Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Instructions on how to encrypt your documents and share them with collaborators

Getting started with encryption of documents

What is the problem

If you work with sensitive (human) data (e.g. anything that contains an identifier of an individual), you occasionally want to share that data. The most straightforward way to do so is to send them by email (and yes - we are all guilty of that!). The problem arises, if the data get into wrong hands. Let's say you send the email accidentally to the wrong person. Or worse, without your knowledge, the email gets into the wrong hands.

The good news is, that there is a secure & handy solution for this. But let's first have a look at some other solutions.

What about dropbox and other file hosting systems?

One (common) option is, to dump the data onto a file hosting site (like dropbox) and allow only certain users to access the files. This is considered unsafe, mostly due to multiple security incidents. You are essentially relying on a company's capacity to take care of your privacy ¯\_(ツ)_/¯.

And SwitchDrive? Collaborators of Swiss universities have access to this service to store and share data. Data transfer is protected by SSL. Files can be either made public or shared with other Switch users. In both cases files can be password protected and have a download expiration date assigned. If the files are shared with another Switch user, this is probably a safe option, but making it public + password protected and then sending the link and a password to an external collaborator, is not safe (see 👆 what can happen to emails).

So if dropbox & co are not a safe option to share sensitive data, despite safer options, why are they then still heavily used?

I believe that one reason lies in the whole packaging. Dropbox is easy to install, to use and offers another benefit too (storage). Encryption on the other hand - although easy to install and use - is considered nerdy and thus not easy to use. But it totally is, which is what I want to show with this post.

The easy way

If this (the hard way 👇) is too complicated, then go for either

  • ProtonMail which has encryption by default (hat tip by Jean-Pierre Ghobril). It is probably the easiest & safest solution, but requires you and the recipient to create an account and send and receive your emails from there.
  • keybase.io

The hard way: Asymmetric encryption via GPG & terminal

Let's get back to the solid solution: encryption of documents. For this we need PGP keys. PGP keys are used to encrypt the documents before sending them by email (or sharing them via a server).

What is encryption? Here is a < 5 min video explaining asymmetric encryption. It starts by explaining symmetric encryption and goes on to compare asymmetric encryption to a mailbox on the street.

Asymmetric encryption is actually very easy to do, independent of platforms. There are a handful of options for encryption, but here we will use GPG. All you need to do is:

  1. Create yourself a pair of keys: a private key 🔑 and a public key 🔐 (this is nice to have, but is not really needed if you are the person sending the document)
  2. Tell the recipient of the document to do the same: create a private key 🔑 and a public key 🔐
  3. Exchange the public keys: 🔐 ↔️ 🔐
  4. Encrypt the file with the public key of the recipient : 🔐 + 📄
  5. Share the encrypted file however you want (email, file hosting, ...): 📧
  6. The recipient will then decrypt the file with the private key: + 🔑📄

Below are detailed instructions on how to encrypt a document. It is most convenient to use a terminal for this.

Instructions

Provide the recipient of the document with instructions

To simplify life for the recipient, you can send these instructions.

Install GPG

MacOSX: brew install -v gpg

Linux: sudo apt-get install gnupg2

Windows: Best is, if you install git bash. This will give you git, but also gpg. (If you are not familiar with a terminal, there is www.gpg4win.org.)

Create a private 🔑 and a public key 🔐

The person receiving the document needs to have a set of keys. Strictly speaking, you, the sender of the document, do not really need to generate a set of keys, but for the sake of illustration, we do it nevertheless.

Generate a set of keys:

gpg --gen-key

Here you will give your name, family name and your email address.

Exchange the public keys: 🔐 ↔️ 🔐

There is an option to use a server for this. But we will stick to the terminal.

Export your public key

gpg --export -a "Your Name" > your.key

Send your public key your.key to the recipient.

The recipient can now import the your public key:

gpg --import your.key

Ask the recipient to do the same and send you the public key, which you then need to import.

Now you know each others public keys that you can use using the name "My Name" or "Recipient Name", or via the email address that is also attached to the public key.

Encrypt the file with the recipient's public key: 🔐 + 📄

Let's first generate a toy document:

echo "This is confidential data" > data.txt

Now we are ready to encrypt the file. These three are all leading to an identical results:

gpg --encrypt --recipient "Recipient Name" data.txt

gpg -e -r "Recipient Name" data.txt

gpg --encrypt --recipient recipient@email.com data.txt

Now send or upload the encrypted file data.txt.gpg.

