gpg-team
gpg-team is a very simplistic gpg wrapper that aids in encrypting and re-encrypting files based on a recipients list (recipients.txt).
The purpose of this script is to provide a simple, gpg-based solution that small teams can use to handle sensitive information (like database connections or other credentials): it encrypts new files and (quickly) re-encrypts already encrypted files in case the recipients change (e.g. a new team member, or changed permissions).
Installation:
Just clone the repo and use the make utility:

```shell
git clone https://github.com/dariusjonda/gpg-team.git
cd gpg-team
make clean install
```

gpg-team should now be installed in ~/.local/bin/gpg-team.
Usage:
- cd gpg-team to get into the repo directory.
- Create a recipients.txt file in the main project directory containing the recipients that are used for encryption. Each recipient needs to be on its own line.
Encrypting a new file: this should be used on a file that is plain text and not encrypted yet.

```shell
gpg-team -e recipients.txt file
```

Note: after successful encryption you will be asked whether to keep the plaintext file or not. Please make sure to delete plaintext files containing credentials so that they cannot be read by anyone else who gets access to the directory.

Re-encrypting a single file: this should be used on an already encrypted *.gpg file in case you want to re-encrypt it using an updated recipients list.

```shell
gpg-team -r recipients.txt file.gpg
```

Re-encrypting all files: this should be used in case all the gpg files in the present directory should be re-encrypted.

```shell
gpg-team -a recipients.txt
```

Note: only do this if you are sure that every file needs to be re-encrypted!
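As an added example (not the gpg-team project's own script), the following POSIX shell functions do what the -r mode above describes: read recipients.txt, check that every recipient has a public key in the local keyring, and re-encrypt a .gpg file for the current list. Skipping blank lines and '#' comments in recipients.txt, and the function names, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the gpg-team project's own code. Works with a
# recipients.txt-style file (one recipient per line, as the README says);
# skipping blank lines and '#' comments is this example's own assumption.

# Print the cleaned recipient list, one per line.
recipient_list() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Number of recipients that would be used. Check it before a bulk
# re-encryption: a truncated list silently locks people out.
recipient_count() {
    recipient_list "$1" | wc -l | tr -d ' '
}

# Re-encrypt an existing .gpg file for the current list. Every recipient
# must have a public key in the keyring, otherwise nothing is touched.
# The plaintext exists only in a temporary file during the encryption.
reencrypt() {
    rcpts="$1"; src="$2"
    set --                          # becomes: --recipient a --recipient b ...
    while IFS= read -r r; do
        [ -n "$r" ] || continue
        gpg --batch --list-keys "$r" >/dev/null 2>&1 \
            || { printf 'no public key for %s\n' "$r" >&2; return 1; }
        set -- "$@" --recipient "$r"
    done <<EOF
$(recipient_list "$rcpts")
EOF
    [ $# -gt 0 ] || { echo "empty recipients list" >&2; return 1; }
    plain="$src.plain.$$"; out="$src.new.$$"
    gpg --batch --output "$plain" --decrypt "$src" || return 1
    if gpg --batch --yes --output "$out" --encrypt "$@" "$plain"; then
        rm -f "$plain" && mv "$out" "$src"
    else
        rm -f "$plain" "$out"; return 1
    fi
}

# Demo on a constructed recipients file (no gpg needed for this part).
demo=$(mktemp)
printf '# team\nalice@example.com\n\n  bob@example.com\n' > "$demo"
echo "recipients: $(recipient_count "$demo")"   # 2
recipient_list "$demo"
rm -f "$demo"
```

Call it as reencrypt recipients.txt file.gpg. Re-encrypting only changes who can open this copy of the file; a removed team member can still read any copy or backup of the old ciphertext they already hold, so the credentials inside it should be rotated as well.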
Creating a new GPG keypair:
The following command will create a new secret key based on the default parameters used by gpg (RSA2048 and expiry in two years). To have more control over the options, use gpg --full-generate-key.

```shell
gpg --generate-key
```

For identification purposes you need to enter your name and email address. Please use your real name / email address so that others can easily identify you when encrypting data for you.
Check your GPG secret key:
Check if your key has been successfully created by typing:

```shell
gpg --list-secret-keys
```
Export your public key:
In order for others to encrypt data for you, they will need your public key. The public key can be exported using the following command. We use the --armor flag to get it in ASCII-armored format (plain text rather than binary) so that the contents can also be copied & pasted in case we need to:

```shell
gpg --export --armor your-email-address > ~/my-name_public-key.asc
```
Import the public key from another person:
If you intend to encrypt files for other people, you need to have their public key in your keychain (check with gpg --list-keys). You can import public keys using the following command:

```shell
gpg --import name-of-public-key.asc
```
Encrypt a file for someone else:
To encrypt a file for someone else from your keychain (a person whose public key you have already imported) you can use the --encrypt (short -e) and --recipient (short -r) flags:

```shell
gpg --encrypt --recipient email-or-name-of-recipient file-to-encrypt
```

You can also skip the recipient flag, in which case gpg will prompt you for the recipient after you enter the command.
Decrypt a file:
If the file has been properly encrypted using your public key, you should now be able to decrypt its content using your private key. To do so, just use the --decrypt (short -d) flag:

```shell
gpg --decrypt file-to-decrypt.gpg
```

This will output the content in the terminal. If you want to store it in a file, just write it to another file:

```shell
gpg --decrypt file-to-decrypt.gpg > decrypted-filename.txt
```
Check for existing GPG secret keys on server #1:
Check for existing secret keys first and look for the email address of the GPG key you want to export. In case you are not sure whether GPG private keys are already installed, repeat that process on server #2 as well.

```shell
gpg --list-secret-keys
```
Export GPG secret key from server #1:
Export your secret key by referring to its email address. Instead of secret_key.gpg you can use any filename you want.

```shell
gpg --export-secret-keys your-email-address > ~/secret_key.gpg
```
Transfer GPG secret key:
In order to import this secret key on another server, we have to move it there. Either use SCP (if you can SSH into the other server) or use a network drive as a temporary location to store your secret key (remember to delete the secret key after you're done!). In this example we move the file to /nfs/shared_drive/ (you can use that directory as well):

```shell
mv ~/secret_key.gpg /nfs/shared_drive/
```

The secret_key.gpg should now be stored under /nfs/shared_drive/. Either confirm that with the ls command or use your file explorer.
Import GPG secret key on server #2:
Open the terminal somewhere on server #2 and import the secret key that you have (temporarily) exported:

```shell
gpg --import /nfs/shared_drive/secret_key.gpg
```

Doing so will prompt pinentry to enter your GPG password. If the password was entered correctly, you will get the notification that the import was successful, and you should be able to view the secret key in your gpg keychain by typing:

```shell
gpg --list-secret-keys
```

If you can see the gpg secret key in your keychain, proceed further. Otherwise go back and repeat the previous steps.

DO NOT FORGET TO DELETE YOUR SECRET_KEY THAT YOU STORED ON THE NETWORK DRIVE if you haven't done so already:

```shell
rm /nfs/shared_drive/secret_key.gpg
```
Trust your GPG key:
Before using the newly imported GPG key, trust it first:

```shell
gpg --edit-key your-email-address
```

This will open a GPG prompt. Type trust -> 5 -> y -> save to trust it ultimately and save your changes. If done correctly this should close the GPG prompt.