Rename public/privateKeys to encryption/decryption/signing/verificationKeys (#1299)

- Rename `publicKeys` to `encryptionKeys` or `verificationKeys` depending on their use - Rename `privateKeys` to `decryptionKeys` or `signingKeys` depending on their use - Similarly, rename `toUserIDs` to `encryptionUserIDs` and `fromUserIDs` to `signingUserIDs`
2021-05-17 19:56:28 +03:00 · 2021-05-17 19:56:28 +03:00 · 6299c6dd77
commit 6299c6dd77
parent 93b77669bc
18 changed files with 513 additions and 508 deletions
--- a/openpgp.d.ts
+++ b/openpgp.d.ts
@ -14,7 +14,7 @@ export function readKey(options: { binaryKey: Uint8Array, config?: PartialConfig
 export function readKeys(options: { armoredKeys: string, config?: PartialConfig }): Promise<Key[]>;
 export function readKeys(options: { binaryKeys: Uint8Array, config?: PartialConfig }): Promise<Key[]>;
 export function generateKey(options: KeyOptions): Promise<KeyPair>;
-export function generateSessionKey(options: { publicKeys: Key[], date?: Date, toUserIDs?: UserID[], config?: PartialConfig }): Promise<SessionKey>;
+export function generateSessionKey(options: { encryptionKeys: Key[], date?: Date, encryptionUserIDs?: UserID[], config?: PartialConfig }): Promise<SessionKey>;
 export function decryptKey(options: { privateKey: Key; passphrase?: string | string[]; config?: PartialConfig }): Promise<Key>;
 export function encryptKey(options: { privateKey: Key; passphrase?: string | string[]; config?: PartialConfig }): Promise<Key>;
 export function reformatKey(options: { privateKey: Key; userIDs?: UserID|UserID[]; passphrase?: string; keyExpirationTime?: number; config?: PartialConfig }): Promise<KeyPair>;
@ -212,14 +212,14 @@ export class Message<T extends MaybeStream<Data>> {
  public armor(config?: Config): string;
  /** Decrypt the message
-      @param privateKey private key with decrypted secret data
+      @param decryptionKeys array of private keys with decrypted secret data
  */
-  public decrypt(privateKeys?: Key[], passwords?: string[], sessionKeys?: SessionKey[], config?: Config): Promise<Message<MaybeStream<Data>>>;
+  public decrypt(decryptionKeys?: Key[], passwords?: string[], sessionKeys?: SessionKey[], config?: Config): Promise<Message<MaybeStream<Data>>>;
  /** Encrypt the message
-      @param keys array of keys, used to encrypt the message
+      @param encryptionKeys array of public keys, used to encrypt the message
  */
-  public encrypt(keys?: Key[],  passwords?: string[], sessionKeys?: SessionKey[], wildcard?: boolean, encryptionKeyIDs?: KeyID[], date?: Date, userIDs?: UserID[], config?: Config): Promise<Message<MaybeStream<Data>>>;
+  public encrypt(encryptionKeys?: Key[],  passwords?: string[], sessionKeys?: SessionKey[], wildcard?: boolean, encryptionKeyIDs?: KeyID[], date?: Date, userIDs?: UserID[], config?: Config): Promise<Message<MaybeStream<Data>>>;
  /** Returns the key IDs of the keys to which the session key is encrypted
   */
@ -240,18 +240,18 @@ export class Message<T extends MaybeStream<Data>> {
  public getFilename(): string | null;
  /** Sign the message (the literal data packet of the message)
-      @param privateKey private keys with decrypted secret key data for signing
+      @param signingKeys private keys with decrypted secret key data for signing
  */
-  public sign(privateKey: Key[], signature?: Signature, signingKeyIDs?: KeyID[], date?: Date, userIDs?: UserID[], config?: Config): Promise<Message<T>>;
+  public sign(signingKeys: Key[], signature?: Signature, signingKeyIDs?: KeyID[], date?: Date, userIDs?: UserID[], config?: Config): Promise<Message<T>>;
  /** Unwrap compressed message
   */
  public unwrapCompressed(): Message<T>;
  /** Verify message signatures
-      @param keys array of keys to verify signatures
+      @param verificationKeys array of public keys to verify signatures
  */
-  public verify(keys: Key[], date?: Date, config?: Config): Promise<VerificationResult[]>;
+  public verify(verificationKeys: Key[], date?: Date, config?: Config): Promise<VerificationResult[]>;
  /**
   * Append signature to unencrypted message object
@ -525,9 +525,9 @@ interface EncryptOptions {
  /** message to be encrypted as created by createMessage */
  message: Message<MaybeStream<Data>>;
  /** (optional) array of keys or single key, used to encrypt the message */
-  publicKeys?: Key | Key[];
+  encryptionKeys?: Key | Key[];
  /** (optional) private keys for signing. If omitted message will not be signed */
-  privateKeys?: Key | Key[];
+  signingKeys?: Key | Key[];
  /** (optional) array of passwords or a single password to encrypt the message */
  passwords?: string | string[];
  /** (optional) session key in the form: { data:Uint8Array, algorithm:String } */
@ -540,10 +540,14 @@ interface EncryptOptions {
  date?: Date;
  /** (optional) use a key ID of 0 instead of the public key IDs */
  wildcard?: boolean;
-  /** (optional) user ID to sign with, e.g. { name:'Steve Sender', email:'steve@openpgp.org' } */
+  /** (optional) Array of key IDs to use for signing. Each `signingKeyIDs[i]` corresponds to `signingKeys[i]` */
-  fromUserID?: UserID;
+  signingKeyIDs?: KeyID[];
-  /** (optional) user ID to encrypt for, e.g. { name:'Robert Receiver', email:'robert@openpgp.org' } */
+  /** (optional) Array of key IDs to use for encryption. Each `encryptionKeyIDs[i]` corresponds to `encryptionKeys[i]`*/
-  toUserID?: UserID;
+  encryptionKeyIDs?: KeyID[];
  /** (optional) Array of user IDs to sign with, e.g. { name:'Steve Sender', email:'steve@openpgp.org' } */
  signingUserIDs?: UserID[];
  /** (optional) array of user IDs to encrypt for, e.g. { name:'Robert Receiver', email:'robert@openpgp.org' } */
  encryptionUserIDs?: UserID[];
  config?: PartialConfig;
 }
@ -551,13 +555,13 @@ interface DecryptOptions {
  /** the message object with the encrypted data */
  message: Message<MaybeStream<Data>>;
  /** (optional) private keys with decrypted secret key data or session key */
-  privateKeys?: Key | Key[];
+  decryptionKeys?: Key | Key[];
  /** (optional) passwords to decrypt the message */
  passwords?: string | string[];
  /** (optional) session keys in the form: { data:Uint8Array, algorithm:String } */
  sessionKeys?: SessionKey | SessionKey[];
  /** (optional) array of public keys or single key, to verify signatures */
-  publicKeys?: Key | Key[];
+  verificationKeys?: Key | Key[];
  /** (optional) whether data decryption should fail if the message is not signed with the provided publicKeys */
  expectSigned?: boolean;
  /** (optional) whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines. */
@ -571,12 +575,13 @@ interface DecryptOptions {
 interface SignOptions {
  message: CleartextMessage | Message<MaybeStream<Data>>;
-  privateKeys?: Key | Key[];
+  signingKeys?: Key | Key[];
  armor?: boolean;
  dataType?: DataPacketType;
  detached?: boolean;
  signingKeyIDs?: KeyID[];
  date?: Date;
-  fromUserID?: UserID;
+  signingUserIDs?: UserID[];
  config?: PartialConfig;
 }
@ -584,7 +589,7 @@ interface VerifyOptions {
  /** (cleartext) message object with signatures */
  message: CleartextMessage | Message<MaybeStream<Data>>;
  /** array of publicKeys or single key, to verify signatures */
-  publicKeys: Key | Key[];
+  verificationKeys: Key | Key[];
  /** (optional) whether verification should throw if the message is not signed with the provided publicKeys */
  expectSigned?: boolean;
  /** (optional) whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines. */
--- a/src/message.js
+++ b/src/message.js
@ -104,15 +104,15 @@ export class Message {
  /**
   * Decrypt the message. Either a private key, a session key, or a password must be specified.
-   * @param {Array<Key>} [privateKeys] - Private keys with decrypted secret data
+   * @param {Array<Key>} [decryptionKeys] - Private keys with decrypted secret data
   * @param {Array<String>} [passwords] - Passwords used to decrypt
   * @param {Array<Object>} [sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Message>} New message with decrypted content.
   * @async
   */
-  async decrypt(privateKeys, passwords, sessionKeys, config = defaultConfig) {
+  async decrypt(decryptionKeys, passwords, sessionKeys, config = defaultConfig) {
-    const keyObjs = sessionKeys || await this.decryptSessionKeys(privateKeys, passwords, config);
+    const keyObjs = sessionKeys || await this.decryptSessionKeys(decryptionKeys, passwords, config);
    const symEncryptedPacketlist = this.packets.filterByTag(
      enums.packet.symmetricallyEncryptedData,
@ -155,7 +155,7 @@ export class Message {
  /**
   * Decrypt encrypted session keys either with private keys or passwords.
-   * @param {Array<Key>} [privateKeys] - Private keys with decrypted secret data
+   * @param {Array<Key>} [decryptionKeys] - Private keys with decrypted secret data
   * @param {Array<String>} [passwords] - Passwords used to decrypt
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Array<{
@ -164,7 +164,7 @@ export class Message {
   * }>>} array of object with potential sessionKey, algorithm pairs
   * @async
   */
-  async decryptSessionKeys(privateKeys, passwords, config = defaultConfig) {
+  async decryptSessionKeys(decryptionKeys, passwords, config = defaultConfig) {
    let keyPackets = [];
    let exception;
@ -189,13 +189,13 @@ export class Message {
          }
        }));
      }));
-    } else if (privateKeys) {
+    } else if (decryptionKeys) {
      const pkESKeyPacketlist = this.packets.filterByTag(enums.packet.publicKeyEncryptedSessionKey);
      if (pkESKeyPacketlist.length === 0) {
        throw new Error('No public key encrypted session key packet found.');
      }
      await Promise.all(pkESKeyPacketlist.map(async function(keyPacket) {
-        await Promise.all(privateKeys.map(async function(privateKey) {
+        await Promise.all(decryptionKeys.map(async function(decryptionKey) {
          let algos = [
            enums.symmetric.aes256, // Old OpenPGP.js default fallback
            enums.symmetric.aes128, // RFC4880bis fallback
@ -203,23 +203,23 @@ export class Message {
            enums.symmetric.cast5 // Golang OpenPGP fallback
          ];
          try {
-            const primaryUser = await privateKey.getPrimaryUser(undefined, undefined, config); // TODO: Pass userID from somewhere.
+            const primaryUser = await decryptionKey.getPrimaryUser(undefined, undefined, config); // TODO: Pass userID from somewhere.
            if (primaryUser.selfCertification.preferredSymmetricAlgorithms) {
              algos = algos.concat(primaryUser.selfCertification.preferredSymmetricAlgorithms);
            }
          } catch (e) {}
          // do not check key expiration to allow decryption of old messages
-          const privateKeyPackets = (await privateKey.getDecryptionKeys(keyPacket.publicKeyID, null, undefined, config)).map(key => key.keyPacket);
+          const decryptionKeyPackets = (await decryptionKey.getDecryptionKeys(keyPacket.publicKeyID, null, undefined, config)).map(key => key.keyPacket);
-          await Promise.all(privateKeyPackets.map(async function(privateKeyPacket) {
+          await Promise.all(decryptionKeyPackets.map(async function(decryptionKeyPacket) {
-            if (!privateKeyPacket || privateKeyPacket.isDummy()) {
+            if (!decryptionKeyPacket || decryptionKeyPacket.isDummy()) {
              return;
            }
-            if (!privateKeyPacket.isDecrypted()) {
+            if (!decryptionKeyPacket.isDecrypted()) {
-              throw new Error('Private key is not decrypted.');
+              throw new Error('Decryption key is not decrypted.');
            }
            try {
-              await keyPacket.decrypt(privateKeyPacket);
+              await keyPacket.decrypt(decryptionKeyPacket);
              if (!algos.includes(enums.write(enums.symmetric, keyPacket.sessionKeyAlgorithm))) {
                throw new Error('A non-preferred symmetric algorithm was used.');
              }
@ -290,18 +290,18 @@ export class Message {
  }
  /**
-   * Generate a new session key object, taking the algorithm preferences of the passed public keys into account, if any.
+   * Generate a new session key object, taking the algorithm preferences of the passed encryption keys into account, if any.
-   * @param {Array<Key>} [keys] - Public key(s) to select algorithm preferences for
+   * @param {Array<Key>} [encryptionKeys] - Public key(s) to select algorithm preferences for
   * @param {Date} [date] - Date to select algorithm preferences at
   * @param {Array<Object>} [userIDs] - User IDs to select algorithm preferences for
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<{ data: Uint8Array, algorithm: String }>} Object with session key data and algorithm.
   * @async
   */
-  static async generateSessionKey(keys = [], date = new Date(), userIDs = [], config = defaultConfig) {
+  static async generateSessionKey(encryptionKeys = [], date = new Date(), userIDs = [], config = defaultConfig) {
-    const algorithm = enums.read(enums.symmetric, await getPreferredAlgo('symmetric', keys, date, userIDs, config));
+    const algorithm = enums.read(enums.symmetric, await getPreferredAlgo('symmetric', encryptionKeys, date, userIDs, config));
-    const aeadAlgorithm = config.aeadProtect && await isAEADSupported(keys, date, userIDs, config) ?
+    const aeadAlgorithm = config.aeadProtect && await isAEADSupported(encryptionKeys, date, userIDs, config) ?
-      enums.read(enums.aead, await getPreferredAlgo('aead', keys, date, userIDs, config)) :
+      enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config)) :
      undefined;
    const sessionKeyData = await crypto.generateSessionKey(algorithm);
@ -310,24 +310,24 @@ export class Message {
  /**
   * Encrypt the message either with public keys, passwords, or both at once.
