@rogeruiz
Last active June 25, 2019 23:10

Using GPG to encrypt messages now that Fugacious is Toast

           _               _____ ______ _____   _                                           _
          (_)             |  __ \| ___ \  __ \ | |                                         | |
 _   _ ___ _ _ __   __ _  | |  \/| |_/ / |  \/ | |_ ___     ___ _ __   ___ _ __ _   _ _ __ | |_
| | | / __| | '_ \ / _` | | | __ |  __/| | __  | __/ _ \   / _ \ '_ \ / __| '__| | | | '_ \| __|
| |_| \__ \ | | | | (_| | | |_\ \| |   | |_\ \ | || (_) | |  __/ | | | (__| |  | |_| | |_) | |_
 \__,_|___/_|_| |_|\__, |  \____/\_|    \____/  \__\___/   \___|_| |_|\___|_|   \__, | .__/ \__|
                    __/ |                                                        __/ | |
                   |___/                                                        |___/|_|
                                                                       _   _           _
                                                                      | | | |         | |
 _ __ ___   ___  ___ ___  __ _  __ _  ___  ___   _ __   _____      __ | |_| |__   __ _| |_
| '_ ` _ \ / _ \/ __/ __|/ _` |/ _` |/ _ \/ __| | '_ \ / _ \ \ /\ / / | __| '_ \ / _` | __|
| | | | | |  __/\__ \__ \ (_| | (_| |  __/\__ \ | | | | (_) \ V  V /  | |_| | | | (_| | |_
|_| |_| |_|\___||___/___/\__,_|\__, |\___||___/ |_| |_|\___/ \_/\_/    \__|_| |_|\__,_|\__|
                                __/ |
                               |___/
______                      _                   _       _____               _
|  ___|                    (_)                 (_)     |_   _|             | |
| |_ _   _  __ _  __ _  ___ _  ___  _   _ ___   _ ___    | | ___   __ _ ___| |_
|  _| | | |/ _` |/ _` |/ __| |/ _ \| | | / __| | / __|   | |/ _ \ / _` / __| __|
| | | |_| | (_| | (_| | (__| | (_) | |_| \__ \ | \__ \   | | (_) | (_| \__ \ |_ _
\_|  \__,_|\__, |\__,_|\___|_|\___/ \__,_|___/ |_|___/   \_/\___/ \__,_|___/\__(_)
            __/ |
           |___/

Now that November 1st has come and gone, Fugacious / Toaster are gone as well. Without this system, GSA IT has requested that we share all sensitive information in other ways such as:

  • Using Google Docs, such as a spreadsheet or document.
  • Reading the message out loud over the phone.
  • Sharing screens with the person and having them read it off your screen and write it out on their machine.

None of these are great options compared to how easy it was to use Fugacious / Toaster to send self-destructing messages to folks via a web form. Some projects at 18F also relied on Fugacious such as the cloud.gov team for the first iteration of passing deployer account credentials.

What's GPG, PGP, ETC?

 _ _ _ _       _      _        _____ _____ _____
| | | | |_ ___| |_   |_|___   |   __|  _  |   __|
| | | |   | .'|  _|  | |_ -|  |  |  |   __|  |  |_
|_____|_|_|__,|_|    |_|___|  |_____|__|  |_____| |
                                                |_|
                                          _____
 _____ _____ _____      _____ _____ _____|___  |
|  _  |   __|  _  |    |   __|_   _|     | |  _|
|   __|  |  |   __|_   |   __| | | |   --| |_|
|__|  |_____|__|  | |  |_____| |_| |_____| |_|
                  |_|

GPG stands for GNU Privacy Guard which is an open-source software suite that is OpenPGP compliant. OpenPGP is the open standard built out of the Pretty Good Privacy (PGP) encryption program.

With PGP you create a key pair: a private key, which you keep safe, and a public key, which you share with others in a responsible way. You can create as many of these key pairs as you'd like, each with a different identity, which may be helpful when sending data infrequently.

Installing GPG on your machine

 __   __   __   ______   ______  ______   __       __       __   __   __   ______       ______   ______  ______
/\ \ /\ "-.\ \ /\  ___\ /\__  _\/\  __ \ /\ \     /\ \     /\ \ /\ "-.\ \ /\  ___\     /\  ___\ /\  == \/\  ___\
\ \ \\ \ \-.  \\ \___  \\/_/\ \/\ \  __ \\ \ \____\ \ \____\ \ \\ \ \-.  \\ \ \__ \    \ \ \__ \\ \  _-/\ \ \__ \
 \ \_\\ \_\\"\_\\/\_____\  \ \_\ \ \_\ \_\\ \_____\\ \_____\\ \_\\ \_\\"\_\\ \_____\    \ \_____\\ \_\   \ \_____\
 ______\/___\/___\/_______  ___/ ______/_/__/_____/________/ \/___\/_/__/_/________/______/_____/__/_/__  \_______   ______
/\  __ \ /\ "-.\ \     /\ \_\ \ /\  __ \ /\ \/\ \ /\  == \     /\ "-./  \ /\  __ \ /\  ___\ /\ \_\ \ /\ \ /\ "-.\ \ /\  ___\
\ \ \/\ \\ \ \-.  \    \ \____ \\ \ \/\ \\ \ \_\ \\ \  __<     \ \ \-./\ \\ \  __ \\ \ \____\ \  __ \\ \ \\ \ \-.  \\ \  __\
 \ \_____\\ \_\\"\_\    \/\_____\\ \_____\\ \_____\\ \_\ \_\    \ \_\ \ \_\\ \_\ \_\\ \_____\\ \_\ \_\\ \_\\ \_\\"\_\\ \_____\
  \/_____/ \/_/ \/_/     \/_____/ \/_____/ \/_____/ \/_/ /_/     \/_/  \/_/ \/_/\/_/ \/_____/ \/_/\/_/ \/_/ \/_/ \/_/ \/_____/
brew install gpg

After that runs, you will have the GNU Privacy Guard application suite installed. Try running the following command to read through your options.

gpg --help | less

Generating a new key pair

  ________                                   __  .__
 /  _____/  ____   ____   ________________ _/  |_|__| ____    ____
/   \  ____/ __ \ /    \_/ __ \_  __ \__  \\   __\  |/    \  / ___\
\    \_\  \  ___/|   |  \  ___/|  | \// __ \|  | |  |   |  \/ /_/  >
 \______  /\___  >___|  /\___  >__|  (____  /__| |__|___|  /\___  /
        \/     \/     \/     \/           \/             \//_____/
                                 __                               .__
_____      ____   ______  _  __ |  | __ ____ ___.__. ___________  |__|______
\__  \    /    \_/ __ \ \/ \/ / |  |/ // __ <   |  | \____ \__  \ |  \_  __ \
 / __ \_ |   |  \  ___/\     /  |    <\  ___/\___  | |  |_> > __ \|  ||  | \/
(____  / |___|  /\___  >\/\_/   |__|_ \\___  > ____| |   __(____  /__||__|
     \/       \/     \/              \/    \/\/      |__|       \/
     --gen-key              generate a new key pair

Running gpg --gen-key will walk you through the prompts for creating a key pair.

Encrypting a message using GPG

   ____                       __  _
  / __/__  __________ _____  / /_(_)__  ___ _
 / _// _ \/ __/ __/ // / _ \/ __/ / _ \/ _ `/
/___/_//_/\__/_/  \_, / .__/\__/_/_//_/\_, /
 ___ _  __ _  ___/___/_/_ ___ ____ ___/___/
/ _ `/ /  ' \/ -_|_-<(_-</ _ `/ _ `/ -_)
\_,_/ /_/_/_/\__/___/___/\_,_/\_, /\__/
           _             ____/___/ _____
 __ _____ (_)__  ___ _  / ___/ _ \/ ___/
/ // (_-</ / _ \/ _ `/ / (_ / ___/ (_ /
\_,_/___/_/_//_/\_, /  \___/_/   \___/
               /___/
 -e, --encrypt              encrypt data

Using the -e flag we can encrypt a message to our newly created PGP key. The --recipient selects whose public key to encrypt to, which is whoever holds the matching private key; here it's ourselves.

gpg --armor --encrypt --recipient roger@rogeruiz.com --output encrypted.txt.lock decrypted.txt

Encrypting a message using GPG with symmetric keys
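As an added example (not from the original gist), here is the passphrase-only variant of the flow above using gpg --symmetric: no key pair is involved, so whoever holds the passphrase can decrypt, and the passphrase itself has to travel by a second channel. The helper names, the keyring directory handling and the demo passphrase are my own; the gpg flags are standard and assume gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original gist): passphrase-only ("symmetric")
# encryption with gpg --symmetric. No key pair is involved; whoever has the
# passphrase can decrypt, so the passphrase itself must travel out of band.
# Each helper takes a GNUPGHOME directory as its first argument so the demo
# never touches ~/.gnupg. Assumes gpg 2.1 or newer (pinentry loopback mode).
set -e

# Encrypt plaintext file $3 to ASCII-armored file $4 with the passphrase in $2.
# --batch --pinentry-mode loopback: read the passphrase from the file instead
# of opening a pinentry dialog. --cipher-algo AES256 pins the cipher instead of
# relying on the default. --armor makes output safe to paste into chat/e-mail.
gpg_symmetric_encrypt() {
  GNUPGHOME=$1 gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-file "$2" --symmetric --cipher-algo AES256 --armor \
    --output "$4" "$3"
}

# Decrypt armored file $3 to plaintext file $4 with the passphrase in $2.
gpg_symmetric_decrypt() {
  GNUPGHOME=$1 gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-file "$2" --decrypt --output "$4" "$3"
}

# Round-trip a message through a throwaway keyring directory; prints the
# decrypted text so the caller can compare it with what went in.
gpg_symmetric_roundtrip() {
  work=$(mktemp -d)
  mkdir -m 700 "$work/home"
  printf '%s' "$1" > "$work/decrypted.txt"
  # Constructed demo passphrase. For real use generate a random one, e.g.
  # `gpg --gen-random --armor 1 24`, and read it to the recipient over the phone.
  printf '%s' 'demo-passphrase-not-for-real-use' > "$work/pass.txt"
  gpg_symmetric_encrypt "$work/home" "$work/pass.txt" "$work/decrypted.txt" "$work/encrypted.txt.lock"
  rm "$work/decrypted.txt"                  # only the ciphertext is kept and sent
  gpg_symmetric_decrypt "$work/home" "$work/pass.txt" "$work/encrypted.txt.lock" "$work/decrypted2.txt"
  cat "$work/decrypted2.txt"
  GNUPGHOME=$work/home gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

# Usage: gpg_symmetric_roundtrip 'the message'
```

The trade-off versus the public-key flow: there is no key to import or fingerprint to check, but the passphrase is now the whole secret, so reading it out over the phone (one of the fallbacks listed at the top) is doing real work here and the passphrase should be as throwaway as the message.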

Decrypting a message using GPG

   ___                        __  _
  / _ \___ __________ _____  / /_(_)__  ___ _
 / // / -_) __/ __/ // / _ \/ __/ / _ \/ _ `/
/____/\__/\__/_/  \_, / .__/\__/_/_//_/\_, /
 ___ _  __ _  ___/___/_/_ ___ ____ ___/___/
/ _ `/ /  ' \/ -_|_-<(_-</ _ `/ _ `/ -_)
\_,_/ /_/_/_/\__/___/___/\_,_/\_, /\__/
           _             ____/___/ _____
 __ _____ (_)__  ___ _  / ___/ _ \/ ___/
/ // (_-</ / _ \/ _ `/ / (_ / ___/ (_ /
\_,_/___/_/_//_/\_, /  \___/_/   \___/
               /___/
 -d, --decrypt              decrypt data (default)

Using the -d flag we can decrypt the file we just encrypted, using the private key of our newly created PGP key pair.

gpg --decrypt --output decrypted2.txt encrypted.txt.lock

Exporting your public key

Passing the fingerprint along for the public key

Importing a public key

Signing a public key given to you

Deleting the key pair after use

Caveats

While you can set expiration dates on keys, you cannot on messages. This means that folks with your old private key can still decrypt those encrypted messages for as long as they have your old keys lying around. This is why it's important to generate single-use keys if you'd like to recreate the ephemeral nature of Fugacious.

Another caveat is that long-term PGP keys are a real hassle with very little benefit. Read more about it here.

Sharing messages with others

So far we've only been doing this locally on our machine. That's not super useful for replacing Fugacious. But we can leverage what we know about public and private keys and the previous commands to come up with interesting solutions. For this section, let's discuss and do some live coding to figure out how best to tackle this problem.

Let's begin by sharing our public key with folks and then encrypt and decrypt messages we share with one another.

Here's some useful documentation for this exercise:


rogeruiz commented Feb 5, 2018

Oh these are awesome comments @commit-dkp! Thanks!