Recipient: Decrypt the file with the private key: 📄 + 🔑

The recipient can now decrypt the document using the follwing command.

gpg -o data.txt -d data.txt.gpg

shasum

And while we are at it, let's get into the habit of using sha256sum.

Applying sha256sum to a file, will return some sort of unique identifier/summary of that file (called hash), and sending this identifier file along with the original file will help checking if the file has been fully transferred (e.g. download via a server).

Here is a mini example that you can try in a terminal:

echo "This is your data" > myfile.txt  ## this creates a text file
shasum -a 256 myfile.txt > hash.txt    ## this creates a string we store along with the text file
shasum -c hash.txt                     ## this is the command somebody would use that has downloaded or received the text file. Should return OK

Instructions to receive encrypted documents

You are about to receive encrypted documents from a collaborator and a couple of actions are needed from your side to make this happen.

Why is encryption needed?

Transferring sensitive data by e-mail or file hosting services can be risky, as the content could be accessed by an unwanted third party.

Encryption of a document ensures that the content can only be read by the recipient of the document. To everyone else, the document will look like gibberish.

You find a more detailed explanation on why encryption is needed here.

The easy way

If this (the hard way 👇) is too complicated, then go for either

  • ProtonMail which has encryption by default (hat tip by Jean-Pierre Ghobril). It is probably the easiest & safest solution, but requires you and the sender to create an account and send and receive your emails from there.
  • keybase.io

The hard way: encryption via GPG & terminal

With the instructions below, you will install GPG and generate a set of keys: a private key 🔑 and a public key 🔐 using GPG.

What your collaborator needs from you, is the public key 🔐. The public key will enable your collaborator to encrypt the document: 🔐 + 📄.

With the private key, you will be able to decrypt the encrypted document that the collaborator sends you: 🔑 + 📄.

Operating system

The instructions of GPG depend on whether you use Linux, macOS or Windows.

Linux

1. Install GPG

sudo apt-get install gnupg2

2. Generate a set of keys

The following command will generate a set of private key 🔑 and a public key 🔐

gpg --gen-key

Here you will give your name, family name and your email address.

3. Exchange the public keys: 🔐 ↔️ 🔐

There is an option to use a server for this. But let's stick to the terminal.

Export your public key

gpg --export -a "Your Name" > your.key

Send your public key your.key to the collaborator.

4. Decrypt the file with the private key: 📄 + 🔑

Once you receive the encrypted document (by email or a file hosting service) you can decrypt the file with the private key: 🔐 + 📄. The file will have a .gpg extension added to the standard file name. For example, data.txt.gpg, if the original file is data.txt.

gpg -o data.txt -d data.txt.gpg

macOS

1. Install GPG

2. Generate a set of keys

The following command will generate a set of private key 🔑 and a public key 🔐

gpg --gen-key

Here you will give your name, family name and your email address.

3. Exchange the public keys: 🔐 ↔️ 🔐

There is an option to use a server for this. But let's stick to the terminal.

Export your public key

gpg --export -a "Your Name" > your.key

Send your public key your.key to the collaborator.

4. Decrypt the file with the private key: 📄 + 🔑

Once you receive the encrypted document (by email or a file hosting service) you can decrypt the file with the private key: 🔐 + 📄. The file will have a .gpg extension added to the standard file name. For example, data.txt.gpg, if the original file is data.txt.

gpg -o data.txt -d data.txt.gpg

Windows

1. Install GPG

Best is, if you install git bash. This will give you git, but also gpg.

If you are not familiar with a terminal, there is www.gpg4win.org with a proper user interface.

2. Generate a set of keys

The following command will generate a set of private key 🔑 and a public key 🔐

gpg --gen-key

Here you will give your name, family name and your email address.

3. Exchange the public keys: 🔐 ↔️ 🔐

There is an option to use a server for this. But let's stick to the terminal.

Export your public key

gpg --export -a "Your Name" > your.key

Send your public key your.key to the collaborator.

4. Decrypt the file with the private key: 📄 + 🔑

Once you receive the encrypted document (by email or a file hosting service) you can decrypt the file with the private key: 🔐 + 📄. The file will have a .gpg extension added to the standard file name. For example, data.txt.gpg, if the original file is data.txt.

gpg -o data.txt -d data.txt.gpg

Would you like to send encrypted files too?

Great!

Follow these instructions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment