Safely sharing credentials with PGP
When working in teams, we are sometimes required to share some password / keys with our team. The most common way for me is probably through email or some chat client. But even though its convenience it's not actually a secure and a good practice. Especially if you are providing a service that deal with sensitive information.
Some simple approach would we communicating the password directly with a person through secure medium. One way to do it is both party ssh through a server and use talk client like write. But for some cases it's quite impractical.
Enter PGP. It's basically a software that do a Public-key cryptography. Public-key cryptography is basically encryption process which require 2 keys, one for encrypting and the other one for decrypting. Usually the public key is used for encrypting and private key is use for decrypting. I would not dive into the details about it since I've only have basic understanding about it. But for those people that is interested, you would read the nice article on wikipedia
There is a open source project called GPG (GNU Privacy Guard) and in this article I would like to show you how we could share some password / key file with it.
If you don't already have it on your system, you could installed it with:
After installing we would start by creating a pair of keys
$ gpg --gen-key
You will be asked with bunch of questions. Most of the answer you could leave it as a default but most important is fill in your email
address and also provide a Passphrase to protect your key with password. When it finish gathering information, it will start
creating a key pair by using system entropy. You can help the system to generate the entropy by clicking or moving your mouse randomly
or doing some random IO disk by triggering for example
After installing, you can see list of keys by using this command
In above output you could see that we have created public key with id of
70280895. Note this one because we are going to use it later
when submitting the key to a key server
To share your public key, so other people could send you encrypted message.
Note that further in this article I will discus ways to easily distribute your public key.
Encrypting and decrypting
With those generated keys, we could now do a personal encryption. That is if you want to encrypt a file and you are the only one who are able to decrypt it.
Those code will create a file name
message.txt.gpg which is encrypted message of
As you can see that we are successfully decrypted the message. This example you encrypt the message using your own public key. So this method only work if you want to archive or backup the file securely. In order to send someone else an encrypted message, you need to encrypt the message using the other person public key
Distributing the key
In order for any body to send you a encrypted message, you need to give your public key. Since public key only used for encryption, It's OK to publicly share your public key. But never share your private key. Once the other party have your public key they could start send you an encrypted message using the command above.
You could share your public key manually to some one (through usb / email etc) by exporting it first just like I mention before. But there are an easy way to distribute the key. There are some public GPG server that store your public key so that other people could easily find it and import it into their local machine. There are http://pgp.mit.edu and also ubuntu key server http://keyserver.ubuntu.com that we can use.
To send our key to MIT server we could do
the last number
70280895 was the key id of the public file. You could find it with the output of
gpg --list-keys command.
Now we have successfully send our public key any body could get your public key through that keyserver. You could test this
by searching a name or email or a person in the key server web interface. for example try searching my name on http://pgp.mit.edu/
Now to import other people public key, we could also do that in two way.
if the person give you a file which contain their public key (say
ahmy-pub.key). you could import it with
Or if the person already publish his public key to a keyserver, we can search it with
It will generate a list of keys that found on the keyserver. Enter the number of the keys and it will be imported to your local machine.
after importing you can send an encrypted message to the person for example
You could provide a name or an email address as a recipient.
THis command will encrypt the message using public key of a person name
At this point you are able to generate, export, distribute and import keys. More over you can already encrypt and decrypt file / message to a designated recipient. The the part two of this article I will share some idea how we could share some password / password key to other member of the team.
Site related post: