Making sure we deal with secrets properly.

Why GPG

We use GPG to encrypt our secrets (passwords, backups, etc.). GPG lets us encrypt data for a recipient using their public key. A GPG identity consists of a private key and a public key.

Never disclose your private key.

https://gnupg.org/faq/gnupg-faq.html#whats_gnupg

Generating your GPG key

See here for how to generate your GPG key:

https://help.github.com/articles/generating-a-new-gpg-key/

Uploading your GPG key to the key server

First list your keys, then pick your fingerprint and upload it to the MIT key server (pgp.mit.edu).

how-we-work (master) ∆ gpg --list-keys
/Users/emilebosch/.gnupg/pubring.gpg
------------------------------------
pub   rsa2048 2017-01-08 [SC] [expires: 2018-01-08]
      38BC7A67156617E04F47E6912D62BCF27C07F5F3
uid           [ultimate] Emile Bosch (Sup yo, beers n keys) <[email protected]>
sub   rsa2048 2017-01-08 [E] [expires: 2018-01-08]

pub   rsa4096 2015-11-26 [SC]
      FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4
uid           [ unknown] Mathijs Baaijens <[email protected]>
sub   rsa4096 2015-11-26 [E]

pub   rsa2048 2017-09-26 [SC] [expires: 2019-09-26]
      178F252BE532FE912DA596F017C489BAE7957BC7
uid           [ unknown] groenewege <[email protected]>
sub   rsa2048 2017-09-26 [E] [expires: 2019-09-26]

In this case 38BC7A67156617E04F47E6912D62BCF27C07F5F3 is my fingerprint. We work with fingerprints only, so look up your own fingerprint in the same way.

Then upload your public key to the key server:

gpg --send-keys --keyserver hkp://pgp.mit.edu  38BC7A67156617E04F47E6912D62BCF27C07F5F3

Do this right after you have generated your key.

Getting your teammates' public GPG keys from the key server

You can retrieve your teammates' public keys from the key server by fetching them by fingerprint.

Emile’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu 38BC7A67156617E04F47E6912D62BCF27C07F5F3

Mathijs’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4

Rory’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu 178F252BE532FE912DA596F017C489BAE7957BC7

Encrypting notes for a teammate

Encrypt for a recipient using their fingerprint; run gpg --list-keys to see the fingerprints.

gpg --encrypt --armor --recipient FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4

gpg will wait on an empty prompt; type your message there and press CTRL+D to get the encrypted output, like this:

how-we-work (master) ∆ gpg --encrypt --armor --recipient FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4
gpg: 5EF4A5079F05243A: There is no assurance this key belongs to the named user
sub  rsa4096/5EF4A5079F05243A 2015-11-26 Mathijs Baaijens <[email protected]>
 Primary key fingerprint: FEF6 637E 9E91 A7A5 C414  9A68 D7E9 BD71 DD1C 57D4
      Subkey fingerprint: 956D 829D 450D 306A 2F83  E0F3 5EF4 A507 9F05 243A

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
Hello world
-----BEGIN PGP MESSAGE-----

hQIMA170pQefBSQ6ARAAhAEnJ7viM7orwgTY42Rbypf0oHbye1Z/TlV0J32JIwNG
ATPbx3KoFwWd/WQsLugB8etOYOzxkZzAQcjZOJmySmXj79unzV4UIuglFP1Qbdam
YMptR/7izIRLI4KLKlH00aEay+L6jss2w3zNbifzJlBseUTIzhTFDCMWPaPcD3Km
WMIECNTezQTrEhTr+f6+MW0iT3Tv/0L3tbu3uO6VZYRm1rsN2z+0FdCHagAHfq8m
VDCIVdFALI8cfLqNc2vyoTbcIX6lFgM0RbGdfePtMgWZUf7H7vAEimRiYg+XzHJF
T2fts6NUBwnsb685e+jckQv89sT/iiF56/mNSXjXTmGqVbj3rHUD9V/JVjDH8caV
ThLm5sthhbIY4qWUCQzRukvpzX4f8g7aKSji9JEr2WiVb+vrRUfTykxiA2TavRIK
NT++1SMcp+Lt7fYLjan/Tm+8s0itFa6KOW4YvfVdv/4O3g08ocS7S4ScasBy0Qwe
voc8EpIrgFb384IVbYPlMpGb/5GO6PF7TWncaS1UYRijvp/enH//uvYLwFCjafK/
+9OXVV8TbJcQ2z5PeKSHD/Pg+NRmONakda8ayqEpNBcxW/vsZV5yz/ZwbfBHY2ee
6SrEX+0pPyo494lbnxDt7PXLO6Q/1hqBVHyau82mKfwaptUmHM/2nRyfSYsmybTS
RwE369NIAMkVAn+Cj+8yxwbhQoG+eamvF0XNogTy6cztnUoIPk63dbFg+F5pQ1fh
4fuUTDLJQfV5RmdE6Pvdgj/VHm9hmuTr
=ky1O
-----END PGP MESSAGE-----

You can then copy the output and send it over an insecure channel such as Slack.
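The "There is no assurance this key belongs to the named user" prompt above is gpg telling you that nothing has verified the key yet. As an added example (not part of the original guide), the POSIX shell script below fetches a key, refuses to encrypt unless the primary-key fingerprint in the local keyring matches the one expected (the fingerprints published in this guide), and then locally signs the key so the prompt disappears because you checked it rather than because you typed "y". The colon-format listing embedded for the offline demo is constructed from the fingerprints shown above; the --quick-lsign-key step assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not part of the original guide. SAMPLE_LISTING is a
# constructed `gpg --with-colons --fingerprint` listing built from the
# fingerprints shown in this guide; timestamps and flag fields are illustrative.
SAMPLE_LISTING='tru::1:1500000000:0:3:1:5
pub:-:4096:1:D7E9BD71DD1C57D4:1448496000::-:::scESC::::::23::0:
fpr:::::::::FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4:
uid:-::::1448496000::0000000000000000000000000000000000000000::Mathijs Baaijens <[email protected]>::::::::::0:
sub:-:4096:1:5EF4A5079F05243A:1448496000::::::e::::::23:
fpr:::::::::956D829D450D306A2F83E0F35EF4A5079F05243A:'

# Print only primary-key fingerprints. In colon format the "fpr" record that
# directly follows a "pub" record belongs to the primary key; the one after
# "sub" is a subkey fingerprint, which is not what teammates publish.
primary_fprs() {
  awk -F: '$1=="pub"{want=1; next} $1=="fpr" && want{print $10; want=0; next} {want=0}'
}

# fingerprint_matches EXPECTED LISTING: succeed only if EXPECTED (with or
# without the spaces gpg prints, any case) is a primary-key fingerprint in LISTING.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  printf '%s\n' "$2" | primary_fprs | grep -qx "$expected"
}

# encrypt_for FINGERPRINT FILE: fetch the key, check that what landed in the
# keyring really carries the expected primary fingerprint, locally sign it
# (so the "no assurance" prompt stops for a good reason), then encrypt.
encrypt_for() {
  fpr=$1; file=$2
  gpg --keyserver hkp://pgp.mit.edu --recv-keys "$fpr" || return 1
  listing=$(gpg --with-colons --fingerprint "$fpr") || return 1
  fingerprint_matches "$fpr" "$listing" || {
    echo "refusing to encrypt: no primary key with fingerprint $fpr" >&2
    return 1
  }
  gpg --quick-lsign-key "$fpr" || return 1
  gpg --encrypt --armor --recipient "$fpr" "$file"
}

# Offline demo on the constructed listing (no gpg or network needed).
printf '%s\n' "$SAMPLE_LISTING" | primary_fprs
```

Running the demo prints only FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4; the subkey fingerprint 956D... is deliberately not accepted, because a keyserver can hand back any key for a short ID and only the full primary fingerprint you compared out of band counts.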

Decrypting notes from a teammate

When you have copied the data from an insecure channel, you need to decrypt it.

Start the decrypt command and paste the message into it:

how-we-work (master) ∆ gpg --decrypt --armor
-----BEGIN PGP MESSAGE-----

hQEMAzV4dnhFYjdAAQgA32+Knbqr36nJEFNY0BFpixv1HS1V5JTJgIEHJQu8bvsm
ORXiLX0B2DJGlq80eBkVg8kyU5+F5+XoMtDle/K41ezYtFFKJUETCdR0isnvcFbp
56GFW8ONhO13kJsVW4XSqMd4PmEU5iWEswzFTldCvjGaJvb54XD2VVZumsqozWAf
2cpHUXiKo50enkyZ/1PxVrVg2vIUcmST71hCu5TJUCO4e51dJHjSa6MVq3PwWSiN
Lu2gunBwtSD1MOi8bFoBmtyrKRCz2HFDDzqwv+nB6L/nvlHBG/nKHtiKO10QjUZS
kqFrwo634XsAEQ8b0YOJRSR4KJTXo/kmi3aAV3HoE9JGAe+dXCnKMUdSD6EFt7WQ
CAKcqh5fQi5isTrC7/zpwlMftyfXA8tgIc1m6CW6be/qk/3zXukKoP6uCSPNtvwB
JFT1vxid1w==
=YCRm
gpg: encrypted with 2048-bit RSA key, ID 3578767845623740, created 2017-01-08
      "Emile Bosch (Sup yo, beers n keys) <[email protected]>"
Hello wold

Encrypting files

To encrypt files or backups, use --encrypt without --armor:

 gpg --encrypt --recipient 38BC7A67156617E04F47E6912D62BCF27C07F5F3 backup.tar

This creates backup.tar.gpg, which you can distribute.

Decrypting files

To decrypt the file, run:

gpg --output backup.tar --decrypt backup.tar.gpg

Great!