β

Sharing Secrets with GPG

8th Light Blog 20 阅读
posts/2018-10-23-sharing-secrets-with-gpg/sharing-secrets-GPG-social.jpg

As software developers we're often given access to various pieces of sensitive information in order to do our job. This could be anything from database passwords, API keys, TLS certificates, or even private SSH keys to our servers. Also, there's likely going to come a time when we need to share these secrets with our colleagues who don't have them. Maybe they're new to the team, or maybe they're working on a story that requires this information for the first time. Either way, this puts us in a pickle!

It's tempting to simply attach this information to an email or paste/upload it to Slack and assume that everything will be ok. But will it? How can we be sure? Is it worth risking our job, our company's reputation, or our users' privacy?

This blog is meant to be a simple introduction to gpg and a walkthrough of how to get set up, generate your own encryption keys, and send secrets over insecure forms of communication. It assumes a working knowledge of the command line and enough of an understanding of your operating system's package manager to install programs.

Public Key Cryptography

GPG uses a form of cryptography called public-key cryptography . Cryptography is a complex topic, but fortunately for us, a deep understanding of the math and theory behind it isn't necessary to grasp how it works at a high level.

In public key cryptography we generate two encryption keys. One of these keys is called our private key, which—as the name suggests—we want to keep a secret. The other is our public key, which we can publish for the world to see. These two separate keys let us do some interesting things. First, we can encrypt data using our private key, send it to someone, and using our public key they can decrypt the message and gain a reasonable level of assurance that it was actually us who authored the message. We call this process signing . Similar to signing a document using our written signature, we're signing the message using our cryptographic signature. Conversely, anyone in the world can encrypt some data with our public key, send it back to us, and have a reasonable level of assurance that only we can decode it. We refer to this is as encryption (even though they're both technically encryption).

Installing GPG

GPG can be installed using GPG Tools or from the package manager for your specific operating system. Here are some examples...

macOS

brew install gnupg

Ubuntu

sudo apt-get install gnupg

Generating Your Own Keypair

Although one doesn't technically need their own public and private keys to encrypt a message to someone else, it's a good idea to generate them. We'll need them if we want to receive encrypted messages at some point in the future, and we'll need our own private key for one small step later in the process. To generate a key, run the following command...

gpg --full-generate-key

This command will start the key generation process and prompt you with a few questions...

gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

The default selection of RSA and RSA is ok here.


RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Type 4096 and press enter.

Please specify how long the key should be valid.
 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Let's pick a reasonable expiration time of 1 year by typing 1y and pressing enter.

Key expires at Sat Oct  5 20:35:44 2019 CDT
Is this correct? (y/N)

Type y , press enter, and then proceed to fill out the requested information...

GnuPG needs to construct a user ID to identify your key.

Real name: Aaron Lahey
Email address: alahey@8thlight.com
Comment:
You selected this USER-ID:
    "Aaron Lahey <alahey@8thlight.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Type O and press enter. When presented with the password screen, type a password and press enter. This is the password you'll use to unlock your private key when you want to sign or decrypt anything.

Creating Our Secret

Before we begin encrypting files we first need something to encrypt. Let's create a text file with some fake sensitive data using the following command...

$ echo 'secretpassword' > password.txt

Once the file is created, let's make sure it's correct...

$ cat password.txt
secretpassword

Looks good! Let's imagine I want to send this file to my new teammate Ben. I might be tempted to attach it to an email or upload it to Slack, but remember, this file contains sensitive information—perhaps a production database password! We need a way to encode this file so that Ben is the only one who can decode and read it.

Importing a Public Key

To do that, we encrypt the file using Ben's public key. Since Ben possesses the corresponding private key and he's taken precautions to keep it safe, only he'll be able to decrypt it. Before we do that, let's make sure we have his public key on our computer...

$ gpg --list-keys --quiet
/Users/aaronlahey/.gnupg/pubring.gpg
------------------------------------
pub   rsa4096 2018-09-11 [SC] [expires: 2019-09-11]
      B204475FD47FBA3371E656AFF4496594665C6136
uid           [ultimate] Aaron Lahey <alahey@8thlight.com>
sub   rsa4096 2018-09-11 [E] [expires: 2019-09-11]

Uh oh! The only public key we have on our computer is our own! Since Ben is relatively new to gpg , maybe we can offer a few suggestions. First, let's figure out his key ID by executing the same list command as above on his computer...

$ gpg --list-keys --quiet
/Users/aaronlahey/.gnupg/pubring.gpg
------------------------------------
pub   rsa2048 2018-09-21 [SC] [expires: 2020-09-20]
12983429D55B17AFD25DC4B96D7E4D5256FE
uid           [ultimate] Ben Smith <bsmith@example.com>
sub   rsa2048 2018-09-21 [E] [expires: 2020-09-20]

This command prints a brief summary of each public key and actually includes more information than necessary. All Ben needs to worry about is the ID, which in this case is 765312983429D55B17AFD25DC4B96D7E4D5256FE . Once we have the ID we can export his public key...

$ gpg --export 765312983429D55B17AFD25DC4B96D7E4D5256FE
[���.=
V���۝!ƴ��R��0<��8���i]H�����Ʌ����<��U�P9���{�Y�h�H
                                                   �T�Œ�{���T1Ɂ3l/�p��B�l���Ȩ���!cвb·G��|�Ʊ������-�z��y�����Gw�õj
vÁ��i[���W�7z��$اD���#�bJ�K��LGֹB���r���b��xȆ�E��c�L
�/SHw�!Ben Smit <bsmith@example.com>�>!vS�4)�[��]Ĺm~MRV�[��L   �g


       �
    Ĺm~MRV����+�5
                     s4�ў�Sl�I���]�55cȥ�\xK�(�mJ*�bX;�)��
                                                         EQ&u��Bu�
B���d�L}t�K�*��a�$�S@���|4�<A�e���(��l�1lRj]��f�Id��f���b�ń�KF�;��E
                                                                    Sn���BC�13|���^�Q��AY��ݪaN@��y�
*>2x/$W��h�ᶪpP�&+I�&!vS�4)�[��]Ĺm~MRV�[��L�ȄhI@��g���� �D�H��.%�|��sR^��R���j6׽[���Ԁ��aAF��2�T��^�)�z��wE�WU�5��y�[`~�a�SCm�A{��q}x=�Zg#V��_�w�ޥ���yI�/�6}r�6�
    Ĺm~MRV��t�v���Z��{޷�>#��m�z�N�D��g��Ar�H;D���߷ɭr[�ϘX��ݭ�қL�d~�e�����;C�yd+��X��Scl��;�l�&?�D�K8#ߋ#��忘���W��VZ�c���_�/�



作者:8th Light Blog
原文地址:Sharing Secrets with GPG, 感谢原作者分享。