-   * @param {Array<Key>} [keys] - Public key(s) for message encryption
+   * @param {Array<Key>} [encryptionKeys] - Public key(s) for message encryption
   * @param {Array<String>} [passwords] - Password(s) for message encryption
   * @param {Object} [sessionKey] - Session key in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }
   * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs
-   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to publicKeys[i]
+   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to keys[i]
   * @param {Date} [date] - Override the creation date of the literal package
   * @param {Array<Object>} [userIDs] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Message>} New message with encrypted content.
   * @async
   */
-  async encrypt(keys, passwords, sessionKey, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
+  async encrypt(encryptionKeys, passwords, sessionKey, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
    if (sessionKey) {
      if (!util.isUint8Array(sessionKey.data) || !util.isString(sessionKey.algorithm)) {
        throw new Error('Invalid session key for encryption.');
      }
-    } else if (keys && keys.length) {
+    } else if (encryptionKeys && encryptionKeys.length) {
-      sessionKey = await Message.generateSessionKey(keys, date, userIDs, config);
+      sessionKey = await Message.generateSessionKey(encryptionKeys, date, userIDs, config);
    } else if (passwords && passwords.length) {
      sessionKey = await Message.generateSessionKey(undefined, undefined, undefined, config);
    } else {
@ -336,7 +336,7 @@ export class Message {
    const { data: sessionKeyData, algorithm, aeadAlgorithm } = sessionKey;
-    const msg = await Message.encryptSessionKey(sessionKeyData, algorithm, aeadAlgorithm, keys, passwords, wildcard, encryptionKeyIDs, date, userIDs, config);
+    const msg = await Message.encryptSessionKey(sessionKeyData, algorithm, aeadAlgorithm, encryptionKeys, passwords, wildcard, encryptionKeyIDs, date, userIDs, config);
    let symEncryptedPacket;
    if (aeadAlgorithm) {
@ -359,22 +359,22 @@ export class Message {
   * @param {Uint8Array} sessionKey - session key for encryption
   * @param {String} algorithm - session key algorithm
   * @param {String} [aeadAlgorithm] - AEAD algorithm, e.g. 'eax' or 'ocb'
-   * @param {Array<Key>} [publicKeys] - Public key(s) for message encryption
+   * @param {Array<Key>} [encryptionKeys] - Public key(s) for message encryption
   * @param {Array<String>} [passwords] - For message encryption
   * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs
-   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to publicKeys[i]
+   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to encryptionKeys[i]
   * @param {Date} [date] - Override the date
   * @param {Array} [userIDs] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Message>} New message with encrypted content.
   * @async
   */
-  static async encryptSessionKey(sessionKey, algorithm, aeadAlgorithm, publicKeys, passwords, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
+  static async encryptSessionKey(sessionKey, algorithm, aeadAlgorithm, encryptionKeys, passwords, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
    const packetlist = new PacketList();
-    if (publicKeys) {
+    if (encryptionKeys) {
-      const results = await Promise.all(publicKeys.map(async function(publicKey, i) {
+      const results = await Promise.all(encryptionKeys.map(async function(primaryKey, i) {
-        const encryptionKey = await publicKey.getEncryptionKey(encryptionKeyIDs[i], date, userIDs, config);
+        const encryptionKey = await primaryKey.getEncryptionKey(encryptionKeyIDs[i], date, userIDs, config);
        const pkESKeyPacket = new PublicKeyEncryptedSessionKeyPacket();
        pkESKeyPacket.publicKeyID = wildcard ? KeyID.wildcard() : encryptionKey.getKeyID();
        pkESKeyPacket.publicKeyAlgorithm = encryptionKey.keyPacket.algorithm;
@ -427,16 +427,16 @@ export class Message {
  /**
   * Sign the message (the literal data packet of the message)
-   * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
   * @param {Signature} [signature] - Any existing detached signature to add to the message
-   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
+   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
   * @param {Date} [date] - Override the creation time of the signature
   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Message>} New message with signed content.
   * @async
   */
-  async sign(privateKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
+  async sign(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
    const packetlist = new PacketList();
    const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
@ -459,25 +459,25 @@ export class Message {
        onePassSig.hashAlgorithm = signaturePacket.hashAlgorithm;
        onePassSig.publicKeyAlgorithm = signaturePacket.publicKeyAlgorithm;
        onePassSig.issuerKeyID = signaturePacket.issuerKeyID;
-        if (!privateKeys.length && i === 0) {
+        if (!signingKeys.length && i === 0) {
          onePassSig.flags = 1;
        }
        packetlist.push(onePassSig);
      }
    }
-    await Promise.all(Array.from(privateKeys).reverse().map(async function (privateKey, i) {
+    await Promise.all(Array.from(signingKeys).reverse().map(async function (primaryKey, i) {
-      if (privateKey.isPublic()) {
+      if (primaryKey.isPublic()) {
        throw new Error('Need private key for signing');
      }
-      const signingKeyID = signingKeyIDs[privateKeys.length - 1 - i];
+      const signingKeyID = signingKeyIDs[signingKeys.length - 1 - i];
-      const signingKey = await privateKey.getSigningKey(signingKeyID, date, userIDs, config);
+      const signingKey = await primaryKey.getSigningKey(signingKeyID, date, userIDs, config);
      const onePassSig = new OnePassSignaturePacket();
      onePassSig.signatureType = signatureType;
-      onePassSig.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKey.keyPacket, date, userIDs, config);
+      onePassSig.hashAlgorithm = await getPreferredHashAlgo(primaryKey, signingKey.keyPacket, date, userIDs, config);
      onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
      onePassSig.issuerKeyID = signingKey.getKeyID();
-      if (i === privateKeys.length - 1) {
+      if (i === signingKeys.length - 1) {
        onePassSig.flags = 1;
      }
      return onePassSig;
@ -486,7 +486,7 @@ export class Message {
    });
    packetlist.push(literalDataPacket);
-    packetlist.push(...(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIDs, date, userIDs, false, config)));
+    packetlist.push(...(await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, false, config)));
    return new Message(packetlist);
  }
@ -514,26 +514,26 @@ export class Message {
  /**
   * Create a detached signature for the message (the literal data packet of the message)
-   * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
   * @param {Signature} [signature] - Any existing detached signature
-   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
+   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
   * @param {Date} [date] - Override the creation time of the signature
   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Signature>} New detached signature of message content.
   * @async
   */
-  async signDetached(privateKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
+  async signDetached(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {
    const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
    if (!literalDataPacket) {
      throw new Error('No literal data packet to sign.');
    }
-    return new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIDs, date, userIDs, true, config));
+    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, true, config));
  }
  /**
   * Verify message signatures
-   * @param {Array<Key>} keys - Array of keys to verify signatures
+   * @param {Array<Key>} verificationKeys - Array of public keys to verify signatures
   * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   * @returns {Promise<Array<{
@ -543,7 +543,7 @@ export class Message {
   * }>>} List of signer's keyID and validity of signatures.
   * @async
   */
-  async verify(keys, date = new Date(), config = defaultConfig) {
+  async verify(verificationKeys, date = new Date(), config = defaultConfig) {
    const msg = this.unwrapCompressed();
    const literalDataList = msg.packets.filterByTag(enums.packet.literalData);
    if (literalDataList.length !== 1) {
@ -582,14 +582,14 @@ export class Message {
          await writer.abort(e);
        }
      });
-      return createVerificationObjects(onePassSigList, literalDataList, keys, date, false, config);
+      return createVerificationObjects(onePassSigList, literalDataList, verificationKeys, date, false, config);
    }
-    return createVerificationObjects(signatureList, literalDataList, keys, date, false, config);
+    return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, false, config);
  }
  /**
   * Verify detached message signature
-   * @param {Array<Key>} keys - Array of keys to verify signatures
+   * @param {Array<Key>} verificationKeys - Array of public keys to verify signatures
   * @param {Signature} signature
   * @param {Date} date - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
@ -600,14 +600,14 @@ export class Message {
   * }>>} List of signer's keyID and validity of signature.
   * @async
   */
-  verifyDetached(signature, keys, date = new Date(), config = defaultConfig) {
+  verifyDetached(signature, verificationKeys, date = new Date(), config = defaultConfig) {
    const msg = this.unwrapCompressed();
    const literalDataList = msg.packets.filterByTag(enums.packet.literalData);
    if (literalDataList.length !== 1) {
      throw new Error('Can only verify message with one literal data packet.');
    }
    const signatureList = signature.packets;
-    return createVerificationObjects(signatureList, literalDataList, keys, date, true, config);
+    return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config);
  }
  /**
@ -656,9 +656,9 @@ export class Message {
 /**
 * Create signature packets for the message
 * @param {LiteralDataPacket} literalDataPacket - the literal data packet to sign
- * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+ * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
 * @param {Signature} [signature] - Any existing detached signature to append
- * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
+ * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
 * @param {Date} [date] - Override the creationtime of the signature
 * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
 * @param {Boolean} [detached] - Whether to create detached signature packets
@ -667,20 +667,20 @@ export class Message {
 * @async
 * @private
 */
-export async function createSignaturePackets(literalDataPacket, privateKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], detached = false, config = defaultConfig) {
+export async function createSignaturePackets(literalDataPacket, signingKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], detached = false, config = defaultConfig) {
  const packetlist = new PacketList();
  // If data packet was created from Uint8Array, use binary, otherwise use text
  const signatureType = literalDataPacket.text === null ?
    enums.signature.binary : enums.signature.text;
-  await Promise.all(privateKeys.map(async (privateKey, i) => {
+  await Promise.all(signingKeys.map(async (primaryKey, i) => {
    const userID = userIDs[i];
-    if (privateKey.isPublic()) {
+    if (primaryKey.isPublic()) {
      throw new Error('Need private key for signing');
    }
-    const signingKey = await privateKey.getSigningKey(signingKeyIDs[i], date, userID, config);
+    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, userID, config);
-    return createSignaturePacket(literalDataPacket, privateKey, signingKey.keyPacket, { signatureType }, date, userID, detached, config);
+    return createSignaturePacket(literalDataPacket, primaryKey, signingKey.keyPacket, { signatureType }, date, userID, detached, config);
  })).then(signatureList => {
    signatureList.forEach(signaturePacket => packetlist.push(signaturePacket));
  });
@ -696,7 +696,7 @@ export async function createSignaturePackets(literalDataPacket, privateKeys, sig
 * Create object containing signer's keyID and validity of signature
 * @param {SignaturePacket} signature - Signature packet
 * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets
- * @param {Array<Key>} keys - Array of keys to verify signatures
+ * @param {Array<Key>} verificationKeys - Array of public keys to verify signatures
 * @param {Date} date - Verify the signature against the given date,
 *                    i.e. check signature creation time < date < expiration time
 * @param {Boolean} [detached] - Whether to verify detached signature packets
@ -709,12 +709,12 @@ export async function createSignaturePackets(literalDataPacket, privateKeys, sig
 * @async
 * @private
 */
-async function createVerificationObject(signature, literalDataList, keys, date = new Date(), detached = false, config = defaultConfig) {
+async function createVerificationObject(signature, literalDataList, verificationKeys, date = new Date(), detached = false, config = defaultConfig) {
  let primaryKey;
  let signingKey;
  let keyError;
-  for (const key of keys) {
+  for (const key of verificationKeys) {
    const issuerKeys = key.getKeys(signature.issuerKeyID);
    if (issuerKeys.length > 0) {
      primaryKey = key;
@ -772,7 +772,7 @@ async function createVerificationObject(signature, literalDataList, keys, date =
 * Create list of objects containing signer's keyID and validity of signature
 * @param {Array<SignaturePacket>} signatureList - Array of signature packets
 * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets
- * @param {Array<Key>} keys - Array of keys to verify signatures
+ * @param {Array<Key>} verificationKeys - Array of public keys to verify signatures
 * @param {Date} date - Verify the signature against the given date,
 *                    i.e. check signature creation time < date < expiration time
 * @param {Boolean} [detached] - Whether to verify detached signature packets
@ -785,11 +785,11 @@ async function createVerificationObject(signature, literalDataList, keys, date =
 * @async
 * @private
 */
-export async function createVerificationObjects(signatureList, literalDataList, keys, date = new Date(), detached = false, config = defaultConfig) {
+export async function createVerificationObjects(signatureList, literalDataList, verificationKeys, date = new Date(), detached = false, config = defaultConfig) {
  return Promise.all(signatureList.filter(function(signature) {
    return ['text', 'binary'].includes(enums.read(enums.signature, signature.signatureType));
  }).map(async function(signature) {
-    return createVerificationObject(signature, literalDataList, keys, date, detached, config);
+    return createVerificationObject(signature, literalDataList, verificationKeys, date, detached, config);
  }));
 }
--- a/src/openpgp.js
+++ b/src/openpgp.js
@ -228,47 +228,47 @@ export async function encryptKey({ privateKey, passphrase, config }) {
 /**
- * Encrypts message text/data with public keys, passwords or both at once. At least either public keys or passwords
+ * Encrypts message text/data with public keys, passwords or both at once. At least either encryption keys or passwords
- *   must be specified. If private keys are specified, those will be used to sign the message.
+ *   must be specified. If signing keys are specified, those will be used to sign the message.
