
OpenPGP sealed-per-recipient MRE provider for Swarmauri


Swarmauri MRE Crypto PGP

OpenPGP-based multi-recipient encryption providers that implement the IMreCrypto contract. The package includes three concrete providers, all of which rely on PGPy for public-key encryption. Providers that wrap a shared content-encryption key (CEK) additionally require cryptography.

Highlights

  • PGPSealMreCrypto: Implements the sealed_per_recipient mode. Each recipient receives a sealed copy of the plaintext. Associated data (AAD) is not supported, and re-wrapping for new recipients requires the original plaintext via opts["plaintext"].
  • PGPSealedCekMreCrypto: Implements the sealed_cek+aead mode with an AES-256-GCM payload. The CEK is sealed per recipient and can be re-used to add or rotate recipients without decrypting the payload when opts["cek"] or opts["opener_identities"] are supplied.
  • PGPMreCrypto: Composite provider supporting both enc_once+per_recipient_header (AES-256-GCM payload with OpenPGP headers) and sealed_per_recipient. Re-wrapping shared-payload envelopes requires the CEK via opts["cek"] or a managing private key supplied through opts["manage_key"].

All providers fingerprint OpenPGP keys to derive recipient identifiers. Public keys can be supplied as live PGPKey objects or ASCII-armored blobs using the following recipient KeyRef forms:

  • {"kind": "pgpy_pub", "pub": pgpy.PGPKey}
  • {"kind": "pgpy_pub_armored", "pub": "-----BEGIN PGP PUBLIC KEY-----"}
  • {"kind": "pgpy_key", "key": pgpy.PGPKey} (sealed CEK helper that lifts the public subkey from a combined key object)

Use these identity KeyRef forms when opening envelopes:

  • {"kind": "pgpy_priv", "priv": pgpy.PGPKey}
  • {"kind": "pgpy_priv_armored", "priv": "-----BEGIN PGP PRIVATE KEY-----"}
  • {"kind": "pgpy_key", "key": pgpy.PGPKey} (sealed CEK provider)
  • {"kind": "pgpy_key_armored", "key": "-----BEGIN PGP PRIVATE KEY-----"}

Private keys may be locked; pass the unlocking secret in opts["passphrase"].

Installation

Install the provider with your preferred packaging tool:

# pip
pip install swarmauri_mre_crypto_pgp

# Poetry
poetry add swarmauri_mre_crypto_pgp

# uv (project dependency)
uv add swarmauri_mre_crypto_pgp

# uv (virtualenv-only install)
uv pip install swarmauri_mre_crypto_pgp

Usage

import asyncio
from pgpy import PGPKey, PGPUID
from pgpy.constants import (
    CompressionAlgorithm,
    HashAlgorithm,
    KeyFlags,
    PubKeyAlgorithm,
    SymmetricKeyAlgorithm,
)
from swarmauri_mre_crypto_pgp import PGPMreCrypto


async def main():
    # Generate an OpenPGP key pair with pgpy
    key = PGPKey.new(PubKeyAlgorithm.RSAEncryptOrSign, 2048)
    uid = PGPUID.new("Test User", email="test@example.com")
    key.add_uid(
        uid,
        usage={KeyFlags.EncryptCommunications},
        hashes=[HashAlgorithm.SHA256],
        ciphers=[SymmetricKeyAlgorithm.AES256],
        compression=[CompressionAlgorithm.ZLIB],
    )

    # Create references understood by the provider
    pub_ref = {"kind": "pgpy_pub", "pub": key.pubkey}
    priv_ref = {"kind": "pgpy_priv", "priv": key}

    # Encrypt for many and open with the private key
    mre = PGPMreCrypto()
    pt = b"hello"
    env = await mre.encrypt_for_many([pub_ref], pt)
    rt = await mre.open_for(priv_ref, env)
    print(rt)


if __name__ == "__main__":
    asyncio.run(main())

Selecting modes

PGPMreCrypto defaults to MreMode.ENC_ONCE_HEADERS. Pass mode=MreMode.SEALED_PER_RECIPIENT (or the string value) to switch to the sealed-per-recipient variant. PGPSealedCekMreCrypto always operates in the sealed_cek+aead mode and will raise when the envelope mode or algorithms do not match the expected values.

Re-wrapping envelopes

  • Sealed per recipient: Re-wrapping with additional recipients requires opts["plaintext"] so the providers can seal the original payload again.
  • Shared CEK (enc_once / sealed_cek): Supply either the decrypted CEK via opts["cek"] or provide identities capable of opening the envelope through opts["manage_key"] (composite provider) or opts["opener_identities"] (sealed CEK provider). Enable payload rotation with opts["rotate_payload_on_revoke"] to generate a fresh CEK when removing recipients.
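
Why a fresh CEK matters when a recipient is removed from a shared-CEK envelope, as an added example that is not code from swarmauri_mre_crypto_pgp. It assumes the cryptography package, uses RSA-OAEP as a stand-in for OpenPGP sealing of the CEK, and every function and field name in it is hypothetical.

```python
# Added illustration, not swarmauri_mre_crypto_pgp code. RSA-OAEP stands in for
# OpenPGP sealing of the CEK; all function and field names are hypothetical.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def encrypt_once(recipients, plaintext):
    """One AES-256-GCM payload plus one wrapped CEK per recipient public key."""
    cek, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    headers = {rid: pub.encrypt(cek, OAEP) for rid, pub in recipients.items()}
    return {"nonce": nonce, "ct": AESGCM(cek).encrypt(nonce, plaintext, None), "headers": headers}

def unwrap_cek(env, rid, priv):
    return priv.decrypt(env["headers"][rid], OAEP)

def open_with_cek(env, cek):
    return AESGCM(cek).decrypt(env["nonce"], env["ct"], None)

def revoke(env, rid, cek, remaining, rotate):
    """Remove rid. rotate=False only drops the header; rotate=True re-encrypts."""
    if rotate:
        return encrypt_once(remaining, open_with_cek(env, cek))
    return {**env, "headers": {r: h for r, h in env["headers"].items() if r != rid}}

def can_open(env, cek):
    try:
        open_with_cek(env, cek)
        return True
    except InvalidTag:
        return False

def demo():
    # Constructed sample: two throwaway recipients and a short payload.
    keys = {n: rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for n in ("alice", "bob")}
    pubs = {n: k.public_key() for n, k in keys.items()}
    env = encrypt_once(pubs, b"constructed sample payload")
    bob_cek = unwrap_cek(env, "bob", keys["bob"])  # obtained while still a recipient
    cek = unwrap_cek(env, "alice", keys["alice"])
    remaining = {"alice": pubs["alice"]}
    kept = revoke(env, "bob", cek, remaining, rotate=False)
    rotated = revoke(env, "bob", cek, remaining, rotate=True)
    alice_ok = can_open(rotated, unwrap_cek(rotated, "alice", keys["alice"]))
    return can_open(kept, bob_cek), can_open(rotated, bob_cek), alice_ok
```

demo() returns three flags: whether the old CEK still opens the header-only revocation, whether it opens the rotated envelope, and whether the remaining recipient can open the rotated envelope.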

Entry point

Providers are registered under the swarmauri.mre_cryptos entry point as PGPSealMreCrypto, PGPSealedCekMreCrypto, and PGPMreCrypto.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.


Source Distribution

swarmauri_mre_crypto_pgp-0.11.0.dev1.tar.gz (16.0 kB view details)

Uploaded Source

Built Distribution


swarmauri_mre_crypto_pgp-0.11.0.dev1-py3-none-any.whl (18.4 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_mre_crypto_pgp-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_mre_crypto_pgp-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26

File hashes

Hashes for swarmauri_mre_crypto_pgp-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 295d2696d0c9321f3beb00bd078cda3b4a5d6b3a4aca70237227e1f4b6eb5cb0
MD5 8c1cdfa3d24eb0d457e6301b5f34b803
BLAKE2b-256 419ccc7de02ea1305b504e37799505a1a1ae58e0ebd6459ab00c90fcae59f97a


File details

Details for the file swarmauri_mre_crypto_pgp-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_mre_crypto_pgp-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 18.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26

File hashes

Hashes for swarmauri_mre_crypto_pgp-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 e56cb0f43306362a9959423f2b9445c8dd8e195e1245b3717775000400fb2887
MD5 dd304b97049776ec7aea00124c97e211
BLAKE2b-256 5e19410e98aa0ba78bf7f75097ffd456273bf42789b943a9c0c9c30ed328b306
