Document PGP, RAM Disks, and Symmetric Encryption #107
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,206 @@ | ||
| # Encryption | ||
| Various techniques for securely working with sensitive data on Linux. | ||
|
|
||
| <!-- contents box begin --> | ||
| <table> | ||
| <tr/> | ||
| <tr> | ||
| <td> | ||
| <p/> | ||
| <div align="center"> | ||
| <b>Contents</b> | ||
| </div> | ||
| <p/> | ||
| <!-- contents markdown begin --> | ||
|
|
||
| 1. [Asymmetric Encryption](#asymmetric-encryption) | ||
| 1. [Create a PGP Key Pair](#create-a-pgp-key-pair) | ||
| 1. [View Your Key Pair](#view-your-key-pair) | ||
| 1. [Share Your Public Key](#share-your-public-key) | ||
| 1. [Import a Public Key](#import-a-public-key) | ||
| 1. [Encrypt a Message](#encrypt-a-message) | ||
| 1. [Decrypt a Message](#decrypt-a-message) | ||
| 1. [Symmetric Encryption](#symmetric-encryption) | ||
| 1. [Encrypt](#encrypt) | ||
| 1. [Decrypt](#decrypt) | ||
| 1. [See Also](#see-also) | ||
|
|
||
| <!-- contents markdown end --> | ||
| <p/> | ||
| </td> | ||
| </tr> | ||
| </table> | ||
| <!-- contents box end --> | ||
|
|
||
| ## Asymmetric Encryption | ||
| Asymmetric encryption uses a pair of keys to encrypt and decrypt data, a public key that can be shared with anyone and a private key that needs to be kept secret. The public key is used to encrypt secret data, resulting in cyphertext that can be sent over the Internet. The recipient uses their private key to decrypt it. This is useful for securely sharing data with others. | ||
|
|
||
| To securely share secrets with others, for example to send service account credentials with a colleague on your team who does not use a [password manager](https://bitwarden.com), you can use PGP. | ||
|
|
||
| ### Create a PGP Key Pair | ||
| Before you can send or receive PGP messages, you need to create a key pair. You can do this with [GnuPG](https://gnupg.org). | ||
| 1. Install `gpg` if you don't already have it. | ||
| - On Debian-family Linux: | ||
| ```bash | ||
| sudo apt-get install -y gpg | ||
| ``` | ||
| - On macOS, you can install it using [Homebrew](https://brew.sh): | ||
| ```bash | ||
| brew install gnupg | ||
| ``` | ||
| - On Windows, you can install it using [Chocolatey](https://chocolatey.org): | ||
| ```powershell | ||
| choco install gpg | ||
| ``` | ||
| 1. Use your [password manager](https://bitwarden.com) to generate a strong, unique passphrase for your key pair. You will need this passphrase to decrypt messages. | ||
| 1. Generate a new key pair. | ||
| > When you run this next command, it will ask you for a passphrase to protect your key...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before running this command. | ||
| ```bash | ||
| gpg --batch --gen-key <<TXT | ||
| Key-Type: RSA | ||
| Key-Length: 4096 | ||
| Subkey-Type: RSA | ||
| Subkey-Length: 4096 | ||
| Name-Real: Bill Gates | ||
| Name-Email: [email protected] | ||
| Expire-Date: 2024-10-01 | ||
| TXT | ||
| ``` | ||
| If that command doesn't work for you then you can generate a key pair manually by answering some questions. Pick either "RSA and RSA" and use a key length of at least 2048 bits, or pick "ECC and ECC" and use `ed25519` or any `NSIT` curve with a key length of at least 256 bits. | ||
| ```bash | ||
| gpg --full-generate-key | ||
| ``` | ||
| On the last step, be sure to press `o` for "okay" to generate the key pair. | ||
|
|
||
| ### View Your Key Pair | ||
| You can see what key pairs you have on your computer using this command. | ||
| ```bash | ||
| gpg --list-keys | ||
| ``` | ||
|
|
||
| ### Share Your Public Key | ||
| You need to share your public key to receive encrypted messages. This command will print it out: | ||
| ```bash | ||
| gpg --armor --export [email protected] | ||
| ``` | ||
| You can then copy and paste the output into an email or IM, including the `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----` lines. Alternatively, you can save it to a file and attach that to your message. | ||
