OpenPGP Utilities

The Crypt21 project is providing a number of OpenPGP related utilities to expand the capabilities of your OpenPGP keys and key rings.


“You are hereby ordered to provide the necessary assistance for decrypting and providing the plaintext of the following encrypted files discovered during the search process...”

Who among us has not had this nightmare? That although you practice safe computing and use a PGP compatible program to protect the privacy of your email and disk files, you might someday be compelled by the force of law, the might of the state, to turn over your keys?

pgpdec can at least minimize the damage. It allows you to decrypt a specified set of files, without turning over your private key ring or your passphrase. And most importantly, it works in a provable, verifiable fashion. The decrypted data it produces can be verified to be accurate and honest.

To this end, pgpdec provides two modes. In decryption mode, it decrypts the public-key encrypted portion of the file and outputs the document-specific key that can be used to decrypt the remainder. Most importantly, it outputs auxiliary information that can be used to verify that the document-specific key is a true and accurate decryption of the public key encrypted data. In verification mode, pgpdec reads the output that was produced in the decryption mode. It verifies that the decrypted document-specific key is in fact valid, using the auxiliary information that was written out earlier. And based on that, it decrypts the file and produces an accurate plaintext.

In the court-order example above, the key holder would use pgpdec in the decryption mode to produce the decryption output for each file specified. This data would then be provided to an officer of the court, who would use the verification mode to make sure that the key holder had done his job honestly, and recover the encrypted plaintext data. In this way the key holder's public key is protected, and he can comply with the court order without revealing any more information than is necessary.


Encrypted and signed messages are the “gold standard” of OpenPGP messaging. Encryption protects the privacy of the message; the signature protects the integrity and provides assurance as to its authenticity. But once you've received and read the data, you have a problem. What format to use to save it?

You can save it as it came in, encrypted and signed, but then whenever you want to refer to the message again, you will have to decrypt it. You lose the ability to search your messages for key words or to scan them via other non-PGP-aware tools. And this may provide more security than you need, since messages stored on your disk are much less vulnerable than messages in transit across the Internet, or you may use an encrypted disk which makes the OpenPGP encryption superfluous.

Or you can save the message in the clear, but now you have given up the guarantee you had of authenticity. Some OpenPGP clients will add annotations to the text to remind you that it at one time had a signature that verified, but those may not be enough in some circumstances. Suppose a dispute arises and you need to be able to prove that the message was legitimately signed? The annotations don't prove that. You've lost the verifiable assurance that you had when you received the message.

That's where pgpdecsigned comes in. This utility works very simply. Given an encrypted and signed message, it decrypts it and outputs the result as a clearsigned message. This can then be verified as usual by your OpenPGP client, but it is in a readable form which is suitable for archiving and processing by text-based tools.

A couple of caveats are in order, though. The OpenPGP spec prescribes some differences in signature verification for clearsigned versus encrypted + signed messages. In some cases this may cause the clearsigned message not to verify properly. Most of the time this is not a problem, in part because some OpenPGP implementations aparently depart from the standard behavior, and so messages like this tend not to interoperate between different implementations.

pgpsigx and sigexchange

“I'll sign yours if you'll sign mine...”

Contract signing, receipt-based email, even digital cash payments, all can be based on the same concept: signature exchange. The idea is simple: each party has a signature on some data (maybe the same data, maybe different) and they are willing to give it up to the other side, but only if they receive the corresponding signature offered by their counterpart.

That's where pgpsigx and sigexchange step in. These utilties allow for gradual, verifiable exchange of signatures. That means that the signatures are exchanged gradually, a bit at a time. If either party breaks off the exchange then at most he has one more bit of the signature than the other. And if that gives him enough information to recover the signature, the same is true of the other side, to within a factor of two. And the exchange is verifiable, meaning that each party first proves to the other that they actually do have the signature in question, and then as they exchange each bit, it is proven to be a legitimate part of the signature - without revealing anything more about the signature itself.

It sounds complicated, but you can now begin experimenting with this protocol using ordinary OpenPGP signed documents. The two parties first produce "cleaned" versions of the signed documents, using pgpsigx --clean. These versions have stripped away the signature information and can then be exchanged with the other side. They each then use pgpsigx --cleancheck to verify that the cleaned documents they received are as expected, and to make sure that a signature on this particular document is what they desire.

Now the sigexchange program is used to actually perform the bit by bit, gradual signature exchange in real time. It takes one to three minutes to exchange a typical signature. And finally, pgpsigx --cleanfix is used to take the newly received signature data and reassemble a valid, OpenPGP signed file with the signature that the other side promised to provide. Both sides have successfully exchanged signatures!