minipgp6
A very small implementation of a modern subset of OpenPGP 🔐🤏
Simple, secure, standards-based
minipgp6 is a very lean OpenPGP software stack. It implements a modern subset of the OpenPGP standard as specified in RFC 9580.
It intentionally doesn't aim for backward compatibility with many currently common OpenPGP formats in favor of simplicity. However, all modern OpenPGP implementations will interoperate seamlessly with the formats minipgp6 supports.
This minimalist project will:
- Implement a carefully delineated and practically useful modern subset of OpenPGP, while dropping much of the PGP format's historical complexity
- Enable application developers to integrate modern OpenPGP functionality with a small footprint
- Implement a small "Stateless OpenPGP (SOP)" CLI application
- Explore modular OpenPGP library design
- Aim for easy readability for any readers, including for audits
As an explicitly forward-looking participant in the OpenPGP space, minipgp6 hopes to help the ecosystem to deliberately phase out support for old formats (in contexts where this doesn't hurt users).
Supported Mechanisms
minipgp6 will support the "mandatory-to-implement" mechanisms from RFC 9580 for modern v6 keys and signatures, as well as the AEAD-based SEIPDv2 encryption format.
As a result, minipgp6 will rely on the following cryptographic building blocks:
- Signatures based on Ed25519 (and SHA2-256 hashes)
- Hybrid SEIPDv2 encryption, using
  - X25519 for asymmetric session key encryption, and
  - AES-128 with the OCB AEAD mode for symmetric encryption of data packets
- SHA2-256 fingerprints
- Private key material can be optionally passphrase-locked using Argon2 and OCB AEAD
The core of minipgp6 will only handle "binary" OpenPGP artifacts (ASCII armor support will not be part of the core library).
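As an added illustration (not minipgp6's own code), the sketch below serializes and strictly parses the binary body of a v6 public key packet and computes its SHA2-256 fingerprint and Key ID as RFC 9580 defines them. The function names and the sample key octets are constructed for this example, and rejecting everything except v6 Ed25519 and X25519 keys is an assumption about what a strict subset parser would do.

```python
import hashlib
import struct

# Public-key algorithm IDs assigned in RFC 9580 for the two algorithms listed above.
X25519, ED25519 = 25, 27
KEY_LEN = {X25519: 32, ED25519: 32}  # native public key sizes in octets


def v6_public_key_body(algo: int, created: int, public: bytes) -> bytes:
    """Serialize the body of a v6 Public-Key packet (without the packet header)."""
    if KEY_LEN.get(algo) != len(public):
        raise ValueError("unsupported algorithm or wrong key length")
    # version | creation time | algorithm | key material length | key material
    return struct.pack(">BIBI", 6, created, algo, len(public)) + public


def parse_v6_public_key_body(body: bytes) -> tuple:
    """Strict parser (assumed policy): accept only v6 Ed25519 or X25519 keys."""
    if len(body) < 10:
        raise ValueError("truncated key packet")
    version, created, algo, mlen = struct.unpack(">BIBI", body[:10])
    if version != 6:
        raise ValueError(f"key version {version} is outside the v6 subset")
    if algo not in KEY_LEN:
        raise ValueError(f"algorithm {algo} is outside the subset")
    if mlen != KEY_LEN[algo] or len(body) != 10 + mlen:
        raise ValueError("key material length mismatch")
    return created, algo, body[10:]


def v6_fingerprint(body: bytes) -> bytes:
    """SHA2-256 over 0x9B, the four-octet body length, then the packet body."""
    parse_v6_public_key_body(body)  # refuse to fingerprint malformed input
    return hashlib.sha256(b"\x9b" + struct.pack(">I", len(body)) + body).digest()


def v6_key_id(body: bytes) -> bytes:
    """A v6 Key ID is the high-order 64 bits of the fingerprint."""
    return v6_fingerprint(body)[:8]


# Constructed sample: 32 placeholder octets, not a real Ed25519 public key.
SAMPLE = v6_public_key_body(ED25519, 1_700_000_000, bytes(range(32)))
```

Because the version octet and the length fields are part of the hashed data, the same key material wrapped in a different packet version yields a different fingerprint.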
Interop with other libraries
All modern OpenPGP libraries will be able to interoperate with the formats that minipgp6 supports: Bouncy Castle Java (since version 1.82), GopenPGP (since version 3.0.0), OpenPGP.js (since version 6.0.0), PGPainless (starting with version 2.0.0), Sequoia-PGP (since version 2.0.0), rnp (since version 0.18) [1].
minipgp6 is funded through NGI0 Core, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme.
[1] Only the (historically important) GnuPG project has signaled that it will not support RFC 9580 formats, for the time being. GnuPG has opted to instead fork the OpenPGP standard and go its own incompatible path. Thus, GnuPG won't be able to interoperate with minipgp6.