Skip to content
A high-level OpenPGP library
Branch: master
Clone or download

README.md

GopenPGP

GopenPGP is a high-level OpenPGP library built on top of a fork of the golang crypto library.

Table of Contents

Download/Install

  1. Run go get -u github.com/ProtonMail/gopenpgp, or manually git clone this repository into $GOPATH/src/github.com/ProtonMail/gopenpgp.

  2. Install Glide:

    curl https://glide.sh/get | sh
  3. Install dependencies using glide:

    cd $GOPATH/src/github.com/ProtonMail/gopenpgp
    glide install

Documentation

https://godoc.org/github.com/ProtonMail/gopenpgp/crypto

Using with Go Mobile

Setup Go Mobile and build/bind the source code:

Go Mobile repo: https://github.com/golang/mobile Go Mobile wiki: https://github.com/golang/go/wiki/Mobile

  1. Install Go: brew install go

  2. Install Gomobile: go get -u golang.org/x/mobile/cmd/gomobile

  3. Install Gobind: go install golang.org/x/mobile/cmd/gobind

  4. Install Android SDK and NDK using Android Studio

  5. Set env: export ANDROID_HOME="/AndroidSDK" (path to your SDK)

  6. Init gomobile: gomobile init -ndk /AndroidSDK/ndk-bundle/ (path to your NDK)

  7. Build examples: gomobile build -target=android #or ios

    Bind examples: gomobile bind -target ios -o frameworks/name.framework gomobile bind -target android

    The bind will create framework for iOS and jar&aar files for Android (x86_64 and ARM).

Other notes

If you wish to use build.sh, you may need to modify the paths in it.

Interfacing between Go and Swift: https://medium.com/@matryer/tutorial-calling-go-code-from-swift-on-ios-and-vice-versa-with-gomobile-7925620c17a4.

Examples

Set up

import "github.com/ProtonMail/gopenpgp/crypto"

Encrypt and decrypt

Encryption and decryption will use the AES256 algorithm by default.

Encrypt / Decrypt with password

var pgp = crypto.GopenPGP{}

const password = "my secret password"

// Encrypt data with password
armor, err := pgp.EncryptMessageWithPassword("my message", password)

// Decrypt data with password
message, err := pgp.DecryptMessageWithPassword(armor, password)

Encrypt / Decrypt with PGP keys

// put keys in backtick (``) to avoid errors caused by spaces or tabs
const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`

const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key

const passphrase = `the passphrase of the private key` // what the privKey is encrypted with

publicKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))

privateKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))
privateKeyRing.Unlock([]byte(passphrase)) // if private key is locked with passphrase

// encrypt message using public key, can be optionally signed using private key
armor, err := publicKeyRing.EncryptMessage("plain text", privateKeyRing)

// decrypt armored encrypted message using the private key
signedText, err := privateKeyRing.DecryptMessage(armor)
plainText = signedText.String

// verify signature (optional)
signed = signedText.Signed.IsBy(publicKeyRing)

Generate key

Keys are generated with the GenerateKey function, that returns the armored key as a string and a potential error. The library supports RSA with different key lengths or Curve25519 keys.

var pgp = crypto.GopenPGP{}

const (
  localPart = "name.surname"
  domain = "example.com"
  passphrase = "LongSecret"
  rsaBits = 2048
  ecBits = 256
)

// RSA
rsaKey, err := pgp.GenerateKey(localPart, domain, passphrase, "rsa", rsaBits)

// Curve25519
ecKey, err := pgp.GenerateKey(localPart, domain, passphrase, "x25519", ecBits)

Sign plain text messages

To sign plain text data either an unlocked private keyring or a passphrase must be provided. The output is an armored signature.

const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key
passphrase = "LongSecret"
const trimNewlines = false

signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))

signature, err := signingKeyRing.SignTextDetached(plaintext, passphrase, trimNewlines)
// passphrase is optional if the key is already unlocked

To verify a signature either private or public keyring can be provided. The newlines in the text are never trimmed in the verification process. The function outputs a bool, if the verification fails verified will be false, and the error will be not nil.

const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`

const signature = `-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----`

const verifyTime = 0
const trimNewlines = false

signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))

verified, err := signingKeyRing.VerifyTextDetachedSig(signature, signedPlainText, verifyTime, trimNewlines)

Detached signatures for binary data

To sign binary data either an unlocked private keyring or a passphrase must be provided. The output is an armored signature.

const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key
passphrase = "LongSecret"

signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))

signature, err := signingKeyRing.SignBinDetached(data, passphrase)
// passphrase is optional if the key is already unlocked

To verify a signature either private or public keyring can be provided. The newlines in the text are never trimmed in the verification process. The function outputs a bool, if the verification fails verified will be false, and the error will be not nil.

const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`

const signature = `-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----`

const verifyTime = 0

signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))

verified, err := signingKeyRing.VerifyBinDetachedSig(signature, data, verifyTime)
You can’t perform that action at this time.