 * @param {Object} options
 * @param {Message} options.message - Message to be encrypted as created by {@link createMessage}
- * @param {Key|Array<Key>} [options.publicKeys] - Array of keys or single key, used to encrypt the message
+ * @param {Key|Array<Key>} [options.encryptionKeys] - Array of keys or single key, used to encrypt the message
- * @param {Key|Array<Key>} [options.privateKeys] - Private keys for signing. If omitted message will not be signed
+ * @param {Key|Array<Key>} [options.signingKeys] - Private keys for signing. If omitted message will not be signed
 * @param {String|Array<String>} [options.passwords] - Array of passwords or a single password to encrypt the message
 * @param {Object} [options.sessionKey] - Session key in the form: `{ data:Uint8Array, algorithm:String }`
 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
 * @param {Signature} [options.signature] - A detached signature to add to the encrypted message
 * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs
- * @param {Array<module:type/keyid~KeyID>} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each `signingKeyIDs[i]` corresponds to `privateKeys[i]`
+ * @param {Array<module:type/keyid~KeyID>} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each `signingKeyIDs[i]` corresponds to `signingKeys[i]`
- * @param {Array<module:type/keyid~KeyID>} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each `encryptionKeyIDs[i]` corresponds to `publicKeys[i]`
+ * @param {Array<module:type/keyid~KeyID>} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each `encryptionKeyIDs[i]` corresponds to `encryptionKeys[i]`
 * @param {Date} [options.date=current date] - Override the creation date of the message signature
- * @param {Array<Object>} [options.fromUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `privateKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
+ * @param {Array<Object>} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
- * @param {Array<Object>} [options.toUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `publicKeys`, e.g. `[{ name: 'Robert Receiver', email: 'robert@openpgp.org' }]`
+ * @param {Array<Object>} [options.encryptionUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `encryptionKeys`, e.g. `[{ name: 'Robert Receiver', email: 'robert@openpgp.org' }]`
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
 * @returns {Promise<String|ReadableStream<String>|NodeStream<String>|Uint8Array|ReadableStream<Uint8Array>|NodeStream<Uint8Array>>} Encrypted message (string if `armor` was true, the default; Uint8Array if `armor` was false).
 * @async
 * @static
 */
-export function encrypt({ message, publicKeys, privateKeys, passwords, sessionKey, armor = true, detached = false, signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), fromUserIDs = [], toUserIDs = [], config }) {
+export function encrypt({ message, encryptionKeys, signingKeys, passwords, sessionKey, armor = true, detached = false, signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], config }) {
  config = { ...defaultConfig, ...config };
-  checkMessage(message); publicKeys = toArray(publicKeys); privateKeys = toArray(privateKeys); passwords = toArray(passwords); fromUserIDs = toArray(fromUserIDs); toUserIDs = toArray(toUserIDs);
+  checkMessage(message); encryptionKeys = toArray(encryptionKeys); signingKeys = toArray(signingKeys); passwords = toArray(passwords); signingUserIDs = toArray(signingUserIDs); encryptionUserIDs = toArray(encryptionUserIDs);
  if (detached) {
    throw new Error("detached option has been removed from openpgp.encrypt. Separately call openpgp.sign instead. Don't forget to remove privateKeys option as well.");
  }
  return Promise.resolve().then(async function() {
    const streaming = message.fromStream;
-    if (!privateKeys) {
+    if (!signingKeys) {
-      privateKeys = [];
+      signingKeys = [];
    }
-    if (privateKeys.length || signature) { // sign the message only if private keys or signature is specified
+    if (signingKeys.length || signature) { // sign the message only if signing keys or signature is specified
-      message = await message.sign(privateKeys, signature, signingKeyIDs, date, fromUserIDs, config);
+      message = await message.sign(signingKeys, signature, signingKeyIDs, date, signingUserIDs, config);
    }
    message = message.compress(
-      await getPreferredAlgo('compression', publicKeys, date, toUserIDs, config),
+      await getPreferredAlgo('compression', encryptionKeys, date, encryptionUserIDs, config),
      config
    );
-    message = await message.encrypt(publicKeys, passwords, sessionKey, wildcard, encryptionKeyIDs, date, toUserIDs, config);
+    message = await message.encrypt(encryptionKeys, passwords, sessionKey, wildcard, encryptionKeyIDs, date, encryptionUserIDs, config);
    const data = armor ? message.armor(config) : message.write();
    return convertStream(data, streaming, armor ? 'utf8' : 'binary');
  }).catch(onError.bind(null, 'Error encrypting message'));
@ -279,10 +279,10 @@ export function encrypt({ message, publicKeys, privateKeys, passwords, sessionKe
 *   a session key or a password must be specified.
 * @param {Object} options
 * @param {Message} options.message - The message object with the encrypted data
- * @param {Key|Array<Key>} [options.privateKeys] - Private keys with decrypted secret key data or session key
+ * @param {Key|Array<Key>} [options.decryptionKeys] - Private keys with decrypted secret key data or session key
 * @param {String|Array<String>} [options.passwords] - Passwords to decrypt the message
 * @param {Object|Array<Object>} [options.sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String }
- * @param {Key|Array<Key>} [options.publicKeys] - Array of public keys or single key, to verify signatures
+ * @param {Key|Array<Key>} [options.verificationKeys] - Array of public keys or single key, to verify signatures
 * @param {Boolean} [options.expectSigned=false] - If true, data decryption fails if the message is not signed with the provided publicKeys
 * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.
 * @param {Signature} [options.signature] - Detached signature for verification
@ -305,23 +305,23 @@ export function encrypt({ message, publicKeys, privateKeys, passwords, sessionKe
 * @async
 * @static
 */
-export function decrypt({ message, privateKeys, passwords, sessionKeys, publicKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config }) {
+export function decrypt({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config }) {
  config = { ...defaultConfig, ...config };
-  checkMessage(message); publicKeys = toArray(publicKeys); privateKeys = toArray(privateKeys); passwords = toArray(passwords); sessionKeys = toArray(sessionKeys);
+  checkMessage(message); verificationKeys = toArray(verificationKeys); decryptionKeys = toArray(decryptionKeys); passwords = toArray(passwords); sessionKeys = toArray(sessionKeys);
-  return message.decrypt(privateKeys, passwords, sessionKeys, config).then(async function(decrypted) {
+  return message.decrypt(decryptionKeys, passwords, sessionKeys, config).then(async function(decrypted) {
-    if (!publicKeys) {
+    if (!verificationKeys) {
-      publicKeys = [];
+      verificationKeys = [];
    }
    const result = {};
-    result.signatures = signature ? await decrypted.verifyDetached(signature, publicKeys, date, config) : await decrypted.verify(publicKeys, date, config);
+    result.signatures = signature ? await decrypted.verifyDetached(signature, verificationKeys, date, config) : await decrypted.verify(verificationKeys, date, config);
    result.data = format === 'binary' ? decrypted.getLiteralData() : decrypted.getText();
    result.filename = decrypted.getFilename();
    linkStreams(result, message);
    if (expectSigned) {
-      if (publicKeys.length === 0) {
+      if (verificationKeys.length === 0) {
-        throw new Error('Public keys are required to verify message signatures');
+        throw new Error('Verification keys are required to verify message signatures');
      }
      if (result.signatures.length === 0) {
        throw new Error('Message is not signed');
@ -351,30 +351,30 @@ export function decrypt({ message, privateKeys, passwords, sessionKeys, publicKe
 * Signs a message.
 * @param {Object} options
 * @param {CleartextMessage|Message} options.message - (cleartext) message to be signed
- * @param {Key|Array<Key>} options.privateKeys - Array of keys or single key with decrypted secret key data to sign cleartext
+ * @param {Key|Array<Key>} options.signingKeys - Array of keys or single key with decrypted secret key data to sign cleartext
 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
 * @param {Boolean} [options.detached=false] - If the return value should contain a detached signature
- * @param {Array<module:type/keyid~KeyID>} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
+ * @param {Array<module:type/keyid~KeyID>} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
 * @param {Date} [options.date=current date] - Override the creation date of the signature
- * @param {Array<Object>} [options.fromUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `privateKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
+ * @param {Array<Object>} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
 * @returns {Promise<String|ReadableStream<String>|NodeStream<String>|Uint8Array|ReadableStream<Uint8Array>|NodeStream<Uint8Array>>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false).
 * @async
 * @static
 */
-export function sign({ message, privateKeys, armor = true, detached = false, signingKeyIDs = [], date = new Date(), fromUserIDs = [], config }) {
+export function sign({ message, signingKeys, armor = true, detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], config }) {
  config = { ...defaultConfig, ...config };
  checkCleartextOrMessage(message);
  if (message instanceof CleartextMessage && !armor) throw new Error("Can't sign non-armored cleartext message");
  if (message instanceof CleartextMessage && detached) throw new Error("Can't detach-sign a cleartext message");
-  privateKeys = toArray(privateKeys); fromUserIDs = toArray(fromUserIDs);
+  signingKeys = toArray(signingKeys); signingUserIDs = toArray(signingUserIDs);
  return Promise.resolve().then(async function() {
    let signature;
    if (detached) {
-      signature = await message.signDetached(privateKeys, undefined, signingKeyIDs, date, fromUserIDs, config);
+      signature = await message.signDetached(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, config);
    } else {
-      signature = await message.sign(privateKeys, undefined, signingKeyIDs, date, fromUserIDs, config);
+      signature = await message.sign(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, config);
    }
    signature = armor ? signature.armor(config) : signature.write();
    if (detached) {
@ -393,7 +393,7 @@ export function sign({ message, privateKeys, armor = true, detached = false, sig
 * Verifies signatures of cleartext signed message
 * @param {Object} options
 * @param {CleartextMessage|Message} options.message - (cleartext) message object with signatures
- * @param {Key|Array<Key>} options.publicKeys - Array of publicKeys or single key, to verify signatures
+ * @param {Key|Array<Key>} options.verificationKeys - Array of publicKeys or single key, to verify signatures
 * @param {Boolean} [options.expectSigned=false] - If true, verification throws if the message is not signed with the provided publicKeys
 * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.
 * @param {Signature} [options.signature] - Detached signature for verification
@ -415,19 +415,19 @@ export function sign({ message, privateKeys, armor = true, detached = false, sig
 * @async
 * @static
 */
-export function verify({ message, publicKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config }) {
+export function verify({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config }) {
  config = { ...defaultConfig, ...config };
  checkCleartextOrMessage(message);
  if (message instanceof CleartextMessage && format === 'binary') throw new Error("Can't return cleartext message data as binary");
  if (message instanceof CleartextMessage && signature) throw new Error("Can't verify detached cleartext signature");
-  publicKeys = toArray(publicKeys);
+  verificationKeys = toArray(verificationKeys);
  return Promise.resolve().then(async function() {
    const result = {};
    if (signature) {
-      result.signatures = await message.verifyDetached(signature, publicKeys, date, config);
+      result.signatures = await message.verifyDetached(signature, verificationKeys, date, config);
    } else {
-      result.signatures = await message.verify(publicKeys, date, config);
+      result.signatures = await message.verify(verificationKeys, date, config);
    }
    result.data = format === 'binary' ? message.getLiteralData() : message.getText();
    if (message.fromStream) linkStreams(result, message);
@ -458,21 +458,21 @@ export function verify({ message, publicKeys, expectSigned = false, format = 'ut
 /**
 * Generate a new session key object, taking the algorithm preferences of the passed public keys into account.
 * @param {Object} options
- * @param {Key|Array<Key>} options.publicKeys - Array of public keys or single key used to select algorithm preferences for
+ * @param {Key|Array<Key>} options.encryptionKeys - Array of public keys or single key used to select algorithm preferences for
 * @param {Date} [options.date=current date] - Date to select algorithm preferences at
- * @param {Array} [options.toUserIDs=primary user IDs] - User IDs to select algorithm preferences for
+ * @param {Array} [options.encryptionUserIDs=primary user IDs] - User IDs to select algorithm preferences for
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
 * @returns {Promise<{ data: Uint8Array, algorithm: String }>} Object with session key data and algorithm.
 * @async
 * @static
 */
-export function generateSessionKey({ publicKeys, date = new Date(), toUserIDs = [], config }) {
+export function generateSessionKey({ encryptionKeys, date = new Date(), encryptionUserIDs = [], config }) {
  config = { ...defaultConfig, ...config };
-  publicKeys = toArray(publicKeys); toUserIDs = toArray(toUserIDs);
+  encryptionKeys = toArray(encryptionKeys); encryptionUserIDs = toArray(encryptionUserIDs);
  return Promise.resolve().then(async function() {
-    return Message.generateSessionKey(publicKeys, date, toUserIDs, config);
+    return Message.generateSessionKey(encryptionKeys, date, encryptionUserIDs, config);
  }).catch(onError.bind(null, 'Error generating session key'));
 }
@ -484,25 +484,25 @@ export function generateSessionKey({ publicKeys, date = new Date(), toUserIDs =
 * @param {Uint8Array} options.data - The session key to be encrypted e.g. 16 random bytes (for aes128)
 * @param {String} options.algorithm - Algorithm of the symmetric session key e.g. 'aes128' or 'aes256'
 * @param {String} [options.aeadAlgorithm] - AEAD algorithm, e.g. 'eax' or 'ocb'
- * @param {Key|Array<Key>} [options.publicKeys] - Array of public keys or single key, used to encrypt the key
+ * @param {Key|Array<Key>} [options.encryptionKeys] - Array of public keys or single key, used to encrypt the key
 * @param {String|Array<String>} [options.passwords] - Passwords for the message
 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
 * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs
- * @param {Array<module:type/keyid~KeyID>} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to publicKeys[i]
+ * @param {Array<module:type/keyid~KeyID>} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to encryptionKeys[i]
 * @param {Date} [options.date=current date] - Override the date
- * @param {Array} [options.toUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `publicKeys`, e.g. `[{ name: 'Phil Zimmermann', email: 'phil@openpgp.org' }]`
+ * @param {Array} [options.encryptionUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `encryptionKeys`, e.g. `[{ name: 'Phil Zimmermann', email: 'phil@openpgp.org' }]`
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
 * @returns {Promise<String|Uint8Array>} Encrypted session keys (string if `armor` was true, the default; Uint8Array if `armor` was false).
 * @async
 * @static
 */
-export function encryptSessionKey({ data, algorithm, aeadAlgorithm, publicKeys, passwords, armor = true, wildcard = false, encryptionKeyIDs = [], date = new Date(), toUserIDs = [], config }) {
+export function encryptSessionKey({ data, algorithm, aeadAlgorithm, encryptionKeys, passwords, armor = true, wildcard = false, encryptionKeyIDs = [], date = new Date(), encryptionUserIDs = [], config }) {
  config = { ...defaultConfig, ...config };
-  checkBinary(data); checkString(algorithm, 'algorithm'); publicKeys = toArray(publicKeys); passwords = toArray(passwords); toUserIDs = toArray(toUserIDs);
+  checkBinary(data); checkString(algorithm, 'algorithm'); encryptionKeys = toArray(encryptionKeys); passwords = toArray(passwords); encryptionUserIDs = toArray(encryptionUserIDs);
  return Promise.resolve().then(async function() {
-    const message = await Message.encryptSessionKey(data, algorithm, aeadAlgorithm, publicKeys, passwords, wildcard, encryptionKeyIDs, date, toUserIDs, config);
+    const message = await Message.encryptSessionKey(data, algorithm, aeadAlgorithm, encryptionKeys, passwords, wildcard, encryptionKeyIDs, date, encryptionUserIDs, config);
    return armor ? message.armor(config) : message.write();
  }).catch(onError.bind(null, 'Error encrypting session key'));
@ -513,7 +513,7 @@ export function encryptSessionKey({ data, algorithm, aeadAlgorithm, publicKeys,
 *   a password must be specified.
