How to Use GPG to Securely Share Secrets with Your Team

A demonstration of sharing secrets securely using open source tools

Sanjeev Nithyanandam
Slalom Build
4 min read · Apr 15, 2021


Sharing confidential information is a necessity in today’s world, and learning to do it securely has never been more important. This post showcases two different scenarios of securing and sharing Secret Zero, a secret created to protect other secrets, with team members using GPG.

For these examples, we want something that is open source and does not take much time to set up and manage. PGP keys can be used to encrypt text and files; GPG (GnuPG) is an open-source implementation of the OpenPGP standard (see: Asymmetric encryption).

Let us consider a team “Alpha” that has team members Alice, Bob and Zac.

Below are steps that each team member follows:

  • Download and install GPG tools from here.
  • Create a new key pair with their name and email, and choose a passphrase.

Exchange Secrets

Once the key pair is created, each member shares their public key with the team.

From here there are two scenarios:

  1. A team member needs to share a secret with another member.
  2. Team members store and share a team-wide secret that everyone owns.

Scenario 1

Example: Zac would like to securely share a secret with Alice.

(i) Zac imports Alice’s public key

(ii) Zac encrypts the contents that need to be sent to Alice

Zac uses the GPG Services context menu, installed as part of GPG tools, to encrypt files or text, and selects Alice as the recipient.

Screengrab from OSX Installation of GPG tool — Encrypting a selection
Zac selecting Alice as a recipient to encrypt

(iii) Zac sends the encrypted message to Alice.

(iv) Alice decrypts the message using her secret key and passphrase.

Screengrab from OSX — Decrypting

Scenario 2

Example: Team Secret Sharing

Team members would like to store and share team-shared secrets between each other.

Bob thinks it’s a great idea to create a team key that can be used to encrypt shared secrets that the entire team needs to know. He creates one.

Bob creates a team Alpha keypair

Bob needs to share the newly created Team Alpha private key with his team members, Alice and Zac. Bob encrypts Team Alpha’s private key and passphrase with each member’s public key (see image below), so each member receives a copy only they can open. The Team Alpha public key can be shared openly with the team members, since public keys need not be protected.

Encrypting the team key to be sent to each team member separately

All team members have now securely received the team key file and passphrase sent by Bob, and each of them decrypts the content using their own secret key.

Anyone in the team can now encrypt shared secrets and store the encrypted contents in a place that each member of Team Alpha can access.

Shared secrets can also be encrypted with the team key, and the encrypted contents can then be stored and distributed safely within the team. Only those who hold the shared team key (and its passphrase) will be able to decrypt the contents.
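Both scenarios as typed on the gpg command line, as an added example that is not part of the original post: it assumes GnuPG 2.1 or later, gives each person a throwaway keyring, and the names, e-mail addresses, passphrases and secrets are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: both scenarios on the gpg command
# line with a throwaway keyring (GNUPGHOME) per person. Names, e-mail
# addresses, passphrases and the secrets are constructed for the demo.
set -eu

# Unattended key pair: $1 = name (e-mail is $1@example.com), $2 = passphrase, $3 = keyring dir.
gen_key() {
  GNUPGHOME="$3" gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" \
    --quick-generate-key "$1 <$1@example.com>" default default never 2>/dev/null
}
# Encrypt stdin for recipient $1 with keyring $2; ASCII-armored ciphertext on stdout.
encrypt_for() {
  GNUPGHOME="$2" gpg --batch --quiet --trust-model always --armor --encrypt \
    --recipient "$1@example.com" 2>/dev/null
}
# Decrypt stdin with keyring $2, unlocking the needed secret key with passphrase $1.
decrypt_with() {
  GNUPGHOME="$2" gpg --batch --quiet --pinentry-mode loopback --passphrase "$1" \
    --decrypt 2>/dev/null
}

# Runs scenario 1 then scenario 2 and prints what Alice reads in each (one per line).
demo() {
  alice=$(mktemp -d); bob=$(mktemp -d); zac=$(mktemp -d)
  gen_key alice alice-pass "$alice"; gen_key bob bob-pass "$bob"; gen_key zac zac-pass "$zac"
  # Alice shares her public key; Zac and Bob import it into their own keyrings.
  GNUPGHOME="$alice" gpg --batch --armor --export alice@example.com > "$alice/alice.pub"
  for kr in "$zac" "$bob"; do GNUPGHOME="$kr" gpg --batch --quiet --import "$alice/alice.pub" 2>/dev/null; done
  # Scenario 1: Zac encrypts to Alice; only Alice's secret key and passphrase can open it.
  s1=$(printf 'db-password-123' | encrypt_for alice "$zac" | decrypt_with alice-pass "$alice")
  # Scenario 2: Bob creates the Team Alpha key pair and exports its private key.
  gen_key team-alpha team-pass "$bob"
  GNUPGHOME="$bob" gpg --batch --quiet --pinentry-mode loopback --passphrase team-pass \
    --armor --export-secret-keys team-alpha@example.com > "$bob/team.sec"
  # Bob sends Alice the team passphrase (line 1) and private key, encrypted to her public key.
  { printf 'team-pass\n'; cat "$bob/team.sec"; } | encrypt_for alice "$bob" > "$bob/team-for-alice.asc"
  # Alice decrypts with her own key, then imports the team key into her keyring.
  decrypt_with alice-pass "$alice" < "$bob/team-for-alice.asc" > "$alice/team-bundle"
  tp=$(head -n 1 "$alice/team-bundle")
  tail -n +2 "$alice/team-bundle" | GNUPGHOME="$alice" gpg --batch --quiet \
    --pinentry-mode loopback --passphrase "$tp" --import 2>/dev/null
  # Any member encrypts a shared secret to the team key; Alice decrypts with the team passphrase.
  s2=$(printf 'shared-api-token' | encrypt_for team-alpha "$bob" | decrypt_with "$tp" "$alice")
  for kr in "$alice" "$bob" "$zac"; do GNUPGHOME="$kr" gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$kr"; done
  printf '%s\n%s\n' "$s1" "$s2"
}
```

Run `demo` to see the two recovered secrets; everything happens in temporary keyrings that are removed afterwards, so it does not touch your real ~/.gnupg.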

From the above scenarios you can see how GPG tools can easily protect secrets between two people or across an entire team. GPG is a great tool for securely protecting and storing Secret Zero.
