Why GPG

We use GPG to encrypt our secrets (passwords, backups ec). GPG allows us to encrypt data for a recipient by using their public key. A GPG solution conists out of a private and public key, NEVER DISCLOSE/GIVE AWAY YOUR PRIVATE key. You can share your PUBLIC key freely.

https://gnupg.org/faq/gnupg-faq.html#whats_gnupg

Generating your GPG key

Check here how to generate your GPG key

https://help.github.com/articles/generating-a-new-gpg-key/

Uploading your GPG key to the keyserver

First list your keys, and then pick your fingerprint and upload it to the mit edu key server.

how-we-work (master) ∆ gpg --list-keys
/Users/emilebosch/.gnupg/pubring.gpg
------------------------------------
pub   rsa2048 2017-01-08 [SC] [expires: 2018-01-08]
      38BC7A67156617E04F47E6912D62BCF27C07F5F3
uid           [ultimate] Emile Bosch (Sup yo, beers n keys) <[email protected]>
sub   rsa2048 2017-01-08 [E] [expires: 2018-01-08]

pub   rsa4096 2015-11-26 [SC]
      FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4
uid           [ unknown] Mathijs Baaijens <[email protected]>
sub   rsa4096 2015-11-26 [E]

pub   rsa2048 2017-09-26 [SC] [expires: 2019-09-26]
      178F252BE532FE912DA596F017C489BAE7957BC7
uid           [ unknown] groenewege <[email protected]>
sub   rsa2048 2017-09-26 [E] [expires: 2019-09-26]

In this case 38BC7A67156617E04F47E6912D62BCF27C07F5F3 is my fingerprint. We work with fingerprints only. Check out your own fingerprint.

Then upload your public key to:

gpg --send-keys --keyserver hkp://pgp.mit.edu  38BC7A67156617E04F47E6912D62BCF27C07F5F3

After you have been generating your key

Getting your teammates public GPG from the keyserver

You can retrieve the GPG public keys from our keyserver by fetching the keys fingerprints.

Emile’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu 38BC7A67156617E04F47E6912D62BCF27C07F5F3

Mathijs’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4

Rory’s public key

gpg --recv-keys --keyserver hkp://pgp.mit.edu 178F252BE532FE912DA596F017C489BAE7957BC7

Encrypting notes for a team mate

You can encrypt it via the fingerprint of the user see, --list-keys to see the fingerprints.

gpg --encrypt --armor --recipient FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4

It wil start showing an empty screen, you can type there press CTRL+D to get the encrypted story. Like this.

how-we-work (master) ∆ gpg --encrypt --armor --recipient FEF6637E9E91A7A5C4149A68D7E9BD71DD1C57D4
gpg: 5EF4A5079F05243A: There is no assurance this key belongs to the named user
sub  rsa4096/5EF4A5079F05243A 2015-11-26 Mathijs Baaijens <[email protected]>
 Primary key fingerprint: FEF6 637E 9E91 A7A5 C414  9A68 D7E9 BD71 DD1C 57D4
      Subkey fingerprint: 956D 829D 450D 306A 2F83  E0F3 5EF4 A507 9F05 243A

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
Hello world
-----BEGIN PGP MESSAGE-----

hQIMA170pQefBSQ6ARAAhAEnJ7viM7orwgTY42Rbypf0oHbye1Z/TlV0J32JIwNG
ATPbx3KoFwWd/WQsLugB8etOYOzxkZzAQcjZOJmySmXj79unzV4UIuglFP1Qbdam
YMptR/7izIRLI4KLKlH00aEay+L6jss2w3zNbifzJlBseUTIzhTFDCMWPaPcD3Km
WMIECNTezQTrEhTr+f6+MW0iT3Tv/0L3tbu3uO6VZYRm1rsN2z+0FdCHagAHfq8m
VDCIVdFALI8cfLqNc2vyoTbcIX6lFgM0RbGdfePtMgWZUf7H7vAEimRiYg+XzHJF
T2fts6NUBwnsb685e+jckQv89sT/iiF56/mNSXjXTmGqVbj3rHUD9V/JVjDH8caV
ThLm5sthhbIY4qWUCQzRukvpzX4f8g7aKSji9JEr2WiVb+vrRUfTykxiA2TavRIK
NT++1SMcp+Lt7fYLjan/Tm+8s0itFa6KOW4YvfVdv/4O3g08ocS7S4ScasBy0Qwe
voc8EpIrgFb384IVbYPlMpGb/5GO6PF7TWncaS1UYRijvp/enH//uvYLwFCjafK/
+9OXVV8TbJcQ2z5PeKSHD/Pg+NRmONakda8ayqEpNBcxW/vsZV5yz/ZwbfBHY2ee
6SrEX+0pPyo494lbnxDt7PXLO6Q/1hqBVHyau82mKfwaptUmHM/2nRyfSYsmybTS
RwE369NIAMkVAn+Cj+8yxwbhQoG+eamvF0XNogTy6cztnUoIPk63dbFg+F5pQ1fh
4fuUTDLJQfV5RmdE6Pvdgj/VHm9hmuTr
=ky1O
-----END PGP MESSAGE-----

You can then copy send the the data over an insecure channel like slack.

Decrypting notes from a teammate

When you copy the data from an insecure channel you want to decrypt the data.

You start the decrypt and past the message in the code:

how-we-work (master) ∆ gpg --decrypt --armor
-----BEGIN PGP MESSAGE-----

hQEMAzV4dnhFYjdAAQgA32+Knbqr36nJEFNY0BFpixv1HS1V5JTJgIEHJQu8bvsm
ORXiLX0B2DJGlq80eBkVg8kyU5+F5+XoMtDle/K41ezYtFFKJUETCdR0isnvcFbp
56GFW8ONhO13kJsVW4XSqMd4PmEU5iWEswzFTldCvjGaJvb54XD2VVZumsqozWAf
2cpHUXiKo50enkyZ/1PxVrVg2vIUcmST71hCu5TJUCO4e51dJHjSa6MVq3PwWSiN
Lu2gunBwtSD1MOi8bFoBmtyrKRCz2HFDDzqwv+nB6L/nvlHBG/nKHtiKO10QjUZS
kqFrwo634XsAEQ8b0YOJRSR4KJTXo/kmi3aAV3HoE9JGAe+dXCnKMUdSD6EFt7WQ
CAKcqh5fQi5isTrC7/zpwlMftyfXA8tgIc1m6CW6be/qk/3zXukKoP6uCSPNtvwB
JFT1vxid1w==
=YCRm
gpg: encrypted with 2048-bit RSA key, ID 3578767845623740, created 2017-01-08
      "Emile Bosch (Sup yo, beers n keys) <[email protected]>"
Hello wold

Encrypting files

To encrypt files or backups use the encrypt without --armor

 gpg --encrypt --recipient 38BC7A67156617E04F47E6912D62BCF27C07F5F3 backup.tar

This will then create a backup.tar.gpg which you can distribute

Decrypting files

Then go decrypt some files via the folllowing text

gpg --output backup.tar --decrypt backup.tar.gpg

Great!