A while back I was given the task of setting up encryption for sending files around. Ooh. Sounds tricky, I thought. I’ve seen PGP signatures on privacy freaks’ e-mail for years now, but it all seemed a bit like black magic. I had no idea how it worked.
I went looking, and it turns out it’s not really particularly difficult to figure out or get working. But I had to wade through a few hefty (in web terms) manuals to find all the info I needed. I never really found a web page which detailed the basics in an easy to digest format. This could be that page.
PGP and GPG
PGP is Pretty Good Privacy, invented by Phil Zimmerman and now run by the PGP Corporation. It’s the defacto standard for this kind of stuff. It’s fairly secure, and has the added benefit of compressing text quite well. PGP sell a number of solutions, but if you’re wondering about freebies, then…
GPG is Gnu Privacy Guard, which is the free implementation of (most of) PGP. It lives here: www.gnupg.org.
How to use it
Encryption of this type is all about keys. If you haven’t grasped the key concept before, here it is in brief: a recipient has a public and a private key. The public key is given to anybody. Senders encrypt stuff using the public key. Only the recipient has the private key, and uses this to decrypt stuff. Obviously if communication is two-way, you need multiple public and private keys. Okay? Easy.
GnuPG.org has the software for just about every platform under the sun, but I had to run it on Windows, so that’s what I’m talking about here. Others may vary a tad.
You don’t need to install it as such, just chuck the files in your chosen directory. You’ll get the executables, files used for the key database, and some documentation text files. It assumes it’s installed in c:gnupg. In general, the
--homedir "d:whatever" argument needs to be used to tell GPG that it’s living elsewhere.
To list the keys in a key database:
To create a key:
It’ll ask you a bunch of questions. If in doubt, just take the default. If intending to use in batch files, use a blank pass-phrase when asked.
To avoid later warnings about non-signed keys, it is worth signing the key. This is especially important for batch files:
gpg --lsign-key "key name"
To export a public key:
gpg -a --export "key name"
The â€“a is to make it ASCII, eg displayable. The output can be redirected to a file.
To import a public key from an external system:
gpg --import [filename]
To encrypt a file:
gpg --encrypt -r"Recipient key" < SourceFile > DestFile
To decrypt a file:
gpg --decrypt SourceFile > DestFile
gpg --decrypt-files SourceFiles
That’s about it for the basics. By default encrypted files have a .gpg extension.
It works fine in batch files. Running it from other code is a bit more tricky. I’m not sure why, but I couldn’t get it to run directly as a shell command from VB — ended up getting VB to generate a temporary batch file, which it then shelled to. A little clunky, but it works. (A COM DLL wrapper I found on the interweb used the same method).
Clunkiness aside, it’s fast, reliable, pretty secure and not too hard to use once you figure it out.
Why do you say to use a blank pass-phrase when generating a key for use in batch files?
As far as I can tell, if you don’t use a blank pass-phrase, GPG will sit there waiting for a human to enter it when the command runs, making it unsuitable for batch files.
Years on, and I’m still pointing my newer sysadmins at your site to start their GPG curve. Good Show!