| ```bash | ||
| gpg --armor --export [email protected] > public-key.asc | ||
| ``` | ||
|
|
||
| ### Import a Public Key | ||
| If someone sends you their public key, you can import it using this command: | ||
| ```bash | ||
| gpg --import public-key.asc | ||
| ``` | ||
| Or, if you are copying and pasting it from an email or IM, you can do this: | ||
| ```bash | ||
| gpg --import <<TXT | ||
| ``` | ||
| Then paste the key block, and finish with: | ||
| ```bash | ||
| TXT | ||
| ``` | ||
| You will see their name, email, and key here: | ||
| ```bash | ||
| gpg --list-keys | ||
| ``` | ||
|
|
||
| ### Encrypt a Message | ||
| You can encrypt a message using someone's public key. This command will encrypt a file: | ||
| ```bash | ||
| gpg --encrypt --recipient [email protected] message.txt | ||
| ``` | ||
| This will create a new file in the current directory called `message.txt.gpg` which you can send to the recipient. | ||
|
|
||
| You can encrypt any file, such as an archive. | ||
| ```bash | ||
| gpg --encrypt --recipient [email protected] archive.tar.gz | ||
| ``` | ||
| This would create `archive.tar.gz.gpg`. | ||
|
|
||
| You can also encrypt text directly: | ||
| ```bash | ||
| echo 'Hello, World!' | gpg --encrypt --armor --recipient [email protected] | ||
| ``` | ||
| This will print out the encrypted message, which you can copy and paste into an email or IM. | ||
|
|
||
| You can securely delete your secrets with `shred`... | ||
| ```bash | ||
| shred -uvz example.txt | ||
| ``` | ||
| ...or `wipe`... | ||
| ```bash | ||
| wipe -fr example-dir | ||
| ``` | ||
| ...if you want. You may need to install them. | ||
|
|
||
| ### Decrypt a Message | ||
| If someone sends you a PGP message, you can decrypt it using your private key and passphrase. | ||
|
|
||
| To decrypt a file: | ||
| ```bash | ||
| gpg --decrypt message.txt.gpg | ||
| ``` | ||
| Or an archive: | ||
| ```bash | ||
| gpg --decrypt archive.tar.gz.gpg | ||
| ``` | ||
| This will leave the file in the current directory. | ||
|
|
||
| To decrypt text directly: | ||
| > When you run this command, it will ask you for your passphrase to decrypt the message...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before running this command. | ||
| ```bash | ||
| echo '-----BEGIN PGP MESSAGE-----' | gpg --decrypt | ||
| ``` | ||
| This will print out the message in your terminal. | ||
|
|
||
| ## Symmetric Encryption | ||
| Symmetric encryption uses the same key to encrypt and decrypt data. This is useful for encrypting data at rest, such as a backup file or a database dump. | ||
|
|
||
| > [!TIP] | ||
| > For particularly sensitive documents, you may wish to work with them in a [RAMdisk](./ramdisk.md) to avoid writing them to disk at all. | ||
|
|
||
| ### Encrypt | ||
| You can compress and encrypt a file using a symmetric key like this: | ||
| ```bash | ||
| gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 --compression bzip2 --bzip2-compress-level 9 example.txt | ||
| ``` | ||
| This will leave a file called `example.txt.gpg` in the current directory. | ||
|
|
||
| You can encrypt an archive like this. We will leave off the compression this time. | ||
| ```bash | ||
| gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 example.tar.gz | ||
| ``` | ||
| The output file would be `example.tar.gz.gpg`. | ||
|
|
||
| You can securely delete your secrets with `shred`... | ||
| ```bash | ||
| shred -uvz example.txt | ||
| ``` | ||
| ...or `wipe`... | ||
| ```bash | ||
| wipe -fr example-dir | ||
| ``` | ||
| ...if you want. You may need to install them. | ||
|
|
||
| ### Decrypt | ||
| Decryption is trivial with `gpg`. | ||
| ```bash | ||
| gpg --output example.tar.gz --decrypt example.tar.gz.gpg | ||
| ``` | ||
| You don't have to specify the cipher or digest algorithms, or the compression level, because `gpg` will figure that out from the encrypted file. | ||
|
|
||
| ## See Also | ||
| Internal resources. | ||
| - [./Tooling](./README.md) ⤴ | ||
