using-gpg-instead-of-fugacious.md

Using GPG to encrypt messages now that Fugacious is Toast

           _               _____ ______ _____   _                                           _
          (_)             |  __ \| ___ \  __ \ | |                                         | |
 _   _ ___ _ _ __   __ _  | |  \/| |_/ / |  \/ | |_ ___     ___ _ __   ___ _ __ _   _ _ __ | |_
| | | / __| | '_ \ / _` | | | __ |  __/| | __  | __/ _ \   / _ \ '_ \ / __| '__| | | | '_ \| __|
| |_| \__ \ | | | | (_| | | |_\ \| |   | |_\ \ | || (_) | |  __/ | | | (__| |  | |_| | |_) | |_
 \__,_|___/_|_| |_|\__, |  \____/\_|    \____/  \__\___/   \___|_| |_|\___|_|   \__, | .__/ \__|
                    __/ |                                                        __/ | |
                   |___/                                                        |___/|_|
                                                                       _   _           _
                                                                      | | | |         | |
 _ __ ___   ___  ___ ___  __ _  __ _  ___  ___   _ __   _____      __ | |_| |__   __ _| |_
| '_ ` _ \ / _ \/ __/ __|/ _` |/ _` |/ _ \/ __| | '_ \ / _ \ \ /\ / / | __| '_ \ / _` | __|
| | | | | |  __/\__ \__ \ (_| | (_| |  __/\__ \ | | | | (_) \ V  V /  | |_| | | | (_| | |_
|_| |_| |_|\___||___/___/\__,_|\__, |\___||___/ |_| |_|\___/ \_/\_/    \__|_| |_|\__,_|\__|
                                __/ |
                               |___/
______                      _                   _       _____               _
|  ___|                    (_)                 (_)     |_   _|             | |
| |_ _   _  __ _  __ _  ___ _  ___  _   _ ___   _ ___    | | ___   __ _ ___| |_
|  _| | | |/ _` |/ _` |/ __| |/ _ \| | | / __| | / __|   | |/ _ \ / _` / __| __|
| | | |_| | (_| | (_| | (__| | (_) | |_| \__ \ | \__ \   | | (_) | (_| \__ \ |_ _
\_|  \__,_|\__, |\__,_|\___|_|\___/ \__,_|___/ |_|___/   \_/\___/ \__,_|___/\__(_)
            __/ |
           |___/

Now that November 1st has come and gone, Fugacious / Toaster are gone as well. Without this system, GSA IT has requested that we share all sensitive information in other ways such as:

• Using Google Docs, such as a spreadsheet or document.
• Reading the message out loud over the phone.
• Sharing screens with the person and having them read it off your screen and write it out on their machine.

None of these are great options compared to how easy it was to use Fugacious / Toaster to send self-destructing messages to folks via a web form. Some projects at 18F also relied on Fugacious such as the cloud.gov team for the first iteration of passing deployer account credentials.

What's GPG, PGP, ETC?

 _ _ _ _       _      _        _____ _____ _____
| | | | |_ ___| |_   |_|___   |   __|  _  |   __|
| | | |   | .'|  _|  | |_ -|  |  |  |   __|  |  |_
|_____|_|_|__,|_|    |_|___|  |_____|__|  |_____| |
                                                |_|
                                          _____
 _____ _____ _____      _____ _____ _____|___  |
|  _  |   __|  _  |    |   __|_   _|     | |  _|
|   __|  |  |   __|_   |   __| | | |   --| |_|
|__|  |_____|__|  | |  |_____| |_| |_____| |_|
                  |_|

GPG stands for GNU Privacy Guard which is an open-source software suite that is OpenPGP compliant. OpenPGP is the open standard built out of the Pretty Good Privacy (PGP) encryption program.

With PGP you create a set of keys. A private key which you keep safe somehow. And a public key which you share with others in a responsible way. You can create as many of these keys as you'd like. Each one with a different identity which may be helpful when sending data infrequently.

