Published: 10/06/2015

PGP is an encryption tool I use to encrypt and decrypt files containing sensitive data.

We use GPG to decrypt PGP files as part of our ETL process. GPG Wiki: http://en.wikipedia.org/wiki/GNU_Privacy_Guard

## Requirements

GPG is required to be installed on any system that decrypts PGP files. There are many binaries available for download depending on your OS at: https://www.gnupg.org/download/.

To install on a Mac, we highly recommend using Homebrew.

```
brew doctor
brew update
brew install -v gpg
```

Windows users: http://www.gpg4win.org/

## Importing existing keys

```
gpg --import *
```

This imports every key file in the current directory, i.e. both the public and the private key.

## Creating keys

  1. From the command line run the following command:

  2. `gpg --gen-key`

You will be taken through a series of prompts:

  1. ‘Please select what kind of key you want:’ enter the value 1 to select ‘RSA and RSA (default)’.

  2. ‘RSA keys may be between 1024 and 4096 bits long. What keysize do you want?’ Press Enter to accept the default, typically 2048, which is fine; longer is more secure.

  3. ‘Please specify how long the key should be valid’: the options are:

     ```
     0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
     ```

     For expires in 3 weeks use `3w`. It will show you the resulting date and ask you if this is correct; enter ‘y’ if it is, ‘n’ if it is not.

  4. ‘You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:’ Since PGP is used to encrypt emails and not typically files, you need to enter a name, comment and email to sign this document with.

     For the ‘Real name:’ I’m going to use the project’s name, ‘Private Exchange’. For the ‘Email address:’ I’m going to use my own, ‘adam.bourg@blah.com’. For the comment, I’m leaving it blank.

     Next prompt: “You selected this USER-ID: “Private Project <adam.bourg@blah.com>” Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?” Enter O to say okay.

  5. ‘You need a Passphrase to protect your secret key. Enter passphrase:’ This is a password used to unlock the private key. I’m going to use the phrase ‘purple_flowers_blue_sky_2015’. You’ll be asked to repeat the same phrase. You need to save this somewhere: random is better and long is better. If you lose the key or the phrase, you’re screwed; you can’t decrypt the file.

  6. You should see output similar to:

     ```
     We need to generate a lot of random bytes. It is a good idea to perform
     some other action (type on the keyboard, move the mouse, utilize the
     disks) during the prime generation; this gives the random number
     generator a better chance to gain enough entropy.
     .+++++
     ..+++++
     We need to generate a lot of random bytes. It is a good idea to perform
     some other action (type on the keyboard, move the mouse, utilize the
     disks) during the prime generation; this gives the random number
     generator a better chance to gain enough entropy.
     .+++++
     .............+++++
     gpg: key 55FB8C3D marked as ultimately trusted
     public and secret key created and signed.

     gpg: checking the trustdb
     gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
     gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
     gpg: next trustdb check due at 2015-03-02
     pub   2048R/55FB8C3D 2015-02-27 [expires: 2015-03-02]
           Key fingerprint = 6F4A D6CF EE9B 7101 579E 33BE 3431 A309 55FB 8C3D
     uid                  Private Exchange <adam.bourg@blah.com>
     sub   2048R/EB4B2DDB 2015-02-27 [expires: 2015-03-02]
     ```

  3. This will generate two keys (the public and the private key) that are saved to your PGP key chain.

## Encrypting a file

Now that you have your keys, let’s say you have a file called “major_risk_data.csv” and you want to encrypt that file. Using the command line:

  1. cd into the directory where the file is stored.

  2. Encryption command explained:

     ```
     gpg --output {where_you_want_it_saved} --encrypt --recipient {what_is_the_email_of_the_user} {path_to_file_to_be_encrypted}
     ```

     {where_you_want_it_saved}: the path you want the encrypted file saved to

     {what_is_the_email_of_the_user}: the user you entered for the key; within the PGP config this is stored as the ‘email’ field

     {path_to_file_to_be_encrypted}: the path to the file to be encrypted

  3. Example using repo keys:

     ```
     gpg --output ./major_risk_data.pgp --encrypt --recipient foo@bar.com ./major_risk_data.csv
     ```

     It may prompt you saying:

     ```
     gpg: AEFA524B: There is no assurance this key belongs to the named user

     pub  2048R/AEFA524B 2014-11-07 foo@bar.com
      Primary key fingerprint: 4D92 72E5 8CC8 E1EB CA11 544A 07B3 E105 AEFA 524B

     It is NOT certain that the key belongs to the person named
     in the user ID.  If you *really* know what you are doing,
     you may answer the next question with yes.

     Use this key anyway? (y/N)
     ```

     For testing purposes this is fine, just say yes (y).

  4. Now you should see a pgp file named ‘phi.pgp’ in your current directory.

## Decrypting a file

Files to be decrypted must have the extension “.pgp”, at least for the ingest process; the tool itself accepts any extension. Using the command line:

  1. cd into the directory where the file is stored.

  2. Decryption command explained:

     ```
     gpg --output {where_you_want_it_saved} --decrypt {encrypted_file}
     ```

     {where_you_want_it_saved}: the path where you want the decrypted file to be saved

     {encrypted_file}: the path to the encrypted file

  3. Example using repo keys:

     ```
     gpg --output ./phi_decrypted.csv --decrypt ./phi.pgp
     ```

     It will output something similar to:

     ```
     You need a passphrase to unlock the secret key for
     user: "foo@bar.com"
     2048-bit RSA key, ID AEFA524B, created 2014-11-07

     Enter passphrase:
     ```

     You’ll enter the passphrase from the config file, or the passphrase that you gave the keys when you created them.
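The create, encrypt and decrypt steps above, run without any prompts the way an ETL job has to run them, as an added example that is not part of the original post. It works inside a throwaway GNUPGHOME so the real keyring is never touched; the key name, e-mail address, passphrase and sample CSV are constructed for the example, and the options used (`--batch`, `--pinentry-mode loopback`, `--passphrase-file`) assume GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): the post's create / encrypt /
# decrypt steps run without prompts, as an ETL job would, inside a throwaway
# GNUPGHOME so the real keyring is untouched. Name, e-mail, passphrase and
# sample data are constructed; options assume GnuPG 2.1 or later.
set -eu

# Ingest rule from the post: only *.pgp files are accepted. Derive the output
# name from the input, e.g. ./phi.pgp -> ./phi_decrypted.csv
decrypted_path() {
    case "$1" in
        *.pgp) printf '%s_decrypted.csv\n' "${1%.pgp}" ;;
        *)     return 1 ;;
    esac
}

# Decrypt one file. The passphrase comes from a 0600 file, never from the
# command line, where it would be visible in `ps` output and shell history.
decrypt_pgp() {   # usage: decrypt_pgp <file.pgp> <passphrase-file>
    out=$(decrypted_path "$1") || { echo "refusing non-.pgp file: $1" >&2; return 1; }
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --output "$out" --decrypt "$1"
    printf '%s\n' "$out"
}

# Round trip: batch key generation, encrypt, decrypt, byte-for-byte compare.
roundtrip_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    cd "$GNUPGHOME"
    printf 'purple_flowers_blue_sky_2015\n' > pass.txt; chmod 600 pass.txt
    # Same answers as the interactive prompts in the post, in parameter-file form.
    gpg --batch --quiet --pinentry-mode loopback --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Private Exchange
Name-Email: etl@example.com
Expire-Date: 3w
Passphrase: purple_flowers_blue_sky_2015
%commit
EOF
    printf 'id,risk\n1,high\n' > phi.csv     # constructed sample data
    # Our own key is ultimately trusted, so no "Use this key anyway?" prompt.
    gpg --batch --quiet --output phi.pgp --encrypt --recipient etl@example.com phi.csv
    cmp phi.csv "$(decrypt_pgp phi.pgp pass.txt)"   # exit 0 only if identical
}

if command -v gpg >/dev/null 2>&1; then roundtrip_demo; fi
```

The round trip leaves the decrypted file next to the original inside the temporary GNUPGHOME, which you can delete afterwards.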