Security, Today I Learned

Encrypting Files

Today I was doing some research into the best way to encrypt files. My main use case was to encrypt my database backups prior to uploading them to cloud storage. So my criteria were:

  • Could be run from the command line as most of my servers are Linux.
  • I didn’t want to give the password as a command line option as this is a potential security vulnerability.
  • Needed to work across platform as I might need to decrypt these files on many different computers e.g. Window, Macs, Linux.

I ended up rediscovering GPG. This is something I played with a long time ago but had forgotten about. I could see straight away it fit the bill. Each key created actually comes with two keys, a public key and a private key. For someone to encrypt a file that only you can read they only need the public key. In order to decrypt the file you need the private key.

I have a server running MySQL and I want to encrypt the database backups so the plan would be:

  • Create a key
  • Upload the public key to the server
  • Change the Trust Level of the key (explained later)
  • Encrypt the file.

My day to day machine is a macbook and I saw that there’s a package which has a bundle of tools to make life easier so I downloaded and installed that. It’s called GPGTools.

The first thing I opened was GPG Keychain as it helps with managing keys. It made it very straightforward.

Create a Key

  • Click New
  • Give it a:
    • Name
    • Email Address
    • A Good Password
  • Click ‘Generate Key’

Uploading the Key

In order to encrypt files using this key I need it’s public key on my server. First I exported the public part using GPG Keychain by right clicking on it and choosing ‘Export’. This saves an ASCII file to the location you specify. To move it to the server you could use SCP, FTP or something similar. I just opened it in a text editor, copied it to my clipboard and pasted it into nano on my server.

Importing the Key

On the server I imported the key:

gpg --import <filename>

To check it’s imported ok you can run the list keys command:

gpg --list-keys

Change the Trust Level

We need to be able to script GPG to encrypt the file without any user interaction as this will be running as a cronjob on the server. For that you need to change the Trust Level of the key.

gpg --edit-key [email protected]

This opens a gpg command line tool. Here just run the ‘trust’ command and select ‘5’ from the list of options. Then confirm with ‘y’.

gpg> trust
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Encrypt the File

You should now be ready to encrypt your first file.

gpg 
   --output <output_file_name> 
   --encrypt 
   --recipient <email_of_recipient> <input_file_name>

So using the above command to encrypt a file called test.txt into a file called test.txt.gpg for [email protected]:

gpg 
   --output test.txt.gpg 
   --encrypt 
   --recipient [email protected] test.txt