Installing GPG on your machine

 __   __   __   ______   ______  ______   __       __       __   __   __   ______       ______   ______  ______
/\ \ /\ "-.\ \ /\  ___\ /\__  _\/\  __ \ /\ \     /\ \     /\ \ /\ "-.\ \ /\  ___\     /\  ___\ /\  == \/\  ___\
\ \ \\ \ \-.  \\ \___  \\/_/\ \/\ \  __ \\ \ \____\ \ \____\ \ \\ \ \-.  \\ \ \__ \    \ \ \__ \\ \  _-/\ \ \__ \
 \ \_\\ \_\\"\_\\/\_____\  \ \_\ \ \_\ \_\\ \_____\\ \_____\\ \_\\ \_\\"\_\\ \_____\    \ \_____\\ \_\   \ \_____\
 ______\/___\/___\/_______  ___/ ______/_/__/_____/________/ \/___\/_/__/_/________/______/_____/__/_/__  \_______   ______
/\  __ \ /\ "-.\ \     /\ \_\ \ /\  __ \ /\ \/\ \ /\  == \     /\ "-./  \ /\  __ \ /\  ___\ /\ \_\ \ /\ \ /\ "-.\ \ /\  ___\
\ \ \/\ \\ \ \-.  \    \ \____ \\ \ \/\ \\ \ \_\ \\ \  __<     \ \ \-./\ \\ \  __ \\ \ \____\ \  __ \\ \ \\ \ \-.  \\ \  __\
 \ \_____\\ \_\\"\_\    \/\_____\\ \_____\\ \_____\\ \_\ \_\    \ \_\ \ \_\\ \_\ \_\\ \_____\\ \_\ \_\\ \_\\ \_\\"\_\\ \_____\
  \/_____/ \/_/ \/_/     \/_____/ \/_____/ \/_____/ \/_/ /_/     \/_/  \/_/ \/_/\/_/ \/_____/ \/_/\/_/ \/_/ \/_/ \/_/ \/_____/

brew install gpg

After that runs, you will have the GNU Privacy Guard application suite installed. Try running the following command to read through your options.

gpg --help | less

Generating a new key pair

  ________                                   __  .__
 /  _____/  ____   ____   ________________ _/  |_|__| ____    ____
/   \  ____/ __ \ /    \_/ __ \_  __ \__  \\   __\  |/    \  / ___\
\    \_\  \  ___/|   |  \  ___/|  | \// __ \|  | |  |   |  \/ /_/  >
 \______  /\___  >___|  /\___  >__|  (____  /__| |__|___|  /\___  /
        \/     \/     \/     \/           \/             \//_____/
                                 __                               .__
_____      ____   ______  _  __ |  | __ ____ ___.__. ___________  |__|______
\__  \    /    \_/ __ \ \/ \/ / |  |/ // __ <   |  | \____ \__  \ |  \_  __ \
 / __ \_ |   |  \  ___/\     /  |    <\  ___/\___  | |  |_> > __ \|  ||  | \/
(____  / |___|  /\___  >\/\_/   |__|_ \\___  > ____| |   __(____  /__||__|
     \/       \/     \/              \/    \/\/      |__|       \/

     --gen-key              generate a new key pair

Running gpg --gen-key will walk you through the prompts for creating a key pair.

Encrypting a message using GPG

   ____                       __  _
  / __/__  __________ _____  / /_(_)__  ___ _
 / _// _ \/ __/ __/ // / _ \/ __/ / _ \/ _ `/
/___/_//_/\__/_/  \_, / .__/\__/_/_//_/\_, /
 ___ _  __ _  ___/___/_/_ ___ ____ ___/___/
/ _ `/ /  ' \/ -_|_-<(_-</ _ `/ _ `/ -_)
\_,_/ /_/_/_/\__/___/___/\_,_/\_, /\__/
           _             ____/___/ _____
 __ _____ (_)__  ___ _  / ___/ _ \/ ___/
/ // (_-</ / _ \/ _ `/ / (_ / ___/ (_ /
\_,_/___/_/_//_/\_, /  \___/_/   \___/
               /___/

 -e, --encrypt              encrypt data

Using the -e flag we can encrypt a message using our newly created PGP key.

gpg --armor --encrypt --recipient roger@rogeruiz.com --output encrypted.txt.lock decrypted.txt

