+.SS "Key data"
+There are two basic formats for keys: the
+.I text
+encoding and the
+.I binary
+encoding. The usual form for keys in a keyring is the text encoding;
+however, keys are represented as binary prior to being encrypted.
+.PP
+The textual form of a key is a comma-separated sequence of
+.IR attributes ,
+followed by a
+.RB ` : '
+and the actual key data. The attributes are as follows.
+.TP
+.BR "binary" ", " "mp" ", " "struct" ", " "encrypt" ", " "string" ", " "ec"
+The key encoding type. This describes the format of the actual key
+data.
+.TP
+.B "symmetric" ", " "private" ", " "public" ", " "shared"
+The kind of key this is. This field can be used to filter public keys
+from private ones.
+.TP
+.B "burn"
+The key is sensitive; it should be stored in secure memory, and properly
+deleted after use.
+.PP
+As mentioned, the format of the key data itself following the colon
+depends on the encoding type. This works as follows.
+.TP
+.B "binary"
+The binary data is base64 encoded (RFC2045).
+.TP
+.B "mp"
+The integer is a string of decimal digits.
+.TP
+.B "struct"
+The representation is a
+.RB ` [ '
+followed by a sequence of
+.IB name = value
+pairs separated by
+.RB ` , ',
+and a final
+.RB ` ] '.
+The names are the subkey labels; the values are the encodings of the
+individual subkeys.
+.TP
+.B "string"
+The string is form-urlencoded (RFC1866).
+.TP
+.B "ec"
+The point at infinity is denoted
+.BR inf ;
+otherwise the point is written as a pair of hexadecimal integers, each
+preceded by
+.B 0x
+and separated by
+.RB ` , '.
+.TP
+.B "encrypt"
+The actual key data is encoded as binary and encrypted; the ciphertext
+is base64 encoded (RFC2045). Encryption works as follows. Let the
+passphrase be
+.I P
+and the plaintext be
+.IR m .
+A 160-bit nonce
+.I N
+is chosen at random. Let
+.IR K \ =\ N \ ||\ K .
+Generate 320 bits of output from RIPEMD-160 in
+MGF1 mode with seed
+.IR K ;
+let
+.I K\*(usE\*(ue
+be the half and
+.I K\*(usT\*(ue
+be the second.
+Encrypt the message
+.I m
+using Blowfish in CBC mode, with ciphertext stealing if necessary, using
+a zero IV and the key
+.IR K\*(usE\*(ue ,
+giving the ciphertext
+.IR y\*(us0\*(ue .
+Let \*(*t be the 160-bit tag obtained from RIPEMD-160 in HMAC mode on
+the message
+.I y\*(us0\*(ue
+and with key
+.IR K\*(usT\*(ue .
+The ciphertext is then
+.IR y \ =\ N \ ||\ \*(*t\ ||\ y\*(us0\*(ue .
+This encryption scheme can be shown to provide integrity of ciphertexts
+and indistinguishability against chosen-ciphertext attack against an
+adversary who doesn't know
+.IR P .