| - [../Engineering](../README.md) ⤴⤴ | ||
| - [RAMdisk](./ramdisk.md) - work with files in memory for speed or privacy. | ||
|
|
||
| External resources. | ||
| - [Bitwarden](https://bitwarden.com) - password manager | ||
| - [GnuPG](https://gnupg.org) - the GNU Privacy Guard encryption, decryption, and signing tool | ||
|
|
||
| --- | ||
| > **_Legal Notice_** | ||
| > This document was created in collaboration with a large language model, machine learning algorithm, or weak artificial intelligence (AI). This notice is required in some countries. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| # RAMdisk | ||
| You can mount some of your computer's memory to your filesystem in order to perform read/write intensive tasks very, very quickly such as processing large JSON files, or to [work with sensitive documents](./encryption.md) that you don't want to risk writing to disk. This is called a RAM disk. | ||
|
|
||
| <!-- contents box begin --> | ||
| <table> | ||
| <tr/> | ||
| <tr> | ||
| <td> | ||
| <p/> | ||
| <div align="center"> | ||
| <b>Contents</b> | ||
| </div> | ||
| <p/> | ||
| <!-- contents markdown begin --> | ||
|
|
||
| 1. [Preparation](#preparation) | ||
| 1. [Creation](#creation) | ||
| 1. [Destruction](#destruction) | ||
| 1. [See Also](#see-also) | ||
|
|
||
| <!-- contents markdown end --> | ||
| <p/> | ||
| </td> | ||
| </tr> | ||
| </table> | ||
| <!-- contents box end --> | ||
|
|
||
| ## Preparation | ||
| Make a folder to mount the RAM disk to. | ||
| ```bash | ||
| sudo mkdir -p /mnt/ram | ||
| ``` | ||
| Take ownership of that folder. | ||
| ```bash | ||
| sudo chown "$USER:$USER" /mnt/ram | ||
| ``` | ||
| Put a file there so you can tell whether or not a RAM disk is mounted. | ||
| ```bash | ||
| echo 'WARNING: If you can see this, there is currently no RAM disk mounted!' > /mnt/ram/STOP.txt | ||
| ``` | ||
|
There was a problem hiding this comment. Alternatively what I like to do is remove permissions from the empty directory that will be the mount point. That will prevent reading or writing or even looking in to the directory until something is mounted there There was a problem hiding this comment. But then how do you know the mount point exists? Can you please provide an example, if you want me to add it? There was a problem hiding this comment. You don't need to add it. Basically something like Now it's impossible (non-root) to |
||
|
|
||
| Optionally, install `wipe` if you want to delete the contents of your RAM disk immediately instead of waiting for the system to overwrite it. | ||
| ```bash | ||
| sudo apt-get update | ||
| sudo apt-get install -y wipe | ||
| ``` | ||
|
|
||
| ## Creation | ||
| Mount a 16 GB RAM disk. | ||
| ```bash | ||
| sudo mount -o size=16G -t tmpfs none /mnt/ram | ||
| ``` | ||
| Verify your `STOP.txt` file is gone. | ||
| ```bash | ||
| ls -la /mnt/ram | ||
| ``` | ||
| Now you can work there. | ||
|
|
||
| ## Destruction | ||
| Optionally, you can overwrite the contents of your RAM disk immediately instead of waiting on your system to do it after unmounting. | ||
| ```bash | ||
| wipe -fr /mnt/ram/* | ||
| ``` | ||
| Unmount the RAM disk. | ||
| ```bash | ||
| sudo umount /mnt/ram | ||
| ``` | ||
| Verify your `STOP.txt` file is back. | ||
| ```bash | ||
| ls -la /mnt/ram | ||
| ``` | ||
|
|
||
| ## See Also | ||
| Internal resources. | ||
| - [./Tooling](./README.md) ⤴ | ||
| - [../Engineering](../README.md) ⤴⤴ | ||
| - [Encryption](./encryption.md) | ||
|
|
||
| --- | ||
| > **_Legal Notice_** | ||
| > This document was created in collaboration with a large language model, machine learning algorithm, or weak artificial intelligence (AI). This notice is required in some countries. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple other useful tips for basic encryption that aren't mentioned in here:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both added, with signing now being the default in my examples as it is good practice.