Encrypting a message using GPG with symmetric keys

Decrypting a message using GPG

   ___                        __  _
  / _ \___ __________ _____  / /_(_)__  ___ _
 / // / -_) __/ __/ // / _ \/ __/ / _ \/ _ `/
/____/\__/\__/_/  \_, / .__/\__/_/_//_/\_, /
 ___ _  __ _  ___/___/_/_ ___ ____ ___/___/
/ _ `/ /  ' \/ -_|_-<(_-</ _ `/ _ `/ -_)
\_,_/ /_/_/_/\__/___/___/\_,_/\_, /\__/
           _             ____/___/ _____
 __ _____ (_)__  ___ _  / ___/ _ \/ ___/
/ // (_-</ / _ \/ _ `/ / (_ / ___/ (_ /
\_,_/___/_/_//_/\_, /  \___/_/   \___/
               /___/

 -d, --decrypt              decrypt data (default)

Using the -d flag we can decrypt a message using our newly created PGP key from our previous encrypted file.

gpg --decrypt --output decrypted2.txt encrypted.txt.lock

Exporting your public key

Passing the fingerprint along for the public key

Importing a public key

Signing a public key given to you

Deleting the key pair after use

Caveats

While you can set expiration dates on keys, You cannot on messages. This means that folks with your old private key can still decrypt those encrypted messages for as long as they have your old keys lying around. This is why it's important generate single-use keys if you'd like to recreate the ephemeral nature of Fugacious.

Another caveat is how long-term PGP keys are a real hassle with not very little benefit. Read more about it here.

Sharing messages with others

So far we've only been doing this locally on our machine. That's not super useful for replacing Fugacious. But we can leverage what we know about public and private keys and the previous commands to come up with interesting solutions. For this section, let's discuss and do some live coding to figure out how to best to tackle this problem.

Let's begin by sharing our public key with folks and then encrypt and decrypt messages we share with one another.

Here's some useful documentation for this exercise:

• https://www.gnupg.org/gph/en/manual/x56.html
• https://www.gnupg.org/gph/en/manual/x110.html

These slides still need to be fleshed out a bit, but the talk was a success to get fellow engineers working on how to support their post-Fugacious world. And I'm thinking it might be good to share this at an All-Hands as an alternative to using Google Docs for sharing sensitive information. Some cohorts brought up some great points about how both PGP is hard to work with for non-technical folks and how GPG tools have a GUI that makes it easier to use. Though, I'm not sure if we can use the latter. For now GPG can be installed via Homebrew so we're good on installing that. Will need to research things a bit more.

The biggest hurdle here may be FIPS 140-2. Libgcrypt, the crypto library that GPG uses, does have a FIPS 140-2 mode ( https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html ), but the only versions approved so far are the ones shipped in Red Hat and SuSE ( https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search ).

"None of these are great options compared to how easy it was to use Fugacious / Toaster to send self-destructing messages to folks via a web form." - Worth noting that GPG itself doesn't implement self-destructing messages. Depending on the security requirements, it may be sufficient to not specify the '--output' flag so that the plaintext is only written to the console, but not if the console activity is logged elsewhere.

"A private key which you keep safe somehow." - We'll need to specify how to keep a private key safe.

"And a public key which you share with others in a responsible way." - We'll need to specify what "responsible" means.

"Each one with a different identity" - We'll need to clarify what "identity" means here.

"Running gpg --gen-key will walk you through the prompts for creating a key pair." - We'll need to specify how to answer the prompts.

"Using the -e flag we can encrypt a message using our newly created PGP key." - We'll need to specify how to edit gpg.conf so that only the best cipher options are used. Also, so that public keyservers aren't used to resolved unknown recipients. Also, how to import a key. Also, how to verify trust in an imported key.

"This is why it's important generate single-use keys if you'd like to recreate the ephemeral nature of Fugacious." - Single-use keys don't recreate the ephemeral nature of Fugacious; as long as the ciphertext remains somewhere, there is a non-zero risk of it being deciphered. It may be an acceptable risk, but not identical to Fugacious' behaviour.

"Another caveat is how long-term PGP keys are a real hassle with not very little benefit." - We should take a position here, whether to follow #1 or #2 in https://gist.github.com/grugq/03167bed45e774551155#key-loss-is-catastrophic .

Stepping back a bit, https://gist.github.com/grugq/03167bed45e774551155 is already pretty great, but notes that "If you are not familiar with PGP, please read another guide first. If you are comfortable using PGP to encrypt and decrypt emails, this guide will raise your security to the next level." So I would recommend that we try not to be both guides, but the one that gets our folks who need PGP comfortable using it, and then point them at Operational PGP.

Oh these are awesome comments @commit-dkp! Thanks!