Ward and Eric were chatting about handling secrets in Wiki. Jogging my memory about a post by George Reilly about using @yesthattom's Blackbox and Paperkey to manage secrets in Git and CI: blog
Typical PGP Message (Figure from Network Security: Email Security, PKI, Tuomas Aura)
> Only the recipients have the private keys (in theory, at least). Therefore, only a recipient can decrypt the encrypted file.
>
> To decrypt the file for a recipient, GPG:
>
> 1. finds the encrypted session key packet whose keyID matches the recipient’s public key
> 2. decrypts the session key using the recipient’s private key
> 3. decrypts the encrypted, compressed data using the session key
> 4. decompresses the decrypted data
> 5. verifies the signature, if present
> 6. writes the cleartext
>
> This is a hybrid scheme. Symmetric encryption is a lot faster than public key/private key asymmetric encryption, so it’s used to encrypt the actual data. Furthermore, if the data were entirely encrypted with a recipient’s public key, then encrypting for N recipients would mean that the size of the result would be proportional to the number of recipients times the length of the original data. With the hybrid scheme, the header grows a few hundred bytes for each recipient but the data is encrypted only once, with faster encryption.
>
> Blackbox encrypts a registered file with all of the administrators as the recipients, so any administrator can decrypt the file.
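The hybrid layout described in the quoted post can be checked directly with gpg. The script below is an added example, not code from this page, from George Reilly's post, or from the Blackbox project: it creates two throwaway keys (alice@example.com and bob@example.com, constructed names) in a scratch GNUPGHOME, encrypts a constructed sample file first to one recipient and then to both, counts the public-key-encrypted session-key packets with `--list-packets`, measures how many bytes the second recipient added, and decrypts with a single matching private key. It assumes GnuPG 2.1 or later is on PATH as `gpg`.

```shell
#!/bin/sh
# Added example (not from the page, George Reilly's post, or Blackbox itself):
# encrypt one file to several OpenPGP recipients and inspect the result.
# Assumes GnuPG 2.1+ is installed as `gpg`. The user IDs alice@example.com
# and bob@example.com and the plaintext are constructed for this demo.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not found; nothing to demonstrate" >&2
  exit 0
fi

# Scratch keyring so the demo never touches the real ~/.gnupg.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

PLAINTEXT='db_password=constructed-sample-value'

# Create a passphrase-less key for a user ID unless one already exists
# (idempotent, so the functions below can be called more than once).
gen_key() {
  gpg --batch --list-keys "$1" >/dev/null 2>&1 && return 0
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never >/dev/null
}

# encrypt_to SRC OUT RECIPIENT... : one ciphertext, N recipients.
# Blackbox does the equivalent for a registered file, with every admin
# listed as a recipient.
encrypt_to() {
  src="$1"; out="$2"; shift 2
  rcpts=""
  for r in "$@"; do rcpts="$rcpts -r $r"; done
  # --trust-model always only because these throwaway keys were never certified.
  # shellcheck disable=SC2086
  gpg --batch --yes --quiet --trust-model always $rcpts -o "$out" -e "$src"
}

# Number of public-key-encrypted session-key packets in FILE: one per
# recipient, each carrying the keyID that gpg later matches against its own
# private keys (step 1 of the decryption sequence quoted above).
count_pkesk() {
  gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# Bytes added by the second recipient: the size of one more wrapped session
# key, while the encrypted body is shared between both recipients.
header_growth() {
  one=$(wc -c < "$1"); two=$(wc -c < "$2")
  echo $((two - one))
}

# Decrypt with whichever private key matches a session-key packet.
decrypt_file() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' -d "$1"
}

# Build the fixture: two keys, one plaintext, ciphertexts for 1 and 2 recipients.
setup_demo() {
  gen_key alice@example.com
  gen_key bob@example.com
  printf '%s\n' "$PLAINTEXT" > "$GNUPGHOME/secret.txt"
  encrypt_to "$GNUPGHOME/secret.txt" "$GNUPGHOME/one.gpg" alice@example.com
  encrypt_to "$GNUPGHOME/secret.txt" "$GNUPGHOME/both.gpg" alice@example.com bob@example.com
}

main() {
  setup_demo
  echo "session-key packets, 1 recipient:  $(count_pkesk "$GNUPGHOME/one.gpg")"
  echo "session-key packets, 2 recipients: $(count_pkesk "$GNUPGHOME/both.gpg")"
  echo "bytes added by second recipient:   $(header_growth "$GNUPGHOME/one.gpg" "$GNUPGHOME/both.gpg")"
  echo "decrypted with one matching key:   $(decrypt_file "$GNUPGHOME/both.gpg")"
}

main
```

The byte count reported by `header_growth` is the size of a single wrapped session key (a few hundred bytes for an RSA key, well under a hundred for a cv25519 one), and it does not depend on the length of the plaintext; that is the property the post relies on when it says the data is encrypted only once. `--trust-model always` is there solely because the scratch keys were never certified; for a real Blackbox keyring the admin keys should be verified and signed rather than trusted blindly.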