How to Share Sensitive Files With Your Colleagues

Matthew Marcos
Published in Station Five
Feb 24, 2019, 8 min read

If you work in a tech company, chances are you will come across the problem of sharing files that you want only one person to have access to. These files could contain secrets, such as passwords, credentials, API keys, or other sensitive information that if viewed by an unauthorised individual, could introduce a cataclysmic risk to your infrastructure.

In this article, I will introduce GPG (Gnu Privacy Guard) and how it can be used to encrypt a file so that only its intended viewer can access its contents. Then we will go through two hypothetical situations where this can be applied. Finally, I will touch on the basics of public key cryptography, and discuss some of its common use cases and the other problems it solves. I hope that after reading this article, you will appreciate how a few simple steps can mitigate one of the major security vulnerabilities you are possibly exposing your company to.

This is a technical article, so if you are a non-developer and struggle with the below, please feel free to leave a question in the comments.

What is GPG?

GPG is a command line tool that comes pre-installed in most Linux distributions. It is used by a lot of programs — such as your package manager — behind the scenes. It allows you to generate keys, which are files containing a seemingly random string of bytes, and to use those keys to encrypt and decrypt files.

What do I need to start using GPG?

To make use of GPG, you need to generate a key pair. By doing so, GPG will generate two files — a public key and a private key. These two files are important, so make sure you do not lose either of them. It is also important that nobody else has access to your private key. I will explain why shortly, but for now let us generate our key pair.

How to generate a public key

To generate a key pair, you must first open your terminal. Then type in the following command: gpg --full-gen-key. This is a one-off process, and once you have a key pair you do not need to make a new one unless you lose either one of them or they expire (you’ll have the option of setting an expiry later).

You want to select the default (1). If you’re wondering what the other key types do, here is a brief explanation.

After this, you will be asked to select the key length you want to generate. The longer the key length, the less likely your file can be brute-forced. The trade-off is that it will take a longer time for GPG to generate your keys. Since this is just a one-off process anyway, you might as well generate the longest possible key (4096).

You will be prompted to select the expiration date of your key.

This is something you have to decide on your own. The reason you are given the option to set an expiration date is so that when your computer gets compromised (or your key does — whether or not you’re aware of it), your key pair will become useless after that specified amount of time, and you don’t have to worry about it anymore. I believe that one year is pretty acceptable unless you change computers more frequently.

After specifying the expiration date, you will be prompted for some of your details. Since this key is something I will be using for work, I entered my company email. It was generated by my laptop, so I will add that to the comments so it can be differentiated from my desktop computer’s key. You will then be asked to enter a password for that key. You need this password every time you want to decrypt something, so make sure you do not forget it. Here’s a good guide on making secure passwords you won’t forget.

Sharing your public key

At this point, GPG should have generated your key pair. If you want people to send you files that only you can read, you need to give them your public key. They will use your public key to encrypt the file so that it is converted into a string of seemingly random bytes that will be useless to everybody but you. It does not matter if the whole world sees the encrypted file — they won’t be able to decipher its contents — unless they have the private key that matches the public key used to encrypt the file. This is why you should not share your private key (I cannot stress this enough).

Ideally you want people to have easy access to your public key. It is a good idea to attach it to your company email signature. Alternatively, there are trusted public registries that can make your public key accessible to everybody. Such a registry is like an online phone book: it maps your public key’s id (more on this later) to your public key. If someone wants to send you a file, they can just search for your public key id in that registry and then encrypt files for you.

To get your public key, type in gpg --armor --output public.gpg --export <email> in your terminal. In your working directory, you should see public.gpg, which is your public key. This is the file you want to share with your officemates. Your public key should look something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFxqeqwBEADltw2GDw3j+QYdT3hpSb1xyYao9GvqF8D1zxQ09LJTrlOpZ9YR
qVjIBGagcEwhHbEfKwTcwCLRDdK0gsKkfVnUEo16vPVvRP5BwFkLsQ5V2PkUqZqo
aB3rdGiYDfBngf2SRp9H0LWKdElE3splRh5PbgpIm4B1E6pm6Vw9egj5qf0cBnTI
Eti3+xjDDmibsn1o2q8XqHiO4iDRYWt6BGAfXBO59vOmKfRALh56YCPdgPWqTyf3
... <more text>
-----END PGP PUBLIC KEY BLOCK-----

To get your public key id, type gpg --list-secret-keys. You will get a listing of your keys similar to the screenshot below; your id is the long hexadecimal string printed with the sec entry (the one encircled in red).

One of the popular registries is https://pgp.mit.edu. You can submit your public key there. You then distribute your public key id among your colleagues — you can make an internal catalog for your company — and whenever they need to send you a secret, they just search for that id in the registry. Pretty neat, eh?

When someone wants to send you a file, they will have to encrypt it using your public key. Regardless of how they obtain your public key, once it is on their computer they can import it with the command gpg --import <public key filename>.

They should get something like this:

How to encrypt a file with a public key

Once the sender has imported the recipient’s public key, they can encrypt a file with the command gpg --output <encrypted file> --encrypt --recipient <receivers_email> <secret file you want to send>.

In our case let’s make a super secret file.

Then we encrypt it.

At this point, it should have generated an encrypted version of your secret file. This is the file they will want to send you because it won’t be useful to anybody else.

Just for comparison, let’s take a look at their file contents.

They can email the encrypted file to you and only you can decrypt it.

How to decrypt a file

Once you have received the encrypted file, viewing its contents is easy. You could run gpg --decrypt < nuclear_launch_codes.txt.gpg. GPG will prompt you for your password and display the decrypted contents to your screen. If it is a larger file, you can use the --output option to output the contents to a file.

With the --output option:

Checking for the contents:

There are many reasons to use encryption like this. First, there is the possibility of your email or whatever medium you use to send files being hijacked. Second, if the file was mistakenly sent to the wrong person, then you’re screwed. Finally, god forbid, you forget to lock your computer when you use the washroom in a coffee shop and someone decides to clone your hard drive (how overly paranoid can security engineers be?). At least they cannot decrypt the secret file, even with your private key, if they don’t have your password.

How will these risks be minimized when encryption has been used?

Let’s go through two hypothetical situations where we can use GPG to share secrets.

The first is a System Administrator giving a Software Engineer the credentials to the admin account of a client’s website in production. Ideally you want to control who has access to these credentials. You cannot just type sensitive information like this into your company’s Slack chat: when any member of the team backscrolls a little too far, there’s the possibility that it could catch the eye of a nearby individual with malicious intent.

The second is a lead software engineer sending a performance evaluation report of his team members to his immediate manager. As the lead software engineer, you are in constant communication with your team, and there’s the possibility of sending this report to the wrong person (who is directly involved with its contents). You want to minimize the consequences of human errors like these when they happen.

What is public key cryptography?

What we used here falls under what is called public key cryptography, the crux of which is that a public key and a private key are mathematically generated together such that you can use the public key to encrypt something and only the person holding the private key can decrypt it. There’s no real issue with your public key being disseminated across the interwebz, but the problem this poses is ensuring the validity of the public key (who really owns this key I am about to use?) — see man-in-the-middle attack. Therefore, third party registries like the aforementioned pgp.mit.edu were made to combat this issue.

Where else has public key cryptography been used?

Public key cryptography is used in the widely popular SSH and is a basis for TLS and other things we take for granted these days.

At any rate, I hope that you appreciate how you can save yourself (and your company) from a lot of the risks that sending in clear-text poses.