 * @param {Object} options
 * @param {Message} options.message - A message object containing the encrypted session key packets
- * @param {Key|Array<Key>} [options.privateKeys] - Private keys with decrypted secret key data
+ * @param {Key|Array<Key>} [options.decryptionKeys] - Private keys with decrypted secret key data
 * @param {String|Array<String>} [options.passwords] - Passwords to decrypt the session key
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
 * @returns {Promise<Object|undefined>} Array of decrypted session key, algorithm pairs in the form:
@ -522,13 +522,13 @@ export function encryptSessionKey({ data, algorithm, aeadAlgorithm, publicKeys,
 * @async
 * @static
 */
-export function decryptSessionKeys({ message, privateKeys, passwords, config }) {
+export function decryptSessionKeys({ message, decryptionKeys, passwords, config }) {
  config = { ...defaultConfig, ...config };
-  checkMessage(message); privateKeys = toArray(privateKeys); passwords = toArray(passwords);
+  checkMessage(message); decryptionKeys = toArray(decryptionKeys); passwords = toArray(passwords);
  return Promise.resolve().then(async function() {
-    return message.decryptSessionKeys(privateKeys, passwords, config);
+    return message.decryptSessionKeys(decryptionKeys, passwords, config);
  }).catch(onError.bind(null, 'Error decrypting session keys'));
 }
--- a/test/general/brainpool.js
+++ b/test/general/brainpool.js
@ -203,7 +203,7 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
  it('Verify clear signed message', async function () {
    const pub = await load_pub_key('juliet');
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: data.juliet.message_signed });
-    return openpgp.verify({ publicKeys: [pub], message: msg }).then(function(result) {
+    return openpgp.verify({ verificationKeys: [pub], message: msg }).then(function(result) {
      expect(result).to.exist;
      expect(result.data).to.equal(data.juliet.message);
      expect(result.signatures).to.have.length(1);
@ -212,10 +212,10 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
  });
  it('Sign message', async function () {
    const romeoPrivate = await load_priv_key('romeo');
-    const signed = await openpgp.sign({ privateKeys: [romeoPrivate], message: await openpgp.createCleartextMessage({ text: data.romeo.message }) });
+    const signed = await openpgp.sign({ signingKeys: [romeoPrivate], message: await openpgp.createCleartextMessage({ text: data.romeo.message }) });
    const romeoPublic = await load_pub_key('romeo');
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-    const result = await openpgp.verify({ publicKeys: [romeoPublic], message: msg });
+    const result = await openpgp.verify({ verificationKeys: [romeoPublic], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message);
@ -226,7 +226,7 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
    const juliet = await load_pub_key('juliet');
    const romeo = await load_priv_key('romeo');
    const msg = await openpgp.readMessage({ armoredMessage: data.romeo.message_encrypted });
-    const result = await openpgp.decrypt({ privateKeys: romeo, publicKeys: [juliet], message: msg });
+    const result = await openpgp.decrypt({ decryptionKeys: romeo, verificationKeys: [juliet], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message);
@ -237,7 +237,7 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
    const juliet = await load_priv_key('juliet');
    const romeo = await load_pub_key('romeo');
    const msg = await openpgp.readMessage({ armoredMessage: data.romeo.message_encrypted_with_leading_zero_in_hash });
-    const result = await openpgp.decrypt({ privateKeys: juliet, publicKeys: [romeo], message: msg });
+    const result = await openpgp.decrypt({ decryptionKeys: juliet, verificationKeys: [romeo], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message_with_leading_zero_in_hash);
@ -252,7 +252,7 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
    const juliet = await load_priv_key('juliet');
    const romeo = await load_pub_key('romeo');
    const msg = await openpgp.readMessage({ armoredMessage: data.romeo.message_encrypted_with_leading_zero_in_hash_signed_by_elliptic_with_old_implementation });
-    const result = await openpgp.decrypt({ privateKeys: juliet, publicKeys: [romeo], message: msg });
+    const result = await openpgp.decrypt({ decryptionKeys: juliet, verificationKeys: [romeo], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message_with_leading_zero_in_hash_old_elliptic_implementation);
    expect(result.signatures).to.have.length(1);
@ -262,12 +262,12 @@ EJ4QcD/oQ6x1M/8X/iKQCtxZP8RnlrbH7ExkNON5s5g=
  it('Encrypt and sign message', async function () {
    const romeoPrivate = await load_priv_key('romeo');
    const julietPublic = await load_pub_key('juliet');
-    const encrypted = await openpgp.encrypt({ publicKeys: [julietPublic], privateKeys: [romeoPrivate], message: await openpgp.createMessage({ text: data.romeo.message }) });
+    const encrypted = await openpgp.encrypt({ encryptionKeys: [julietPublic], signingKeys: [romeoPrivate], message: await openpgp.createMessage({ text: data.romeo.message }) });
    const message = await openpgp.readMessage({ armoredMessage: encrypted });
    const romeoPublic = await load_pub_key('romeo');
    const julietPrivate = await load_priv_key('juliet');
-    const result = await openpgp.decrypt({ privateKeys: julietPrivate, publicKeys: [romeoPublic], message: message });
+    const result = await openpgp.decrypt({ decryptionKeys: julietPrivate, verificationKeys: [romeoPublic], message: message });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message);
@ -292,29 +292,29 @@ function omnibus() {
    const bye = secondKey.key;
    const pubBye = bye.toPublic();
-    const cleartextMessage = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), privateKeys: hi });
+    const cleartextMessage = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), signingKeys: hi });
    await openpgp.verify({
      message: await openpgp.readCleartextMessage({ cleartextMessage }),
-      publicKeys: pubHi
+      verificationKeys: pubHi
    }).then(output => expect(output.signatures[0].valid).to.be.true);
    // Verifying detached signature
    await openpgp.verify({
      message: await openpgp.createMessage({ text: util.removeTrailingSpaces(testData) }),
-      publicKeys: pubHi,
+      verificationKeys: pubHi,
      signature: (await openpgp.readCleartextMessage({ cleartextMessage })).signature
    }).then(output => expect(output.signatures[0].valid).to.be.true);
    // Encrypting and signing
    const encrypted = await openpgp.encrypt({
      message: await openpgp.createMessage({ text: testData2 }),
-      publicKeys: [pubBye],
+      encryptionKeys: [pubBye],
-      privateKeys: [hi]
+      signingKeys: [hi]
    });
    // Decrypting and verifying
    return openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage: encrypted }),
-      privateKeys: bye,
+      decryptionKeys: bye,
-      publicKeys: [pubHi]
+      verificationKeys: [pubHi]
    }).then(output => {
      expect(output.data).to.equal(testData2);
      expect(output.signatures[0].valid).to.be.true;
--- a/test/general/config.js
+++ b/test/general/config.js
@ -242,7 +242,7 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
      const userIDs = { name: 'Test User', email: 'text2@example.com' };
      const { key } = await openpgp.generateKey({ userIDs });
      await expect(openpgp.encrypt({
-        message, publicKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.ecdh]) }
+        message, encryptionKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.ecdh]) }
      })).to.be.eventually.rejectedWith(/ecdh keys are considered too weak/);
    } finally {
      openpgp.config.aeadProtect = aeadProtectVal;
@ -256,19 +256,19 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const userIDs = { name: 'Test User', email: 'text2@example.com' };
    const { key } = await openpgp.generateKey({ userIDs, type: 'rsa', rsaBits: 2048 });
-    const armoredMessage = await openpgp.encrypt({ message, publicKeys:[key], privateKeys: [key] });
+    const armoredMessage = await openpgp.encrypt({ message, encryptionKeys:[key], signingKeys: [key] });
    const { data, signatures } = await openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage }),
-      privateKeys: [key],
+      decryptionKeys: [key],
-      publicKeys: [key]
+      verificationKeys: [key]
    });
    expect(data).to.equal(plaintext);
    expect(signatures[0].valid).to.be.true;
    const { data: data2, signatures: signatures2 } = await openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage }),
-      privateKeys: [key],
+      decryptionKeys: [key],
-      publicKeys: [key],
+      verificationKeys: [key],
      config: { minRSABits: 4096 }
    });
    expect(data2).to.equal(plaintext);
@ -277,8 +277,8 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const { data: data3, signatures: signatures3 } = await openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage }),
-      privateKeys: [key],
+      decryptionKeys: [key],
-      publicKeys: [key],
+      verificationKeys: [key],
      config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.rsaEncryptSign]) }
    });
    expect(data3).to.equal(plaintext);
@ -294,7 +294,7 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const message = await openpgp.createMessage({ text: "test" });
    const opt = {
      message,
-      privateKeys: key,
+      signingKeys: key,
      config: { rejectHashAlgorithms: new Set([openpgp.enums.hash.sha256, openpgp.enums.hash.sha512]) }
    };
    await expect(openpgp.sign(opt)).to.be.rejectedWith(/Insecure hash algorithm/);
@ -304,13 +304,13 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const clearText = await openpgp.createCleartextMessage({ text: "test" });
    const opt2 = {
      message: clearText,
-      privateKeys: key,
+      signingKeys: key,
      config: { rejectHashAlgorithms: new Set([openpgp.enums.hash.sha256, openpgp.enums.hash.sha512]) }
    };
    await expect(openpgp.sign(opt2)).to.be.rejectedWith(/Insecure hash algorithm/);
    await expect(openpgp.sign({
-      message, privateKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) }
+      message, signingKeys: [key], config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) }
    })).to.be.eventually.rejectedWith(/eddsa keys are considered too weak/);
  });
@ -322,29 +322,29 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const message = await openpgp.createMessage({ text: "test" });
-    const signed = await openpgp.sign({ message, privateKeys: key });
+    const signed = await openpgp.sign({ message, signingKeys: key });
    const opt = {
      message: await openpgp.readMessage({ armoredMessage: signed }),
-      publicKeys: key,
+      verificationKeys: key,
      config
    };
    const { signatures: [sig] } = await openpgp.verify(opt);
    await expect(sig.error).to.match(/Insecure message hash algorithm/);
-    const armoredSignature = await openpgp.sign({ message, privateKeys: key, detached: true });
+    const armoredSignature = await openpgp.sign({ message, signingKeys: key, detached: true });
    const opt2 = {
      message,
      signature: await openpgp.readSignature({ armoredSignature }),
-      publicKeys: key,
+      verificationKeys: key,
      config
    };
    const { signatures: [sig2] } = await openpgp.verify(opt2);
    await expect(sig2.error).to.match(/Insecure message hash algorithm/);
    const cleartext = await openpgp.createCleartextMessage({ text: "test" });
-    const signedCleartext = await openpgp.sign({ message: cleartext, privateKeys: key });
+    const signedCleartext = await openpgp.sign({ message: cleartext, signingKeys: key });
    const opt3 = {
      message: await openpgp.readCleartextMessage({ cleartextMessage: signedCleartext }),
-      publicKeys: key,
+      verificationKeys: key,
      config
    };
    const { signatures: [sig3] } = await openpgp.verify(opt3);
@ -352,7 +352,7 @@ qDEdLyNWF30o6wD/fZYCV8aS4dAu2U3fpN5y5+PbuXFRYljA5gQ/1zrGN/UA
    const opt4 = {
      message: await openpgp.readMessage({ armoredMessage: signed }),
-      publicKeys: [key],
+      verificationKeys: [key],
      config: { rejectPublicKeyAlgorithms: new Set([openpgp.enums.publicKey.eddsa]) }
    };
    const { signatures: [sig4] } = await openpgp.verify(opt4);
--- a/test/general/ecc_nist.js
+++ b/test/general/ecc_nist.js
@ -20,29 +20,29 @@ module.exports = () => describe('Elliptic Curve Cryptography for NIST P-256,P-38
      const bye = secondKey.key;
      const pubBye = bye.toPublic();
-      const cleartextMessage = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), privateKeys: hi });
+      const cleartextMessage = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), signingKeys: hi });
      await openpgp.verify({
        message: await openpgp.readCleartextMessage({ cleartextMessage }),
-        publicKeys: pubHi
+        verificationKeys: pubHi
      }).then(output => expect(output.signatures[0].valid).to.be.true);
      // Verifying detached signature
      await openpgp.verify({
        message: await openpgp.createMessage({ text: util.removeTrailingSpaces(testData) }),
-        publicKeys: pubHi,
+        verificationKeys: pubHi,
        signature: (await openpgp.readCleartextMessage({ cleartextMessage })).signature
      }).then(output => expect(output.signatures[0].valid).to.be.true);
      // Encrypting and signing
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ text: testData2 }),
-        publicKeys: [pubBye],
+        encryptionKeys: [pubBye],
-        privateKeys: [hi]
+        signingKeys: [hi]
      });
      // Decrypting and verifying
      return openpgp.decrypt({
        message: await openpgp.readMessage({ armoredMessage: encrypted }),
-        privateKeys: bye,
+        decryptionKeys: bye,
-        publicKeys: [pubHi]
+        verificationKeys: [pubHi]
      }).then(output => {
        expect(output.data).to.equal(testData2);
        expect(output.signatures[0].valid).to.be.true;
@ -56,9 +56,9 @@ module.exports = () => describe('Elliptic Curve Cryptography for NIST P-256,P-38
    const testData = input.createSomeMessage();
    const options = { userIDs: { name: "Hi", email: "hi@hel.lo" }, curve: "p256" };
    const firstKey = await openpgp.generateKey(options);
