openpgp-notes/book/source/10-encryption.md

<!--
SPDX-FileCopyrightText: 2023 The "Notes on OpenPGP" project
SPDX-License-Identifier: CC-BY-SA-4.0
-->

(encryption_chapter)=
# Encryption

[Encryption](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-2.1) is one of the core facilities of OpenPGP. It provides confidentiality.

## High-Level overview of the message encryption process

OpenPGP uses a [hybrid cryptosystem](hybrid_cryptosystems). Encryption is performed in two distinct steps:

- The plaintext is encrypted with a (secret) symmetric key, the [*message key*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-confidentiality-via-encrypt). The (potentially large) payload only needs to be stored once in its encrypted form, even if it is encrypted to multiple recipients.
- For each recipient of the message, a packet with information about the message key is generated.
  - Usually, the information that allows retrieval of the message key is encrypted to a public encryption component key of the recipient.
  - Alternatively - or additionally - the secret symmetric key may also be encrypted using a passphrase, in place of an asymmetric key. This is a specialized and less commonly used mode of operation that doesn't require OpenPGP certificates.

## Generations of encryption

There are two generations of OpenPGP's encryption mechanism that the RFC allows for producing new encrypted messages, see [Packet Versions in Encrypted Messages](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-10.3.2.1).

The main difference between these two generations lies in the symmetric part of the mechanism, abbreviated as "SEIPD", for *Symmetrically Encrypted and Integrity Protected Data*.

Older encryption mechanisms existed in OpenPGP, but those must not be used for encryption anymore. More information about these legacy encryption mechanisms can be found in the [decryption](decryption_chapter) chapter.

(SEIPDv2)=
### v2 SEIPD, based on AEAD

This mechanism is new in OpenPGP version 6, and only supported by OpenPGP version 6 implementations. Consequently, ut can only be used when all recipients support OpenPGP version 6.

v2 SEIPD can only be combined with either v6 PKESK or v6 SKESK.

### v1 SEIPD, based on MDC

This mechanism is supported by modern OpenPGP version 4 implementations. It was introduced in [RFC 4880](https://www.rfc-editor.org/rfc/rfc4880.html#section-5.13).

It can only be combined with either v4 PKESK or v3 SKESK.

When communicating with a mix of recipients, some of whose OpenPGP software only supports OpenPGP version 4, then this mechanism must be used.

## Symmetric encryption, SEIPD

This symmetric aspect of OpenPGP's encryption is entirely independent of OpenPGP keys. It only deals with symmetric keys (*session keys* and *message keys*)

## Handling session keys with "ESK"

This is a family of mechanisms for dealing with symmetric key material. It has two branches:

- one that deals with asymmetric OpenPGP key material, and
- (a less commonly used) one that doesn't use OpenPGP asymmetric key material, but instead uses passphrases to protect the symmetric key material.

## Advanced topics

### Encrypt for multiple/single subkey per certificate?

### "Negotiating" algorithms based on recipients preference subpackets

#### Prevent "downgrade" -> Policy

### Implications of how a recipient cert is "addressed" (fingerprint/key-ID vs. user-ID) (preferences, expiration, revocation)

### AEAD modes: GCM

```{admonition} TODO
:class: warning

Produce text around discussion: https://mailarchive.ietf.org/arch/msg/openpgp/ZTYD5VJsG1k2jJBbn5zIAf5o7d4/
```

## Zooming in: Packet structure

### Encryption yields a 'wrapped' openpgp packet stream

### SKESK

Also see https://flowcrypt.com/docs/guide/send-and-receive/send-password-protected-emails.html