Obnamblog2025 Obnam 3: OpenPGP software key credential
  1. Goal
  2. Plan
  3. Notes
  4. Summary
  5. Comments?

Goal

Last time I added some scaffolding to run a SOP implementation. The time before that I rushed into implementing a SOP based credential, but I failed, because I was trying to achieve too much in one session, and I needed the scaffolding to happen first.

Today I'll try again to implement a SOP based credential. Technically, it will be a credential using an OpenPGP software key. This is in contrast to an OpenPGP key on hardware card, such as a Nitrokey or Yubikey, which makes key extraction quite a lot more difficult to an attacker than reading a file.

Plan

  • Add a type for storing a credential as a chunk. This will be similar to struct Chunk in src/chunk.rs. A credential chunk has different internal structure, and at least for now I want to keep it separate from a data chunk. If nothing else, the credential chunk uses different encryption that a data chunk.
  • Add unit tests for encrypting and decrypting credential chunks using a SOP implementation.

That's all. It's a hot summer day and I don't want to fail to achieve everything.

Notes

  • A credential chunk will have the same chunk metadata as a data chunk, but instead of a ciphertext, it will have an encrypted credential.
  • There will be many kinds of credentials. The on-disk storage stores the type of credential and the client key encrypted using the method for that credential type. As Rust:
struct Credential {
    kind: CredentialKind,
    client_key: Vec<u8>,
}
  • To create a credential, we need the client key in plaintext, and whatever is needed for the type of credential we're creating. This probably means using a trait.
  • To decrypt a credential, we need the encrypted client key, the credential type, and whatever is needed for that type.
  • Basically, the user specifies all the kinds of credentials they want to use, and whatever keys or passphrases are needed for each credential. To decrypt, the software then tries every credential specified by the user to find the one that works.
  • Implemented the OpenPGP software key credential itself.
  • Implemented the credential chunk.

Summary

I reached my goal today. I have implemented an OpenPGP software key credential and tests to verify it can encrypt a client key and decrypt it back again.

Comments?

If you have feedback on this development session, please use the following fediverse thread: https://toot.liw.fi/@liw/114840688883532629.