I have had some fascination with public/private-key cryptography for some time and even managed to generate a key-pair back in 2014 and uploaded my public key to the MIT server (and more recently OpenPGP key server). More recently I've played around with it because of the soon-to-be implementation of QR Codes being introduced in my province to validate vaccination status. I've been trying to wrap my head around how it will be done and even created a test-bed using various PGP apps I've downloaded, but I had some extra questions. I'm sure someone here can answer them.
First, the QR code vaccine status. My understanding is that the Health Ministry in my province will be signing a block of text containing information like your name, health card number, vaccination dates, etc. When I used my PGP software and signed my text block with my private key, I would see the text still in "plain-text" but there would be a signature tagged on afterward. If I modified the text at all, when I tried to authenticate it would show it was tampered with.
So I am assuming our Health Ministry will be issuing us basically a signed block of text using their private key, turned into a QR code. I signed some text with my private key, converted the block into QR codes, then scanned them back to retrieve the text, dumped the text back into PGP and authenticated with my public key and it proved I was the one that signed the original message and that it wasn't tampered with.
This would be a quick way for people to prove they do not have fake vaccine records, as the information presented at public events/restaurants/etc. would have to be authenticated by a highly publicized Health Ministry public key. And you could only get your vaccine record downloaded and properly signed by the government using a private key which supposedly will be highly secured on their servers.
Now, my question is this... I want to ENCRYPT the text block with my PRIVATE key as well so that the plain-text isn't immediately obvious. Encrypting in and of itself would automatically authenticate because anyone who wanted to see my message could only see it if they used my PUBLIC key on it, right? Why do I need to "sign" it and have a signature tagged after my plain-text message? Could I not just encrypt the whole message?
My PGP software gives me the option of using my PRIVATE key to sign but the software also asks for a recipient's PUBLIC key, assuming that I want to only send the message to that specific person (then they use their PRIVATE key to unlock it, and my PUBLIC key to authenticate it came from me). Is this a limitation with the software I'm using? It will let me SIGN stuff but includes the original message in plain-text. When I want to ENCRYPT it will *NOT* allow me to choose any private keys to encrypt it with... only PUBLIC keys are available.
I thought maybe a way to get around this is to have 2 key-pairs... one for signing and one for encryption purposes. So the one used for encryption would use the PUBLIC key to encrypt, but recipients would need the corresponding PRIVATE key to decrypt... meaning I would have in fact reversed roles... I'd keep the encryption PUBLIC key secret and share the encryption PRIVATE key with everyone out there so they could decrypt any messages I generate.
Also, the second key-pair for signing only, I would use as normal to sign the message, so everyone can authenticate the message has not been tampered with by authenticating it using my Signing PUBLIC key (whose PRIVATE counterpart was used to sign the message).
I don't know if this is just a software issue or I'm thinking about this all wrong. But this is all because my software doesn't let me encrypt messages with my private key, it only lets me sign them with my private key and so the message is retained in plain-text. It only gives me the option to encrypt with someone else's public key... which automatically targets the message to them only. And to get around that I have to make another key-pair which essentially pretends everyone "out there", aka "the public", is one person and so I have to share the "private" key with everybody instead, and keep the public key for myself, which seems kind of backwards.
Any help wrapping my head around this would be great. I can post some examples too if needed on my trials and errors playing around with it.
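The sign, verify and tamper-check round trip described in the post, and the "encrypt with the private key" idea it asks about, sketched as an added example (not the poster's code and not OpenPGP): textbook RSA without padding, using a constructed toy key built from two Mersenne primes that is trivially factorable. All names and the sample record are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, trivially factorable.
# Real OpenPGP keys use random primes and padded signature schemes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (N, E): published to everyone
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: kept by the signer

# Constructed sample record, standing in for the text block inside the QR code.
RECORD = "NAME: Jane Doe; DOSE1: 2021-04-01; DOSE2: 2021-06-15"

def digest(text: str) -> int:
    """SHA-256 of the text as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(text: str) -> int:
    """Private-key operation over the hash; the text itself stays readable."""
    return pow(digest(text), D, N)

def verify(text: str, signature: int) -> bool:
    """Public-key operation: recover the signed hash and compare with the text."""
    return pow(signature, E, N) == digest(text)

def private_transform(text: str) -> int:
    """The same private-key maths applied to the message instead of its hash."""
    m = int.from_bytes(text.encode(), "big")
    if m >= N:
        raise ValueError("message too long for this toy key")
    return pow(m, D, N)

def public_recover(blob: int) -> str:
    """Anyone holding the public key (N, E) can undo private_transform."""
    m = pow(blob, E, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

if __name__ == "__main__":
    sig = sign(RECORD)
    print("untouched record verifies:", verify(RECORD, sig))
    print("edited record verifies:   ", verify(RECORD.replace("06-15", "01-15"), sig))
    # The blob looks opaque, but the key needed to read it is the published one,
    # so this hides nothing from anyone who can also verify signatures.
    print("recovered with public key:", public_recover(private_transform(RECORD)))
```

The private-key transform proves origin just as a signature does, but it keeps nothing secret, because the key that reverses it is the one that is published.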