Published: 10/06/2015
PGP is an encryption tool I use to encrypt and decrypt files containing sensitive data.
We use GPG to decrypt PGP files as part of our ETL process. GPG Wiki: http://en.wikipedia.org/wiki/GNU_Privacy_Guard
## Requirements
GPG is required to be installed on any system that decrypts PGP files. There are many binaries available for download depending on your OS at: https://www.gnupg.org/download/.
To install on a Mac, we highly recommend using Homebrew.
brew doctor
brew update
brew install -v gpg
Windows users: http://www.gpg4win.org/
## Importing existing keys
gpg --import *
This imports both keys from the key files in the current directory.
## Creating keys
From the command line run:
gpg --gen-key
You will be taken through a series of prompts:
1. 'Please select what kind of key you want:' Enter the value 1 to select 'RSA and RSA (default)'.
2. 'RSA keys may be between 1024 and 4096 bits long. What keysize do you want?' Press enter to go with the default, typically 2048, which is fine. Longer is more secure.
3. 'Please specify how long the key should be valid.' The options are:
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
   For a key that expires in 3 weeks, enter: 3w
   It will show you the resulting date and ask if this is correct; enter 'y' if it is, 'n' if it is not.
4. 'You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:' Since PGP is typically used to encrypt email rather than files, you are asked for a name, comment and email address, which together form the user ID attached to the key.
   For the 'Real name:' I'm going to use the project's name, 'Private Exchange'.
   For the 'Email address:' I'm going to use my own, 'adam.bourg@blah.com'.
   For the comment, I'm leaving it blank.
   Next prompt:
   'You selected this USER-ID: "Private Exchange <adam.bourg@blah.com>"
   Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?'
   Enter O to say okay.
5. 'You need a Passphrase to protect your secret key. Enter passphrase:' This is a password used to unlock the private key. I'm going to use the phrase 'purple_flowers_blue_sky_2015'.
   You'll be asked to repeat the same phrase. You need to save this phrase; random is better and long is better. If you lose the key or the phrase, you're screwed: you can't decrypt the file.
6. You should see output similar to:
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   .+++++
   ..+++++
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   .+++++
   ..............+++++
   gpg: key 55FB8C3D marked as ultimately trusted
   public and secret key created and signed.
   gpg: checking the trustdb
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u
   gpg: next trustdb check due at 2015-03-02
   pub 2048R/55FB8C3D 2015-02-27 [expires: 2015-03-02]
   Key fingerprint = 6F4A D6CF EE9B 7101 579E 33BE 3431 A309 55FB 8C3D
   uid Private Exchange <adam.bourg@blah.com>
   sub 2048R/EB4B2DDB 2015-02-27 [expires: 2015-03-02]
This generates a public and a secret key, both saved to your GPG keyring.
## Encrypting a file
Now that you have your keys, let's say you have a file called "major_risk_data.csv" and you want to encrypt that file.
Using the command line:
1. cd into the directory where the file is stored.
2. Encryption command explained:
gpg --output {where_you_want_it_saved} --encrypt --recipient {what_is_the_email_of_the_user} {path_to_file_to_be_encrypted}
{where_you_want_it_saved}: the path you want the encrypted file saved to
{what_is_the_email_of_the_user}: the email address of the user you entered for the key; in the PGP config this is stored as the 'email' field
{path_to_file_to_be_encrypted}: the path to the file to be encrypted
3. Example using the repo keys:
gpg --output ./major_risk_data.pgp --encrypt --recipient foo@bar.com ./major_risk_data.csv
It may prompt you with:
gpg: AEFA524B: There is no assurance this key belongs to the named user
pub 2048R/AEFA524B 2014-11-07 foo@bar.com
Primary key fingerprint: 4D92 72E5 8CC8 E1EB CA11 544A 07B3 E105 AEFA 524B
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
For testing purposes this is fine; just say yes (y). For real data, compare the printed fingerprint with one obtained from the key's owner through a separate channel before answering yes.
4. You should now see a PGP file named 'major_risk_data.pgp' in your current directory.
## Decrypting a file
Files to be decrypted must have the extension ".pgp" for the ingest process; GPG itself does not care what extension the file has.
Using the command line:
1. cd into the directory where the file is stored
2. Decryption command explained:
gpg --output {where_you_want_it_saved} --decrypt {encrypted_file}
{where_you_want_it_saved}: the path where you want the decrypted file saved
{encrypted_file}: the path to the encrypted file
3. Example using the repo keys:
gpg --output ./phi_decrypted.csv --decrypt ./phi.pgp
It will output something similar to:
You need a passphrase to unlock the secret key for
user: “foo@bar.com”
2048-bit RSA key, ID AEFA524B, created 2014-11-07
Enter passphrase:
Enter the passphrase from the config file, or the passphrase you chose when you created the keys.
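The whole procedure above (key creation, key import, encryption, decryption) as one unattended script, added here as an example and not part of the original post. It assumes GnuPG 2.1 or later on the PATH, and uses a constructed name, email address, passphrase and sample CSV in place of the page's own; `--trust-model always` stands in for answering y at the "Use this key anyway?" prompt.

```shell
#!/bin/sh
# Added example: the page's create/import/encrypt/decrypt steps, run unattended
# in throwaway keyrings. Names, email and passphrase are constructed placeholders.
set -eu
WORK=$(mktemp -d)
RECIPIENT_HOME="$WORK/recipient"   # holds the secret key (the ETL side)
SENDER_HOME="$WORK/sender"         # holds only the imported public key
PASSFILE="$WORK/passphrase.txt"
EMAIL="etl@example.com"
mkdir -m 700 "$RECIPIENT_HOME" "$SENDER_HOME"
printf '%s' 'example-passphrase-change-me' > "$PASSFILE"
trap 'for h in "$RECIPIENT_HOME" "$SENDER_HOME"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
# A parameter file answers the interactive --gen-key prompts described above.
gen_key() {
  gpg --homedir "$RECIPIENT_HOME" --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Private Exchange
Name-Email: $EMAIL
Expire-Date: 3w
Passphrase: $(cat "$PASSFILE")
%commit
EOF
}
# The sender gets only the public key, as in "Importing existing keys".
share_public_key() {
  gpg --homedir "$RECIPIENT_HOME" --batch --armor --export "$EMAIL" > "$WORK/etl.pub.asc"
  gpg --homedir "$SENDER_HOME" --batch --import "$WORK/etl.pub.asc"
}
# The imported key has no trust path, so in --batch mode gpg would abort where
# the interactive session asks "Use this key anyway?". --trust-model always
# takes the place of answering y; verify the fingerprint out of band first.
encrypt_file() {
  gpg --homedir "$SENDER_HOME" --batch --trust-model always \
      --output "$2" --encrypt --recipient "$EMAIL" "$1"
}
# The passphrase comes from a file instead of the "Enter passphrase:" prompt.
decrypt_file() {
  gpg --homedir "$RECIPIENT_HOME" --batch --pinentry-mode loopback \
      --passphrase-file "$PASSFILE" --output "$2" --decrypt "$1"
}
printf 'id,risk\n1,high\n2,low\n' > "$WORK/major_risk_data.csv"   # constructed sample
gen_key; share_public_key
encrypt_file "$WORK/major_risk_data.csv" "$WORK/major_risk_data.pgp"
decrypt_file "$WORK/major_risk_data.pgp" "$WORK/major_risk_data.decrypted.csv"
round_trip_ok() { cmp -s "$WORK/major_risk_data.csv" "$WORK/major_risk_data.decrypted.csv"; }
ciphertext_differs() { ! cmp -s "$WORK/major_risk_data.csv" "$WORK/major_risk_data.pgp"; }
```

In a real ETL setup, replace `--trust-model always` with a one-time fingerprint check followed by signing or setting ownertrust on the imported key, so that encryption fails loudly if a different key ever shows up under the same email address.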