Chronicles of two keys : GnuPG for the application developers

COEP FOSSMeet, 2018

 

CC-BY-SA 3.0

Introduction

Who am I?

#RightToPrivacy

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different from saying you don't care about free speech because you have nothing to say." -Edward Snowden.

Encryption

PGP

Pretty Good Privacy

https://gnupg.org/

The tale of two keys

  • Private key

  • Public key

Creating a key

$ gpg --gen-key

$ ls keydir/

openpgp-revocs.d  private-keys-v1.d  pubring.gpg  pubring.gpg~  trustdb.gpg

gnupg Python module

( Author: Isis Agora Lovecruft)

$ pip install gnupg

import gnupg

gpg = gnupg.GPG(homedir='keydir', binary='gpg')
input_data = { 'name_real': 'Anwesha Das',
    'name_email': 'anwesha@das.community',
    'expire_date': '2018-01-01',
    'key_type': 'RSA',
    'key_length': 4096,
    'key_usage': '',
    'subkey_type': 'RSA',
    'subkey_length': 4096,
    'subkey_usage': 'encrypt,sign,auth',
    'passphrase': 'sekrit'}

anwesha_input = gpg.gen_key_input(**input_data)
anwesha_key = gpg.gen_key(anwesha_input)

Encrypting the information

$ gpg -e -a filename

import gnupg

gpg = gnupg.GPG(homedir='keydir')
data = gpg.encrypt("This is the private message",
                   "945159F9CB21D17FDA34365D6FBE8CD504E770DF", armor=True)
print(str(data))
-----BEGIN PGP MESSAGE-----

hQIMA7kXakfjLhlcAQ//XT5TkVxq0DAYA5ezaD6DY9h0tIQIiHgcDHwmWzb7N6Aj
UKbpEukttWPnnBEdaSZOiQMyhQx0U8hyxrnxGireh688Hp48u+mpFjQVjUePRT0v
mPVgOiW3LdjxWiV57ksQJzXfNgamuxTebafqsHcfDxwXH1Vn3HjSVdUsON/+aQDH
8VHciGU72SV9z0KBfDYuzPBuVi6gk+orLjteVhltM6w+azY/mWObQXnUwMPlogkz
fxh8wfspMO8rUX1C6BLM07XTrlXlcCQjYZ/n+AsMazV3Pjq3nV02FTObFqIePkAC
6vCT39P19o9QsbJlGGVUzT305o0DfD0QR4OL5/ClNy6HBdNogCndSDB0Jbik5Cyp
Fv1RE6hJu3+91Oi93u/aHZ1dKODTgMdEJvyZLbKZLXXGROnF2ZZ5sWuwZ0jPoihs
OS51yQEGjdJBVys7yqh9VvDd+grTGzGuLf6q3MNp+8ZNoen/yHbx6yzomp5QJdGe
hKyyuHZtAp/m7Z8ygl6VjawNdN+yTZibkyybk0/yJd6UfU3euhF/bORqHGGyalp3
NFOSpytk3lzKpChspFBj4C7EmaFbS7ztSaSZsga/Czh3u1zL5VfQgej3vLW97BAm
CHnIMgj+BA63XLKEhFJnIOYNeDGzMIWtINEEfO/3SPCn9wDVoaVPd5FcU/k+WYTS
VQFNFoB9eAYddR6WoSRsfLcNXpTdSTFCiAfge1NV8EbfDRuYhDnxHv+BN9DCDsYG
dh7Cc8MX+JO8zCEQHM30i24+rINbsaoT5hDKlxKvLIWn6uVk4w4=
=I9h6
-----END PGP MESSAGE-----

Decrypt the information

$ gpg -d filename.asc

import gnupg

gpg = gnupg.GPG(homedir='keydir')