-    const signature = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), privateKeys: firstKey.key });
+    const signature = await openpgp.sign({ message: await openpgp.createCleartextMessage({ text: testData }), signingKeys: firstKey.key });
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: signature });
-    const result = await openpgp.verify({ message: msg, publicKeys: firstKey.key.toPublic() });
+    const result = await openpgp.verify({ message: msg, verificationKeys: firstKey.key.toPublic() });
    expect(result.signatures[0].valid).to.be.true;
  });
@ -70,14 +70,14 @@ module.exports = () => describe('Elliptic Curve Cryptography for NIST P-256,P-38
    const secondKey = await openpgp.generateKey(options);
    const encrypted = await openpgp.encrypt(
      { message: await openpgp.createMessage({ text: testData }),
-        publicKeys: [secondKey.key.toPublic()],
+        encryptionKeys: [secondKey.key.toPublic()],
-        privateKeys: [firstKey.key] }
+        signingKeys: [firstKey.key] }
    );
    const msg = await openpgp.readMessage({ armoredMessage: encrypted });
    const result = await openpgp.decrypt(
      { message: msg,
-        privateKeys: secondKey.key,
+        decryptionKeys: secondKey.key,
-        publicKeys: [firstKey.key.toPublic()] }
+        verificationKeys: [firstKey.key.toPublic()] }
    );
    expect(result.signatures[0].valid).to.be.true;
  });
--- a/test/general/ecc_secp256k1.js
+++ b/test/general/ecc_secp256k1.js
@ -177,7 +177,7 @@ module.exports = () => describe('Elliptic Curve Cryptography for secp256k1 curve
  it('Verify clear signed message', async function () {
    const pub = await load_pub_key('juliet');
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: data.juliet.message_signed });
-    return openpgp.verify({ publicKeys: [pub], message: msg }).then(function(result) {
+    return openpgp.verify({ verificationKeys: [pub], message: msg }).then(function(result) {
      expect(result).to.exist;
      expect(result.data).to.equal(data.juliet.message);
      expect(result.signatures).to.have.length(1);
@ -186,10 +186,10 @@ module.exports = () => describe('Elliptic Curve Cryptography for secp256k1 curve
  });
  it('Sign message', async function () {
    const romeoPrivate = await load_priv_key('romeo');
-    const signed = await openpgp.sign({ privateKeys: [romeoPrivate], message: await openpgp.createCleartextMessage({ text: data.romeo.message }) });
+    const signed = await openpgp.sign({ signingKeys: [romeoPrivate], message: await openpgp.createCleartextMessage({ text: data.romeo.message }) });
    const romeoPublic = await load_pub_key('romeo');
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-    const result = await openpgp.verify({ publicKeys: [romeoPublic], message: msg });
+    const result = await openpgp.verify({ verificationKeys: [romeoPublic], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message);
@ -200,7 +200,7 @@ module.exports = () => describe('Elliptic Curve Cryptography for secp256k1 curve
    const juliet = await load_pub_key('juliet');
    const romeo = await load_priv_key('romeo');
    const msg = await openpgp.readMessage({ armoredMessage: data.juliet.message_encrypted });
-    const result = await openpgp.decrypt({ privateKeys: romeo, publicKeys: [juliet], message: msg });
+    const result = await openpgp.decrypt({ decryptionKeys: romeo, verificationKeys: [juliet], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.juliet.message);
@ -210,12 +210,12 @@ module.exports = () => describe('Elliptic Curve Cryptography for secp256k1 curve
  it('Encrypt and sign message', async function () {
    const romeoPrivate = await load_priv_key('romeo');
    const julietPublic = await load_pub_key('juliet');
-    const encrypted = await openpgp.encrypt({ publicKeys: [julietPublic], privateKeys: [romeoPrivate], message: await openpgp.createMessage({ text: data.romeo.message }) });
+    const encrypted = await openpgp.encrypt({ encryptionKeys: [julietPublic], signingKeys: [romeoPrivate], message: await openpgp.createMessage({ text: data.romeo.message }) });
    const message = await openpgp.readMessage({ armoredMessage: encrypted });
    const romeoPublic = await load_pub_key('romeo');
    const julietPrivate = await load_priv_key('juliet');
-    const result = await openpgp.decrypt({ privateKeys: julietPrivate, publicKeys: [romeoPublic], message: message });
+    const result = await openpgp.decrypt({ decryptionKeys: julietPrivate, verificationKeys: [romeoPublic], message: message });
    expect(result).to.exist;
    expect(result.data).to.equal(data.romeo.message);
--- a/test/general/key.js
+++ b/test/general/key.js
@ -2167,12 +2167,12 @@ function versionSpecificTests() {
    const { key } = await openpgp.generateKey(opt);
    return openpgp.encrypt({
      message: await openpgp.createMessage({ text: 'hello' }),
-      publicKeys: key
+      encryptionKeys: key
    }).then(async armoredMessage => openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage }),
-      privateKeys: key
+      decryptionKeys: key
    })).catch(function(err) {
-      expect(err.message).to.match(/Private key is not decrypted./);
+      expect(err.message).to.match(/Decryption key is not decrypted./);
    });
  });
@ -2600,9 +2600,9 @@ function versionSpecificTests() {
      expect(newKey.users.length).to.equal(1);
      expect(newKey.users[0].userID.userID).to.equal('test <a@b.com>');
      expect(newKey.isDecrypted()).to.be.true;
-      return openpgp.sign({ message: await openpgp.createCleartextMessage({ text: 'hello' }), privateKeys: newKey, armor: true }).then(async function(signed) {
+      return openpgp.sign({ message: await openpgp.createCleartextMessage({ text: 'hello' }), signingKeys: newKey, armor: true }).then(async function(signed) {
        return openpgp.verify(
-          { message: await openpgp.readCleartextMessage({ cleartextMessage: signed }), publicKeys: newKey.toPublic() }
+          { message: await openpgp.readCleartextMessage({ cleartextMessage: signed }), verificationKeys: newKey.toPublic() }
        ).then(async function(verified) {
          expect(verified.signatures[0].valid).to.be.true;
          const newSigningKey = await newKey.getSigningKey();
@ -2641,8 +2641,8 @@ function versionSpecificTests() {
      opt.userIDs = userID2;
      return openpgp.reformatKey(opt).then(async function(newKey) {
        newKey = newKey.key;
-        return openpgp.encrypt({ message: await openpgp.createMessage({ text: 'hello' }), publicKeys: newKey.toPublic(), privateKeys: newKey, armor: true }).then(async function(encrypted) {
+        return openpgp.encrypt({ message: await openpgp.createMessage({ text: 'hello' }), encryptionKeys: newKey.toPublic(), signingKeys: newKey, armor: true }).then(async function(encrypted) {
-          return openpgp.decrypt({ message: await openpgp.readMessage({ armoredMessage: encrypted }), privateKeys: newKey, publicKeys: newKey.toPublic() }).then(function(decrypted) {
+          return openpgp.decrypt({ message: await openpgp.readMessage({ armoredMessage: encrypted }), decryptionKeys: newKey, verificationKeys: newKey.toPublic() }).then(function(decrypted) {
            expect(decrypted.data).to.equal('hello');
            expect(decrypted.signatures[0].valid).to.be.true;
          });
@ -2878,12 +2878,12 @@ module.exports = () => describe('Key', function() {
    await expect(openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage: encryptedRsaSignOnly }),
-      privateKeys: key
+      decryptionKeys: key
    })).to.be.rejectedWith(/Session key decryption failed/);
    await expect(openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage: encryptedRsaSignOnly }),
-      privateKeys: key,
+      decryptionKeys: key,
      config: { allowInsecureDecryptionWithSigningKeys: true }
    })).to.be.fulfilled;
  });
@ -3021,7 +3021,7 @@ module.exports = () => describe('Key', function() {
    expect(key.primaryKey.isDummy()).to.be.false;
    key.primaryKey.makeDummy();
    expect(key.primaryKey.isDummy()).to.be.true;
-    await expect(openpgp.sign({ message: await openpgp.createMessage({ text: 'test' }), privateKeys: [key], config: { minRSABits: 1024 } })).to.be.fulfilled;
+    await expect(openpgp.sign({ message: await openpgp.createMessage({ text: 'test' }), signingKeys: [key], config: { minRSABits: 1024 } })).to.be.fulfilled;
  });
  it('makeDummy() - should work for encrypted keys', async function() {
@ -3410,7 +3410,7 @@ VYGdb3eNlV8CfoEC
    const publicKey = await openpgp.readKey({ armoredKey: multi_uid_key });
    // Set second user to prefer aes128. We should select this user by default, since it was created later.
    publicKey.users[1].selfCertifications[0].preferredSymmetricAlgorithms = [openpgp.enums.symmetric.aes128];
-    const sessionKey = await openpgp.generateSessionKey({ publicKeys: publicKey });
+    const sessionKey = await openpgp.generateSessionKey({ encryptionKeys: publicKey });
    expect(sessionKey.algorithm).to.equal('aes128');
  });
@ -3420,7 +3420,7 @@ VYGdb3eNlV8CfoEC
    publicKey.users[0].selfCertifications[0].isPrimaryUserID = true;
    // Set first user to prefer aes128.
    publicKey.users[0].selfCertifications[0].preferredSymmetricAlgorithms = [openpgp.enums.symmetric.aes128];
-    const sessionKey = await openpgp.generateSessionKey({ publicKeys: publicKey });
+    const sessionKey = await openpgp.generateSessionKey({ encryptionKeys: publicKey });
    expect(sessionKey.algorithm).to.equal('aes128');
  });
@ -3434,14 +3434,14 @@ VYGdb3eNlV8CfoEC
    publicKey.users[0].selfCertifications[0].isPrimaryUserID = true;
    // Set second user to prefer aes128. We will select this user.
    publicKey.users[1].selfCertifications[0].preferredSymmetricAlgorithms = [openpgp.enums.symmetric.aes128];
-    const sessionKey = await openpgp.generateSessionKey({ publicKeys: publicKey, toUserIDs: { name: 'Test User', email: 'b@c.com' } });
+    const sessionKey = await openpgp.generateSessionKey({ encryptionKeys: publicKey, encryptionUserIDs: { name: 'Test User', email: 'b@c.com' } });
    expect(sessionKey.algorithm).to.equal('aes128');
    const config = { minRSABits: 1024 };
    await openpgp.encrypt({
-      message: await openpgp.createMessage({ text: 'hello' }), publicKeys: publicKey, privateKeys: privateKey, toUserIDs: { name: 'Test User', email: 'b@c.com' }, armor: false, config
+      message: await openpgp.createMessage({ text: 'hello' }), encryptionKeys: publicKey, signingKeys: privateKey, encryptionUserIDs: { name: 'Test User', email: 'b@c.com' }, armor: false, config
    });
    await expect(openpgp.encrypt({
-      message: await openpgp.createMessage({ text: 'hello' }), publicKeys: publicKey, privateKeys: privateKey, toUserIDs: { name: 'Test User', email: 'c@c.com' }, armor: false, config
+      message: await openpgp.createMessage({ text: 'hello' }), encryptionKeys: publicKey, signingKeys: privateKey, encryptionUserIDs: { name: 'Test User', email: 'c@c.com' }, armor: false, config
    })).to.be.rejectedWith('Could not find user that matches that user ID');
  });
@ -3452,7 +3452,7 @@ VYGdb3eNlV8CfoEC
      privateKey: await openpgp.readKey({ armoredKey: uidlessKey }),
      passphrase: 'correct horse battery staple'
    });
-    await expect(openpgp.encrypt({ message: await openpgp.createMessage({ text: 'hello' }), publicKeys: publicKey, privateKeys: privateKey, armor: false })).to.be.rejectedWith('Could not find primary user');
+    await expect(openpgp.encrypt({ message: await openpgp.createMessage({ text: 'hello' }), encryptionKeys: publicKey, signingKeys: privateKey, armor: false })).to.be.rejectedWith('Could not find primary user');
  });
  it('Sign - specific user', async function() {
@ -3472,17 +3472,17 @@ VYGdb3eNlV8CfoEC
    privateKey.users[1].selfCertifications[0].preferredHashAlgorithms = [openpgp.enums.hash.sha512];
    const config = { minRSABits: 1024 };
    const signed = await openpgp.sign({
-      message: await openpgp.createMessage({ text: 'hello' }), privateKeys: privateKey, fromUserIDs: { name: 'Test McTestington', email: 'test@example.com' }, armor: false, config
+      message: await openpgp.createMessage({ text: 'hello' }), signingKeys: privateKey, signingUserIDs: { name: 'Test McTestington', email: 'test@example.com' }, armor: false, config
    });
    const signature = await openpgp.readMessage({ binaryMessage: signed });
    expect(signature.packets[0].hashAlgorithm).to.equal(openpgp.enums.hash.sha512);
    const encrypted = await openpgp.encrypt({
-      message: await openpgp.createMessage({ text: 'hello' }), passwords: 'test', privateKeys: privateKey, fromUserIDs: { name: 'Test McTestington', email: 'test@example.com' }, armor: false, config
+      message: await openpgp.createMessage({ text: 'hello' }), passwords: 'test', signingKeys: privateKey, signingUserIDs: { name: 'Test McTestington', email: 'test@example.com' }, armor: false, config
    });
    const { signatures } = await openpgp.decrypt({ message: await openpgp.readMessage({ binaryMessage: encrypted }), passwords: 'test' });
    expect(signatures[0].signature.packets[0].hashAlgorithm).to.equal(openpgp.enums.hash.sha512);
    await expect(openpgp.encrypt({
-      message: await openpgp.createMessage({ text: 'hello' }), publicKeys: publicKey, privateKeys: privateKey, fromUserIDs: { name: 'Not Test McTestington', email: 'test@example.com' }, armor: false, config
+      message: await openpgp.createMessage({ text: 'hello' }), encryptionKeys: publicKey, signingKeys: privateKey, signingUserIDs: { name: 'Not Test McTestington', email: 'test@example.com' }, armor: false, config
    })).to.be.rejectedWith('Could not find user that matches that user ID');
  });
@ -3518,7 +3518,7 @@ VYGdb3eNlV8CfoEC
  it('Reject encryption with revoked primary user', async function() {
    const key = await openpgp.readKey({ armoredKey: pub_revoked_subkeys });
-    return openpgp.encrypt({ publicKeys: [key], message: await openpgp.createMessage({ text: 'random data' }) }).then(() => {
+    return openpgp.encrypt({ encryptionKeys: [key], message: await openpgp.createMessage({ text: 'random data' }) }).then(() => {
      throw new Error('encryptSessionKey should not encrypt with revoked public key');
    }).catch(function(error) {
      expect(error.message).to.equal('Error encrypting message: Primary user is revoked');
