Chronicles of two keys: GnuPG for the application developers
COEP FOSSMeet, 2018
CC-BY-SA 3.0
Introduction
Who am I?
#RightToPrivacy
“Arguing that you don't care about the right to privacy because you have nothing to hide is no different from saying you don't care about free speech because you have nothing to say.” - Edward Snowden
Encryption
PGP
Pretty Good Privacy
https://gnupg.org/
The tale of two keys
- Private key
- Public key
Creating a key
$ gpg --gen-key
$ ls keydir/
openpgp-revocs.d private-keys-v1.d pubring.gpg pubring.gpg~ trustdb.gpg
gnupg Python module
(Author: Isis Agora)
$ pip install gnupg
import gnupg
gpg = gnupg.GPG(homedir='keydir', binary='gpg')
input_data = {'name_real': 'Anwesha Das',
              'name_email': 'anwesha@das.community',
              'expire_date': '2018-01-01',
              'key_type': 'RSA',
              'key_length': 4096,
              'key_usage': '',
              'subkey_type': 'RSA',
              'subkey_length': 4096,
              'subkey_usage': 'encrypt,sign,auth',
              'passphrase': 'sekrit'}
anwesha_input = gpg.gen_key_input(**input_data)
anwesha_key = gpg.gen_key(anwesha_input)
Encrypting the information
$ gpg -e -a filename
import gnupg
gpg = gnupg.GPG(homedir='keydir')
data = gpg.encrypt("This is the private message",
                   "945159F9CB21D17FDA34365D6FBE8CD504E770DF", armor=True)
print(str(data))
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
Decrypt the information
$ gpg -d filename.asc
import gnupg
gpg = gnupg.GPG(homedir='keydir')
msg = """-----BEGIN PGP MESSAGE-----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=I9h6
-----END PGP MESSAGE-----
"""
decrypted = gpg.decrypt(msg, passphrase="sekrit")
print(str(decrypted))
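As an added example (not from the slides), here is a small pure-Python parser for the ASCII armor that gpg.encrypt(..., armor=True) and gpg --clearsign emit: it separates the BEGIN/END lines, any "Key: Value" headers such as Hash: SHA512, the base64 body and the "=" trailer (the =I9h6 line above is a CRC-24 over the binary payload, RFC 4880 section 6.1), and rejects a block whose checksum does not match. The payload used in the round-trip is constructed; a web app can run dearmor() on a message received from a client before handing it to gpg.decrypt() so truncated or mangled input fails fast and loudly.

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1; the "=I9h6" trailer is this value base64-encoded.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """OpenPGP CRC-24 over the binary (dearmored) payload."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload, kind="MESSAGE"):
    """Wrap binary OpenPGP data in ASCII armor with a CRC-24 trailer."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP %s-----" % kind, ""] + lines
                     + ["=" + check, "-----END PGP %s-----" % kind, ""])


def dearmor(text):
    """Return (kind, headers, payload) for the first complete armored block in text.
    Raises ValueError if the block is malformed or its CRC-24 does not match."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----",
                  text, re.S)
    if not m:
        raise ValueError("no armored block found")
    kind, inner = m.group(1), m.group(2).splitlines()
    headers, i = {}, 0
    while i < len(inner) and ":" in inner[i]:   # "Hash: SHA512"-style header lines
        key, _, value = inner[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    body = [line.strip() for line in inner[i:] if line.strip()]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: armored data corrupted or truncated")
    return kind, headers, payload
```

On a clearsigned file the regex skips the SIGNED MESSAGE part (it has no matching END line) and returns the PGP SIGNATURE block, which is the only armored payload in it.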
Sign a file
import gnupg
fingerprint = "945159F9CB21D17FDA34365D6FBE8CD504E770DF"
gpg = gnupg.GPG(homedir='keydir')
with open("hello.txt", "r") as fobj:
    signed = gpg.sign(fobj,
                      default_key=fingerprint,
                      passphrase="sekrit")
# signed.data is bytes; str(signed) gives the armored signature text
with open("hello.txt.asc", "w") as fobj:
    fobj.write(str(signed))
$ gpg --clearsign filename.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is Hello message.
-----BEGIN PGP SIGNATURE-----
[signature body omitted]
=Z4n4
-----END PGP SIGNATURE-----
Verify
$ gpg --verify filename.txt.asc
import gnupg
gpg = gnupg.GPG(homedir='keydir')
with open("hello.txt.asc", "r") as fobj:
    status = gpg.verify_file(fobj)
print(status.valid)
A few points to remember
- If possible, encrypt in memory
- Save only the encrypted file to disk
- Do not keep the private key on the same server as the web app
- Use a very strong passphrase
Stay safe
stay secure
and see you online
Thank you
@anweshasrkr
GnuPG for developers
By dascommunity