msg = """-----BEGIN PGP MESSAGE-----

hQIMA7kXakfjLhlcAQ//XT5TkVxq0DAYA5ezaD6DY9h0tIQIiHgcDHwmWzb7N6Aj
UKbpEukttWPnnBEdaSZOiQMyhQx0U8hyxrnxGireh688Hp48u+mpFjQVjUePRT0v
mPVgOiW3LdjxWiV57ksQJzXfNgamuxTebafqsHcfDxwXH1Vn3HjSVdUsON/+aQDH
8VHciGU72SV9z0KBfDYuzPBuVi6gk+orLjteVhltM6w+azY/mWObQXnUwMPlogkz
fxh8wfspMO8rUX1C6BLM07XTrlXlcCQjYZ/n+AsMazV3Pjq3nV02FTObFqIePkAC
6vCT39P19o9QsbJlGGVUzT305o0DfD0QR4OL5/ClNy6HBdNogCndSDB0Jbik5Cyp
Fv1RE6hJu3+91Oi93u/aHZ1dKODTgMdEJvyZLbKZLXXGROnF2ZZ5sWuwZ0jPoihs
OS51yQEGjdJBVys7yqh9VvDd+grTGzGuLf6q3MNp+8ZNoen/yHbx6yzomp5QJdGe
hKyyuHZtAp/m7Z8ygl6VjawNdN+yTZibkyybk0/yJd6UfU3euhF/bORqHGGyalp3
NFOSpytk3lzKpChspFBj4C7EmaFbS7ztSaSZsga/Czh3u1zL5VfQgej3vLW97BAm
CHnIMgj+BA63XLKEhFJnIOYNeDGzMIWtINEEfO/3SPCn9wDVoaVPd5FcU/k+WYTS
VQFNFoB9eAYddR6WoSRsfLcNXpTdSTFCiAfge1NV8EbfDRuYhDnxHv+BN9DCDsYG
dh7Cc8MX+JO8zCEQHM30i24+rINbsaoT5hDKlxKvLIWn6uVk4w4=
=I9h6
-----END PGP MESSAGE-----
"""

decrypted = gpg.decrypt(msg, passphrase="sekrit")
print(str(decrypted))

Sign a file

import gnupg

fingerprint = "945159F9CB21D17FDA34365D6FBE8CD504E770DF"
gpg = gnupg.GPG(homedir='keydir')
with open("hello.txt", "r") as fobj:
    signed = gpg.sign(fobj,
                default_key=fingerprint,
                passphrase="sekrit")

with open("hello.txt.asc", "w") as fobj:
    fobj.write(signed.data)

$ gpg --clearsign filename.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is Hello message.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZtXbUAAoJELkXakfjLhlcOU0P/i3CielLamyKRF5lQOf87CRb
p22G78TcfHfradqLuzAoAgc8rIaKnV6O12J4UQH7+jX7+4UzrU5nweqHLt/maOHs
X+aN9In1VXWfRMwx6eBLAG4FVY8Oph2L7KyuHOXBLefy5Lm1qFqvXJnvzs9q4UQ4
1qlgiZd809sn0pLPLa+/5WdpdtPDKYCmWwrQsoppoROMMIQa/XVbf0hwmICYY5Fh
4hDmxErSeZ9Z4XN3Uo7TTINSgFTu3nBgSr8GwTmAfRjt8BsAKc/9x2Q++/yJgedZ
2Zo6ngI9C/4CgzDpp9FjJsuajOalpFLOcHCoKIkIz2ARK5FC7kdrXrySMhIu84w+
cd4itkTEMRNI3WUGlKiLmg49rZYucwLgMERF9oOzRbNtIin8hOAF3E29UnamqtG+
uK76UdIff7vygbjUG1PZqOHeG3uyYiWuqCkoUdTGGmzBph8W4MSRL+TpRdTAOqPw
L/jeJ7TNL9OBSVb1RO7iqAxAr4mkDt9ysJwbr1tSlxvndLQGAULQ1+OBtPBoXYkr
zWVi8wNmAbxVR22hh9xh9pOLkDuW9aXA2ie+b8SSu+IgRUqfIXpbR7lQQNL/DEPW
/FLh70gsIsaBfHajpDpGDGrBiuXmol9W4rV5yjbfskQAnZRu0w+dUV06dWm5M19L
ko4hWxOhKN+tqOw5z+lt
=Z4n4
-----END PGP SIGNATURE-----

Verify

$ gpg --verify filename.txt.asc

import gnupg

gpg = gnupg.GPG(homedir='keydir')
with open("hello.txt.asc", "r") as fobj:
    status = gpg.verify_file(fobj)


print(status.valid)

A few points to remember

  • If possible encrypt on memory
  • Only save the encrypted file on disk
  • Do not keep the Private key in the same web-app server
  • Use a very strong passphrase

Stay safe

stay secure

and see you online

Thank you

@anweshasrkr

GnuPG for developers

By dascommunity

GnuPG for developers

  • 1,031