@ -3529,7 +3529,7 @@ VYGdb3eNlV8CfoEC
    const key = await openpgp.readKey({ armoredKey: pub_revoked_subkeys });
    key.revocationSignatures = [];
    key.users[0].revocationSignatures = [];
-    return openpgp.encrypt({ publicKeys: [key], message: await openpgp.createMessage({ text: 'random data' }), date: new Date(1386842743000) }).then(() => {
+    return openpgp.encrypt({ encryptionKeys: [key], message: await openpgp.createMessage({ text: 'random data' }), date: new Date(1386842743000) }).then(() => {
      throw new Error('encryptSessionKey should not encrypt with revoked public key');
    }).catch(error => {
      expect(error.message).to.equal('Error encrypting message: Could not find valid encryption key packet in key ' + key.getKeyID().toHex() + ': Subkey is revoked');
@ -3538,7 +3538,7 @@ VYGdb3eNlV8CfoEC
  it('Reject encryption with key revoked with appended revocation cert', async function() {
    const key = await openpgp.readKey({ armoredKey: pub_revoked_with_cert });
-    return openpgp.encrypt({ publicKeys: [key], message: await openpgp.createMessage({ text: 'random data' }) }).then(() => {
+    return openpgp.encrypt({ encryptionKeys: [key], message: await openpgp.createMessage({ text: 'random data' }) }).then(() => {
      throw new Error('encryptSessionKey should not encrypt with revoked public key');
    }).catch(function(error) {
      expect(error.message).to.equal('Error encrypting message: Primary key is revoked');
@ -3766,9 +3766,9 @@ VYGdb3eNlV8CfoEC
      expect(subKey.getAlgorithmInfo().algorithm).to.be.equal('eddsa');
      await subKey.verify(newPrivateKey.primaryKey);
      expect(await newPrivateKey.getSigningKey()).to.be.equal(subKey);
-      const signed = await openpgp.sign({ message: await openpgp.createMessage({ text: 'the data to signed' }), privateKeys: newPrivateKey, armor:false });
+      const signed = await openpgp.sign({ message: await openpgp.createMessage({ text: 'the data to signed' }), signingKeys: newPrivateKey, armor:false });
      const message = await openpgp.readMessage({ binaryMessage: signed });
-      const { signatures } = await openpgp.verify({ message, publicKeys: [newPrivateKey.toPublic()] });
+      const { signatures } = await openpgp.verify({ message, verificationKeys: [newPrivateKey.toPublic()] });
      expect(signatures).to.exist;
      expect(signatures.length).to.be.equal(1);
      expect(signatures[0].keyID.toHex()).to.be.equal(subKey.getKeyID().toHex());
@ -3788,14 +3788,14 @@ VYGdb3eNlV8CfoEC
      const publicKey = newPrivateKey.toPublic();
      await subKey.verify(newPrivateKey.primaryKey);
      expect(await newPrivateKey.getEncryptionKey()).to.be.equal(subKey);
-      const encrypted = await openpgp.encrypt({ message: await openpgp.createMessage({ text: vData }), publicKeys: publicKey, armor:false });
+      const encrypted = await openpgp.encrypt({ message: await openpgp.createMessage({ text: vData }), encryptionKeys: publicKey, armor:false });
      expect(encrypted).to.be.exist;
      const message = await openpgp.readMessage({ binaryMessage: encrypted });
      const pkSessionKeys = message.packets.filterByTag(openpgp.enums.packet.publicKeyEncryptedSessionKey);
      expect(pkSessionKeys).to.exist;
      expect(pkSessionKeys.length).to.be.equal(1);
      expect(pkSessionKeys[0].publicKeyID.toHex()).to.be.equals(subKey.keyPacket.getKeyID().toHex());
-      const decrypted = await openpgp.decrypt({ message, privateKeys: newPrivateKey });
+      const decrypted = await openpgp.decrypt({ message, decryptionKeys: newPrivateKey });
      expect(decrypted).to.exist;
      expect(decrypted.data).to.be.equal(vData);
    });
@ -3814,9 +3814,9 @@ VYGdb3eNlV8CfoEC
      expect(subKey.getAlgorithmInfo().algorithm).to.be.equal('rsaEncryptSign');
      await subKey.verify(newPrivateKey.primaryKey);
      expect(await newPrivateKey.getSigningKey()).to.be.equal(subKey);
-      const signed = await openpgp.sign({ message: await openpgp.createMessage({ text: 'the data to signed' }), privateKeys: newPrivateKey, armor:false });
+      const signed = await openpgp.sign({ message: await openpgp.createMessage({ text: 'the data to signed' }), signingKeys: newPrivateKey, armor:false });
      const message = await openpgp.readMessage({ binaryMessage: signed });
-      const { signatures } = await openpgp.verify({ message, publicKeys: [newPrivateKey.toPublic()] });
+      const { signatures } = await openpgp.verify({ message, verificationKeys: [newPrivateKey.toPublic()] });
      expect(signatures).to.exist;
      expect(signatures.length).to.be.equal(1);
      expect(signatures[0].keyID.toHex()).to.be.equal(subKey.getKeyID().toHex());
@ -3836,14 +3836,14 @@ VYGdb3eNlV8CfoEC
      const publicKey = newPrivateKey.toPublic();
      const vData = 'the data to encrypted!';
      expect(await newPrivateKey.getEncryptionKey()).to.be.equal(subKey);
-      const encrypted = await openpgp.encrypt({ message: await openpgp.createMessage({ text: vData }), publicKeys: publicKey, armor:false });
+      const encrypted = await openpgp.encrypt({ message: await openpgp.createMessage({ text: vData }), encryptionKeys: publicKey, armor:false });
      expect(encrypted).to.be.exist;
      const message = await openpgp.readMessage({ binaryMessage: encrypted });
      const pkSessionKeys = message.packets.filterByTag(openpgp.enums.packet.publicKeyEncryptedSessionKey);
      expect(pkSessionKeys).to.exist;
      expect(pkSessionKeys.length).to.be.equal(1);
      expect(pkSessionKeys[0].publicKeyID.toHex()).to.be.equals(subKey.keyPacket.getKeyID().toHex());
-      const decrypted = await openpgp.decrypt({ message, privateKeys: newPrivateKey });
+      const decrypted = await openpgp.decrypt({ message, decryptionKeys: newPrivateKey });
      expect(decrypted).to.exist;
      expect(decrypted.data).to.be.equal(vData);
    });
--- a/test/general/openpgp.js
+++ b/test/general/openpgp.js
--- a/test/general/signature.js
+++ b/test/general/signature.js
@ -859,7 +859,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
      rejectMessageHashAlgorithms: new Set([openpgp.enums.hash.md5, openpgp.enums.hash.ripemd]),
      rejectPublicKeyAlgorithms: new Set()
    };
-    const decrypted = await openpgp.decrypt({ privateKeys: privateKey, publicKeys: publicKey, message, config });
+    const decrypted = await openpgp.decrypt({ decryptionKeys: privateKey, verificationKeys: publicKey, message, config });
    expect(decrypted.data).to.exist;
    expect(decrypted.signatures[0].valid).to.be.true;
    expect(decrypted.signatures[0].signature.packets.length).to.equal(1);
@ -880,14 +880,14 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
      const decryptedDummyKey = await openpgp.decryptKey({ privateKey: dummyKey, passphrase });
      expect(decryptedDummyKey.isDecrypted()).to.be.true;
      // decrypting with a secret subkey works
-      const msg = await openpgp.decrypt({ message, privateKeys: decryptedDummyKey, publicKeys: publicKey, config: { rejectPublicKeyAlgorithms: new Set() } });
+      const msg = await openpgp.decrypt({ message, decryptionKeys: decryptedDummyKey, verificationKeys: publicKey, config: { rejectPublicKeyAlgorithms: new Set() } });
      expect(msg.signatures).to.exist;
      expect(msg.signatures).to.have.length(1);
      expect(msg.signatures[0].valid).to.be.true;
      expect(msg.signatures[0].signature.packets.length).to.equal(1);
      // secret key operations involving the primary key should fail
      await expect(openpgp.sign({
-        message: await openpgp.createMessage({ text: 'test' }), privateKeys: decryptedDummyKey, config: { rejectPublicKeyAlgorithms: new Set() }
+        message: await openpgp.createMessage({ text: 'test' }), signingKeys: decryptedDummyKey, config: { rejectPublicKeyAlgorithms: new Set() }
      })).to.eventually.be.rejectedWith(/Cannot sign with a gnu-dummy key/);
      await expect(
        openpgp.reformatKey({ userIDs: { name: 'test' }, privateKey: decryptedDummyKey })
@ -907,7 +907,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
      privateKey: await openpgp.readKey({ armoredKey: flowcrypt_stripped_key }),
      passphrase: 'FlowCrypt'
    });
-    const sig = await openpgp.sign({ message: await openpgp.createMessage({ text: 'test' }), privateKeys: dummyKey, date: new Date('2018-12-17T03:24:00') });
+    const sig = await openpgp.sign({ message: await openpgp.createMessage({ text: 'test' }), signingKeys: dummyKey, date: new Date('2018-12-17T03:24:00') });
    expect(sig).to.match(/-----END PGP MESSAGE-----\n$/);
  });
@ -984,7 +984,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
    });
    return openpgp.decrypt({
-      privateKeys: privKey, publicKeys: pubKey , message, config: { minRSABits: 1024 }
+      decryptionKeys: privKey, verificationKeys: pubKey , message, config: { minRSABits: 1024 }
    }).then(decrypted => {
      expect(decrypted.data).to.exist;
      expect(decrypted.data).to.equal(plaintext);
@ -1021,7 +1021,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
    expect(pubKey2.getKeys(keyIDs[1])).to.not.be.empty;
    expect(pubKey3.getKeys(keyIDs[0])).to.not.be.empty;
-    const { data, signatures } = await openpgp.verify({ message: sMsg, publicKeys: [pubKey2, pubKey3], config: { minRSABits: 1024 } });
+    const { data, signatures } = await openpgp.verify({ message: sMsg, verificationKeys: [pubKey2, pubKey3], config: { minRSABits: 1024 } });
    expect(data).to.equal(plaintext);
    expect(signatures).to.exist;
    expect(signatures).to.have.length(2);
@ -1034,7 +1034,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
  it('Verify fails with signed message with critical notations', async function() {
    const message = await openpgp.readMessage({ armoredMessage: signature_with_critical_notation });
    const key = await openpgp.readKey({ armoredKey: pub_key_arm2 });
-    const { signatures: [sig] } = await openpgp.verify({ message, publicKeys: key, config: { minRSABits: 1024 } });
+    const { signatures: [sig] } = await openpgp.verify({ message, verificationKeys: key, config: { minRSABits: 1024 } });
    expect(sig.valid).to.be.false;
    expect(sig.error).to.match(/Unknown critical notation: test@example.com/);
  });
@ -1044,7 +1044,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
    const key = await openpgp.readKey({ armoredKey: pub_key_arm2 });
    const config = { knownNotations: ['test@example.com'], minRSABits: 1024 };
-    const { signatures: [sig] } = await openpgp.verify({ message, publicKeys: key, config });
+    const { signatures: [sig] } = await openpgp.verify({ message, verificationKeys: key, config });
    expect(sig.valid).to.be.true;
  });
@ -1082,7 +1082,7 @@ hUhMKMuiM3pRwdIyDOItkUWQmjEEw7/XmhgInkXsCw==
    expect(pubKey2.getKeys(keyIDs[0])).to.not.be.empty;
    expect(pubKey3.getKeys(keyIDs[1])).to.not.be.empty;
-    return openpgp.verify({ publicKeys:[pubKey2, pubKey3], message, config: { minRSABits: 1024 } }).then(function(cleartextSig) {
+    return openpgp.verify({ verificationKeys:[pubKey2, pubKey3], message, config: { minRSABits: 1024 } }).then(function(cleartextSig) {
      expect(cleartextSig).to.exist;
      expect(cleartextSig.data).to.equal(plaintext);
      expect(cleartextSig.signatures).to.have.length(2);
@ -1156,7 +1156,7 @@ zmuVOdNuWQqxT9Sqa84=
    expect(pubKey.getKeys(keyIDs[0])).to.not.be.empty;
    const cleartextSig = await openpgp.verify({
-      publicKeys:[pubKey],
+      verificationKeys:[pubKey],
      message,
      config: { minRSABits: 1024, rejectMessageHashAlgorithms: new Set() }
    });
@ -1189,7 +1189,7 @@ yYDnCgA=
      const keyIDs = message.getSigningKeyIDs();
      expect(pubKey.getKeys(keyIDs[0])).to.not.be.empty;
-      return openpgp.verify({ publicKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(({ data, signatures }) => {
+      return openpgp.verify({ verificationKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(({ data, signatures }) => {
        expect(data).to.equal(plaintext);
        expect(signatures).to.have.length(1);
        expect(signatures[0].valid).to.equal(!openpgp.config.rejectMessageHashAlgorithms.has(openpgp.enums.hash.sha1));
@ -1227,7 +1227,7 @@ yYDnCgA=
      const keyIDs = message.getSigningKeyIDs();
      expect(pubKey.getKeys(keyIDs[0])).to.not.be.empty;
-      return openpgp.verify({ publicKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async function(cleartextSig) {
+      return openpgp.verify({ verificationKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async function(cleartextSig) {
        expect(cleartextSig).to.exist;
        expect(await stream.readToEnd(cleartextSig.data)).to.equal(plaintext);
        expect(cleartextSig.signatures).to.have.length(1);
@ -1259,7 +1259,7 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
      const keyIDs = message.getSigningKeyIDs();
      expect(pubKey.getKeys(keyIDs[0])).to.not.be.empty;
-      return openpgp.verify({ publicKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async ({ data, signatures }) => {
+      return openpgp.verify({ verificationKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async ({ data, signatures }) => {
        expect(data).to.equal(plaintext);
        expect(signatures).to.have.length(0);
      });
@ -1293,7 +1293,7 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
      const keyIDs = message.getSigningKeyIDs();
      expect(pubKey.getKeys(keyIDs[0])).to.not.be.empty;
-      return openpgp.verify({ publicKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async ({ data, signatures }) => {
+      return openpgp.verify({ verificationKeys: [pubKey], message, config: { minRSABits: 1024 } }).then(async ({ data, signatures }) => {
        expect(await stream.readToEnd(data)).to.equal(plaintext);
        expect(signatures).to.have.length(1);
        await expect(signatures[0].verified).to.be.rejectedWith('Corresponding signature packet missing');
@ -1325,10 +1325,10 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
      const message = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-      return openpgp.verify({ publicKeys:[pubKey], message, config });
+      return openpgp.verify({ verificationKeys:[pubKey], message, config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext.replace(/[ \t\r]+$/mg, ''));
@ -1347,10 +1347,10 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
