt them by providing the encrypted message and their transferable secret key:
$ $SOP decrypt archie.tsk < encrypted.msg
Hello world
rsop needs to be provided with a certificate instead of a private key:
$ rsop decrypt archie.cert < encrypted.msg
Hello world
Create cleartext signed message
Cleartext signed messages can be created by providing the message and the signer's transferable secret key:
$ echo "Hello world" | $SOP inline-sign --as clearsigned archie.tsk
-----BEGIN PGP SIGNED MESSAGE----- Hello world -----BEGIN PGP SIGNATURE----- wnUEARYKAB0WIQQStxabX8mdGi1Ua4dV0fTYo1XzywUCZd4eOgAKCRBV0fTYo1Xz yyqJAQDUD/lbhqOHL/O0cjtytXQXnMOx5twW3FT3RJPlu9JZUAEA2OAMhzLmX6Bb mXz8Tu0eApqbxu64ksieL8YNN20IwQs= =77wU -----END PGP SIGNATURE-----
rsop works analogous to the example outlined in create detached signature.