      const message = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-      return openpgp.verify({ publicKeys: pubKey, message, config });
+      return openpgp.verify({ verificationKeys: pubKey, message, config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext);
@ -1369,10 +1369,10 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createCleartextMessage({ text: plaintext }), config }).then(async signed => {
      const message = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-      return openpgp.verify({ publicKeys: pubKey, message, config });
+      return openpgp.verify({ verificationKeys: pubKey, message, config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext.replace(/[ \t]+$/mg, ''));
@ -1391,10 +1391,10 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createMessage({ binary: plaintext }), config }).then(async signed => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createMessage({ binary: plaintext }), config }).then(async signed => {
      const message = await openpgp.readMessage({ armoredMessage: signed });
-      return openpgp.verify({ publicKeys: pubKey, message, format: 'binary', config });
+      return openpgp.verify({ verificationKeys: pubKey, message, format: 'binary', config });
    }).then(function({ data, signatures }) {
      expect(data).to.deep.equal(plaintext);
@ -1413,10 +1413,10 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createMessage({ binary: plaintext }), armor: false, config }).then(async signed => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createMessage({ binary: plaintext }), armor: false, config }).then(async signed => {
      const message = await openpgp.readMessage({ binaryMessage: signed });
-      return openpgp.verify({ publicKeys: pubKey, message, format: 'binary', config });
+      return openpgp.verify({ verificationKeys: pubKey, message, format: 'binary', config });
    }).then(function({ data, signatures }) {
      expect(data).to.deep.equal(plaintext);
@ -1435,9 +1435,9 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createMessage({ text: plaintext }), detached: true, config }).then(async armoredSignature => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createMessage({ text: plaintext }), detached: true, config }).then(async armoredSignature => {
      const signature = await openpgp.readSignature({ armoredSignature });
-      return openpgp.verify({ publicKeys: pubKey, message: await openpgp.createMessage({ binary: util.encodeUTF8(plaintext) }), signature, config });
+      return openpgp.verify({ verificationKeys: pubKey, message: await openpgp.createMessage({ binary: util.encodeUTF8(plaintext) }), signature, config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext);
      expect(signatures).to.have.length(1);
@ -1456,9 +1456,9 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message:await openpgp.createMessage({ binary: binaryPlaintext }), detached: true, config }).then(async armoredSignature => {
+    return openpgp.sign({ signingKeys: privKey, message:await openpgp.createMessage({ binary: binaryPlaintext }), detached: true, config }).then(async armoredSignature => {
      const signature = await openpgp.readSignature({ armoredSignature });
-      return openpgp.verify({ publicKeys: pubKey, message: await openpgp.createMessage({ text: plaintext }), signature, config });
+      return openpgp.verify({ verificationKeys: pubKey, message: await openpgp.createMessage({ text: plaintext }), signature, config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext);
@ -1477,13 +1477,13 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    });
    const config = { minRSABits: 1024 };
-    return openpgp.sign({ privateKeys: privKey, message: await openpgp.createMessage({ text: plaintext }), detached: true, config }).then(async armoredSignature => {
+    return openpgp.sign({ signingKeys: privKey, message: await openpgp.createMessage({ text: plaintext }), detached: true, config }).then(async armoredSignature => {
      const signature = await openpgp.readSignature({ armoredSignature });
-      return openpgp.encrypt({ message: await openpgp.createMessage({ binary: util.encodeUTF8(plaintext) }), publicKeys: [pubKey], signature, config });
+      return openpgp.encrypt({ message: await openpgp.createMessage({ binary: util.encodeUTF8(plaintext) }), encryptionKeys: [pubKey], signature, config });
    }).then(async armoredMessage => {
      const message = await openpgp.readMessage({ armoredMessage });
-      return openpgp.decrypt({ message, privateKeys: [privKey], publicKeys: [pubKey], config });
+      return openpgp.decrypt({ message, decryptionKeys: [privKey], verificationKeys: [pubKey], config });
    }).then(function({ data, signatures }) {
      expect(data).to.equal(plaintext);
@ -1496,7 +1496,7 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
  it('Verify test with expired verification public key', async function() {
    const pubKey = await openpgp.readKey({ armoredKey: pub_expired });
    const message = await openpgp.readMessage({ armoredMessage: msg_sig_expired });
-    return openpgp.verify({ publicKeys:[pubKey], message:message }).then(function(verified) {
+    return openpgp.verify({ verificationKeys:[pubKey], message:message }).then(function(verified) {
      expect(verified).to.exist;
      expect(verified.signatures).to.have.length(1);
      expect(verified.signatures[0].valid).to.be.true;
@ -1507,7 +1507,7 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
  it('Verify test with expired verification public key and disable expiration checks using null date', async function() {
    const pubKey = await openpgp.readKey({ armoredKey: pub_expired });
    const message = await openpgp.readMessage({ armoredMessage: msg_sig_expired });
-    return openpgp.verify({ publicKeys:[pubKey], message:message, date: null }).then(function(verified) {
+    return openpgp.verify({ verificationKeys:[pubKey], message:message, date: null }).then(function(verified) {
      expect(verified).to.exist;
      expect(verified.signatures).to.have.length(1);
      expect(verified.signatures[0].valid).to.be.true;
@ -1598,7 +1598,7 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    const message = await openpgp.createMessage({ text: content });
    await message.appendSignature(detachedSig);
-    const { data, signatures } = await openpgp.verify({ publicKeys:[publicKey], message, config: { minRSABits: 1024 } });
+    const { data, signatures } = await openpgp.verify({ verificationKeys:[publicKey], message, config: { minRSABits: 1024 } });
    expect(data).to.equal(content);
    expect(signatures).to.have.length(1);
    expect(signatures[0].valid).to.be.true;
@ -1616,9 +1616,9 @@ hkJiXopCSWKSlQInL1devkJJUWJmTmZeugJYlpdLAagQJM0JpsCqIQZwKgAA
    const opt = { rsaBits: 2048, userIDs: { name:'test', email:'a@b.com' }, passphrase: null };
    const { key: generatedKey } = await openpgp.generateKey(opt);
-    const armoredSignature = await openpgp.sign({ privateKeys: [generatedKey, privKey], message, detached: true, config: { minRSABits: 1024 } });
+    const armoredSignature = await openpgp.sign({ signingKeys: [generatedKey, privKey], message, detached: true, config: { minRSABits: 1024 } });
    const signature = await openpgp.readSignature({ armoredSignature });
-    const { data, signatures } = await openpgp.verify({ publicKeys: [generatedKey.toPublic(), pubKey], message, signature, config: { minRSABits: 1024 } });
+    const { data, signatures } = await openpgp.verify({ verificationKeys: [generatedKey.toPublic(), pubKey], message, signature, config: { minRSABits: 1024 } });
    expect(data).to.equal('hello');
    expect(await signatures[0].verified).to.be.true;
    expect(await signatures[1].verified).to.be.true;
@ -1763,8 +1763,8 @@ oaBUyhCKt8tz6Q==
    const key = await openpgp.readKey({ armoredKey });
    const decrypted = await openpgp.decrypt({
      message: await openpgp.readMessage({ armoredMessage: encrypted }),
-      publicKeys: key,
+      verificationKeys: key,
-      privateKeys: key,
+      decryptionKeys: key,
      config: { minRSABits: 1024 }
    });
    expect(decrypted.signatures[0].valid).to.be.true;
@ -1799,7 +1799,7 @@ j+GItrR+QbbN13ODlcR3hf66cwjLLsJCx5VcBaRspKF05O3ix/u9KVjJqtbi
 Ie6jnY0zP2ldtS4JmhKBa43qmOHCxHc=
 =7B58
 -----END PGP MESSAGE-----`;
-    const decrypted = await openpgp.decrypt({ message: await openpgp.readMessage({ armoredMessage: encrypted }), privateKeys: key, publicKeys: key.toPublic() });
+    const decrypted = await openpgp.decrypt({ message: await openpgp.readMessage({ armoredMessage: encrypted }), decryptionKeys: key, verificationKeys: key.toPublic() });
    expect(decrypted.signatures[0].valid).to.be.true;
  });
@ -1835,7 +1835,7 @@ JImeZLY02MctIpGZULbqgcUGK0P/yqrPL8Pe4lQM
 =Pacb
 -----END PGP SIGNATURE-----`;
    const message = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-    const verified = await openpgp.verify({ publicKeys: key, message });
+    const verified = await openpgp.verify({ verificationKeys: key, message });
    expect(verified.signatures[0].valid).to.be.true;
  });
 });
--- a/test/general/streaming.js
+++ b/test/general/streaming.js
@ -240,7 +240,7 @@ function tests() {
  it('Sign: Input stream should be canceled when canceling encrypted stream', async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      config: { minRSABits: 1024 }
    });
    const reader = stream.getReader(signed);
@ -314,8 +314,8 @@ function tests() {
    try {
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ binary: data }),
-        publicKeys: pubKey,
+        encryptionKeys: pubKey,
-        privateKeys: privKey,
+        signingKeys: privKey,
        armor: false,
        config: { minRSABits: 1024 }
      });
@ -323,8 +323,8 @@ function tests() {
      const message = await openpgp.readMessage({ binaryMessage: encrypted });
      const decrypted = await openpgp.decrypt({
-        publicKeys: pubKey,
+        verificationKeys: pubKey,
-        privateKeys: privKey,
+        decryptionKeys: privKey,
        message,
        format: 'binary'
      });
@ -350,16 +350,16 @@ function tests() {
    try {
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ binary: data }),
-        publicKeys: pub,
+        encryptionKeys: pub,
-        privateKeys: priv,
+        signingKeys: priv,
        armor: false
      });
      expect(stream.isStream(encrypted)).to.equal(expectedType);
      const message = await openpgp.readMessage({ binaryMessage: encrypted });
      const decrypted = await openpgp.decrypt({
-        publicKeys: pub,
+        verificationKeys: pub,
-        privateKeys: priv,
+        decryptionKeys: priv,
        message,
        format: 'binary'
      });
@ -385,16 +385,16 @@ function tests() {
    try {
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ binary: data }),
-        publicKeys: pub,
+        encryptionKeys: pub,
-        privateKeys: priv,
+        signingKeys: priv,
        armor: false
      });
      expect(stream.isStream(encrypted)).to.equal(expectedType);
      const message = await openpgp.readMessage({ binaryMessage: encrypted });
      const decrypted = await openpgp.decrypt({
-        publicKeys: pub,
+        verificationKeys: pub,
-        privateKeys: priv,
+        decryptionKeys: priv,
        message,
        format: 'binary'
      });
@ -452,8 +452,8 @@ function tests() {
    try {
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ binary: data }),
-        publicKeys: pubKey,
+        encryptionKeys: pubKey,
-        privateKeys: privKey,
+        signingKeys: privKey,
        config: { minRSABits: 1024 }
      });
      expect(stream.isStream(encrypted)).to.equal(expectedType);
@ -467,8 +467,8 @@ function tests() {
        }), { encoding: 'utf8' })
      });
      const decrypted = await openpgp.decrypt({
-        publicKeys: pubKey,
+        verificationKeys: pubKey,
-        privateKeys: privKey,
+        decryptionKeys: privKey,
        message,
        format: 'binary'
      });
@ -489,8 +489,8 @@ function tests() {
    try {
      const encrypted = await openpgp.encrypt({
        message: await openpgp.createMessage({ binary: data }),
-        publicKeys: pubKey,
+        encryptionKeys: pubKey,
-        privateKeys: privKey,
+        signingKeys: privKey,
        config: { minRSABits: 1024 }
      });
      expect(stream.isStream(encrypted)).to.equal(expectedType);
@ -504,7 +504,7 @@ function tests() {
        }), { encoding: 'utf8' })
      });
      const decrypted = await openpgp.decrypt({
-        privateKeys: privKey,
+        decryptionKeys: privKey,
        message,
        format: 'binary'
      });
@ -523,7 +523,7 @@ function tests() {
  it('Sign/verify: Detect armor checksum error', async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      config: { minRSABits: 1024 }
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
@ -537,7 +537,7 @@ function tests() {
      }), { encoding: 'utf8' })
    });
    const verified = await openpgp.verify({
-      publicKeys: pubKey,
+      verificationKeys: pubKey,
      message,
      format: 'binary',
      config: { minRSABits: 1024 }
@ -578,14 +578,14 @@ function tests() {
  it('Sign/verify: Input stream should be canceled when canceling verified stream', async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      config: { minRSABits: 1024 }
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
    const message = await openpgp.readMessage({ armoredMessage: signed });
    const verified = await openpgp.verify({
-      publicKeys: pubKey,
+      verificationKeys: pubKey,
      message,
      format: 'binary',
      config: { minRSABits: 1024 }
@ -618,7 +618,7 @@ function tests() {
  it("Sign: Don't pull entire input stream when we're not pulling signed stream", async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      config: { minRSABits: 1024 }
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
@ -633,13 +633,13 @@ function tests() {
  it("Sign/verify: Don't pull entire input stream when we're not pulling verified stream", async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      config: { minRSABits: 1024 }
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
    const message = await openpgp.readMessage({ armoredMessage: signed });
    const verified = await openpgp.verify({
-      publicKeys: pubKey,
+      verificationKeys: pubKey,
      message,
      format: 'binary'
    });
@ -668,7 +668,7 @@ function tests() {
    });
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      detached: true,
      config: { minRSABits: 1024 }
    });
@ -677,7 +677,7 @@ function tests() {
    const signature = await openpgp.readSignature({ armoredSignature });
    const verified = await openpgp.verify({
      signature,
-      publicKeys: pubKey,
+      verificationKeys: pubKey,
      message: await openpgp.createMessage({ text: 'hello world' }),
      config: { minRSABits: 1024 }
    });
@ -709,7 +709,7 @@ function tests() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: priv,
+      signingKeys: priv,
      detached: true
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
@ -717,7 +717,7 @@ function tests() {
    const signature = await openpgp.readSignature({ armoredSignature });
    const verified = await openpgp.verify({
      signature,
-      publicKeys: pub,
+      verificationKeys: pub,
      message: await openpgp.createMessage({ text: 'hello world' })
    });
    expect(verified.data).to.equal('hello world');
@ -748,7 +748,7 @@ function tests() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: priv,
+      signingKeys: priv,
      detached: true
    });
    expect(stream.isStream(signed)).to.equal(expectedType);
@ -756,7 +756,7 @@ function tests() {
    const signature = await openpgp.readSignature({ armoredSignature });
    const verified = await openpgp.verify({
      signature,
-      publicKeys: pub,
+      verificationKeys: pub,
      message: await openpgp.createMessage({ text: 'hello world' })
    });
    expect(verified.data).to.equal('hello world');
@ -767,7 +767,7 @@ function tests() {
  it("Detached sign is expected to pull entire input stream when we're not pulling signed stream", async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      detached: true,
      config: { minRSABits: 1024 }
    });
@ -782,7 +782,7 @@ function tests() {
  it('Detached sign: Input stream should be canceled when canceling signed stream', async function() {
    const signed = await openpgp.sign({
      message: await openpgp.createMessage({ binary: data }),
-      privateKeys: privKey,
+      signingKeys: privKey,
      detached: true,
      config: { minRSABits: 1024 }
    });
--- a/test/general/x25519.js
+++ b/test/general/x25519.js
@ -164,7 +164,7 @@ module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cr
    const name = 'light';
    const pub = await load_pub_key(name);
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: data[name].message_signed });
-    return openpgp.verify({ publicKeys: [pub], message: msg }).then(function(result) {
+    return openpgp.verify({ verificationKeys: [pub], message: msg }).then(function(result) {
      expect(result).to.exist;
      expect(result.data).to.equal(data[name].message);
      expect(result.signatures).to.have.length(1);
@ -176,10 +176,10 @@ module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cr
    const name = 'light';
    const randomData = input.createSomeMessage();
    const priv = await load_priv_key(name);
-    const signed = await openpgp.sign({ privateKeys: [priv], message: await openpgp.createCleartextMessage({ text: randomData }) });
+    const signed = await openpgp.sign({ signingKeys: [priv], message: await openpgp.createCleartextMessage({ text: randomData }) });
    const pub = await load_pub_key(name);
    const msg = await openpgp.readCleartextMessage({ cleartextMessage: signed });
-    const result = await openpgp.verify({ publicKeys: [pub], message: msg });
+    const result = await openpgp.verify({ verificationKeys: [pub], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(randomData.replace(/[ \t]+$/mg, ''));
@ -191,7 +191,7 @@ module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cr
    const light = await load_pub_key('light');
    const night = await load_priv_key('night');
    const msg = await openpgp.readMessage({ armoredMessage: data.night.message_encrypted });
-    const result = await openpgp.decrypt({ privateKeys: night, publicKeys: [light], message: msg });
+    const result = await openpgp.decrypt({ decryptionKeys: night, verificationKeys: [light], message: msg });
    expect(result).to.exist;
    expect(result.data).to.equal(data.night.message);
@ -203,12 +203,12 @@ module.exports = () => (openpgp.config.ci ? describe.skip : describe)('X25519 Cr
    const nightPublic = await load_pub_key('night');
    const lightPrivate = await load_priv_key('light');
    const randomData = input.createSomeMessage();
-    const encrypted = await openpgp.encrypt({ publicKeys: [nightPublic], privateKeys: [lightPrivate], message: await openpgp.createMessage({ text: randomData }) });
+    const encrypted = await openpgp.encrypt({ encryptionKeys: [nightPublic], signingKeys: [lightPrivate], message: await openpgp.createMessage({ text: randomData }) });
    const message = await openpgp.readMessage({ armoredMessage: encrypted });
    const lightPublic = await load_pub_key('light');
    const nightPrivate = await load_priv_key('night');
-    const result = await openpgp.decrypt({ privateKeys: nightPrivate, publicKeys: [lightPublic], message: message });
+    const result = await openpgp.decrypt({ decryptionKeys: nightPrivate, verificationKeys: [lightPublic], message: message });
    expect(result).to.exist;
    expect(result.data).to.equal(randomData);
@ -449,18 +449,18 @@ function omnibus() {
          }),
          // Signing message
          openpgp.sign(
-            { message: await openpgp.createCleartextMessage({ text: 'Hi, this is me, Hi!' }), privateKeys: hi }
+            { message: await openpgp.createCleartextMessage({ text: 'Hi, this is me, Hi!' }), signingKeys: hi }
          ).then(async signed => {
            const msg = await openpgp.readCleartextMessage({ cleartextMessage: signed });
            // Verifying signed message
            return Promise.all([
              openpgp.verify(
-                { message: msg, publicKeys: hi.toPublic() }
+                { message: msg, verificationKeys: hi.toPublic() }
              ).then(output => expect(output.signatures[0].valid).to.be.true),
              // Verifying detached signature
              openpgp.verify({
                message: await openpgp.createMessage({ text: 'Hi, this is me, Hi!' }),
-                publicKeys: hi.toPublic(),
+                verificationKeys: hi.toPublic(),
                signature: msg.signature
              }).then(output => expect(output.signatures[0].valid).to.be.true)
            ]);
@ -469,8 +469,8 @@ function omnibus() {
          openpgp.encrypt(
            {
              message: await openpgp.createMessage({ text: 'Hi, Hi wrote this but only Bye can read it!' }),
-              publicKeys: [bye.toPublic()],
+              encryptionKeys: [bye.toPublic()],
-              privateKeys: [hi]
+              signingKeys: [hi]
            }
          ).then(async encrypted => {
            const msg = await openpgp.readMessage({ armoredMessage: encrypted });
@ -478,8 +478,8 @@ function omnibus() {
            return openpgp.decrypt(
              {
                message: msg,
-                privateKeys: bye,
+                decryptionKeys: bye,
-                publicKeys: [hi.toPublic()]
+                verificationKeys: [hi.toPublic()]
              }
            ).then(output => {
              expect(output.data).to.equal('Hi, Hi wrote this but only Bye can read it!');
--- a/test/security/message_signature_bypass.js
+++ b/test/security/message_signature_bypass.js
@ -97,7 +97,7 @@ async function fakeSignature() {
  // faked message now verifies correctly
  const res = await openpgp.verify({
    message: fake,
-    publicKeys: await getOtherPubKey()
+    verificationKeys: await getOtherPubKey()
  });
  const { signatures } = res;
  expect(signatures).to.have.length(0);
--- a/test/security/preferred_algo_mismatch.js
+++ b/test/security/preferred_algo_mismatch.js
@ -43,5 +43,5 @@ EnxUPL95HuMKoVkf4w==
 module.exports = () => it('Does not accept message encrypted with algo not mentioned in preferred algorithms', async function() {
  const message = await openpgp.readMessage({ armoredMessage });
  const privKey = await openpgp.readKey({ armoredKey: privateKeyArmor });
-  await expect(openpgp.decrypt({ message, privateKeys: [privKey] })).to.be.rejectedWith('A non-preferred symmetric algorithm was used.');
+  await expect(openpgp.decrypt({ message, decryptionKeys: [privKey] })).to.be.rejectedWith('A non-preferred symmetric algorithm was used.');
 });
--- a/test/security/subkey_trust.js
+++ b/test/security/subkey_trust.js
@ -28,7 +28,7 @@ async function generateTestData() {
  attackerPrivKey.revocationSignatures = [];
  const signed = await openpgp.sign({
    message: await createCleartextMessage({ text: 'I am batman' }),
-    privateKeys: victimPrivKey,
+    signingKeys: victimPrivKey,
    armor: true
  });
  return {
@ -67,7 +67,7 @@ async function testSubkeyTrust() {
  fakeKey = await readKey({ armoredKey: await fakeKey.toPublic().armor() });
  const verifyAttackerIsBatman = await openpgp.verify({
    message: await readCleartextMessage({ cleartextMessage: signed }),
-    publicKeys: fakeKey
+    verificationKeys: fakeKey
  });
  expect(verifyAttackerIsBatman.signatures[0].keyID.equals(victimPubKey.subKeys[0].getKeyID())).to.be.true;
  expect(verifyAttackerIsBatman.signatures[0].valid).to.be.false;
--- a/test/security/unsigned_subpackets.js
+++ b/test/security/unsigned_subpackets.js
@ -59,7 +59,7 @@ async function makeKeyValid() {
    try {
      await openpgp.encrypt({
        message: await createMessage({ text: 'Hello', filename: 'hello.txt' }),
-        publicKeys: k
+        encryptionKeys: k
      });
      return false;
    } catch (e) {
--- a/test/typescript/definitions.ts
+++ b/test/typescript/definitions.ts
@ -30,7 +30,7 @@ import {
  // Encrypt text message (armored)
  const text = 'hello';
  const textMessage = await createMessage({ text: 'hello' });
-  const encryptedArmor: string = await encrypt({ publicKeys, message: textMessage });
+  const encryptedArmor: string = await encrypt({ encryptionKeys: publicKeys, message: textMessage });
  expect(encryptedArmor).to.include('-----BEGIN PGP MESSAGE-----');
  // Encrypt binary message (unarmored)
@ -38,18 +38,18 @@ import {
  binary[0] = 1;
  binary[1] = 2;
  const binaryMessage = await createMessage({ binary });
-  const encryptedBinary: Uint8Array = await encrypt({ publicKeys, message: binaryMessage, armor: false });
+  const encryptedBinary: Uint8Array = await encrypt({ encryptionKeys: publicKeys, message: binaryMessage, armor: false });
  expect(encryptedBinary).to.be.instanceOf(Uint8Array);
  // Decrypt text message (armored)
  const encryptedTextMessage = await readMessage({ armoredMessage: encryptedArmor });
-  const decryptedText = await decrypt({ privateKeys, message: encryptedTextMessage });
+  const decryptedText = await decrypt({ decryptionKeys: privateKeys, message: encryptedTextMessage });
  const decryptedTextData: string = decryptedText.data;
  expect(decryptedTextData).to.equal(text);
  // Decrypt binary message (unarmored)
  const encryptedBinaryMessage = await readMessage({ binaryMessage: encryptedBinary });
-  const decryptedBinary = await decrypt({ privateKeys, message: encryptedBinaryMessage, format: 'binary' });
+  const decryptedBinary = await decrypt({ decryptionKeys: privateKeys, message: encryptedBinaryMessage, format: 'binary' });
  const decryptedBinaryData: Uint8Array = decryptedBinary.data;
  expect(decryptedBinaryData).to.deep.equal(binary);
@ -59,26 +59,26 @@ import {
  // Sign cleartext message (armored)
  const cleartextMessage = await createCleartextMessage({ text: 'hello' });
-  const clearSignedArmor = await sign({ privateKeys, message: cleartextMessage });
+  const clearSignedArmor = await sign({ signingKeys: privateKeys, message: cleartextMessage });
  expect(clearSignedArmor).to.include('-----BEGIN PGP SIGNED MESSAGE-----');
  // Sign text message (armored)
-  const textSignedArmor: string = await sign({ privateKeys, message: textMessage });
+  const textSignedArmor: string = await sign({ signingKeys: privateKeys, message: textMessage });
  expect(textSignedArmor).to.include('-----BEGIN PGP MESSAGE-----');
  // Sign text message (unarmored)
-  const textSignedBinary: Uint8Array = await sign({ privateKeys, message: binaryMessage, armor: false });
+  const textSignedBinary: Uint8Array = await sign({ signingKeys: privateKeys, message: binaryMessage, armor: false });
  expect(textSignedBinary).to.be.instanceOf(Uint8Array);
  // Verify signed text message (armored)
  const signedMessage = await readMessage({ armoredMessage: textSignedArmor });
-  const verifiedText = await verify({ publicKeys, message: signedMessage });
+  const verifiedText = await verify({ verificationKeys: publicKeys, message: signedMessage });
  const verifiedTextData: string = verifiedText.data;
  expect(verifiedTextData).to.equal(text);
  // Verify signed binary message (unarmored)
  const message = await readMessage({ binaryMessage: textSignedBinary });
-  const verifiedBinary = await verify({ publicKeys, message, format: 'binary' });
+  const verifiedBinary = await verify({ verificationKeys: publicKeys, message, format: 'binary' });
  const verifiedBinaryData: Uint8Array = verifiedBinary.data;
  expect(verifiedBinaryData).to.deep.equal(binary);
--- a/test/worker/worker_example.js
+++ b/test/worker/worker_example.js
@ -51,8 +51,8 @@ onmessage = async function({ data: { action, message }, ports: [port] }) {
        });
        const data = await openpgp.encrypt({
          message: await openpgp.createMessage({ text: message }),
-          publicKeys: publicKey,
+          encryptionKeys: publicKey,
-          privateKeys: privateKey
+          signingKeys: privateKey
        });
        result = data;
        break;
@ -65,8 +65,8 @@ onmessage = async function({ data: { action, message }, ports: [port] }) {
        });
        const { data, signatures } = await openpgp.decrypt({
          message: await openpgp.readMessage({ armoredMessage: message }),
-          publicKeys: publicKey,
+          verificationKeys: publicKey,
-          privateKeys: privateKey
+          decryptionKeys: privateKey
        });
        if (!signatures[0].valid) {
          throw new Error("Couldn't veriy signature");