GPG With Multiple Recipients
This is how to store sensitive information (e.g. SSL key passphrases) in a GPG encrypted file with multiple recipients. If you’re using git to store the file (which you probably should be), always do a git pull before doing any changes. These files are binary and therefore merges are very difficult otherwise.
Setting up your GPG key
Almost every server and desktop distro already has GPG installed. If you want to do this on Windows then Google is your friend.
$ gpg --gen-key
The following settings should be good to go:
- Keysize 4096 (cpu is cheap, and the NSA/GCHQ have lots of it)
- 5y (5 years)
There is no harm in having multiple email addresses (UIDs) and/or mixing work/home.
Pick a sensible passphrase (see the following link but do not use correct horse battery staple). https://xkcd.com/936/
Back up your key somewhere sensible and don’t forget your passphrase (there’s no recovery option).
Find your key ID:
$ gpg --fingerprint email@example.com pub 4096R/18BCAD4F 2014-03-24 [expires: 2019-03-23] Key fingerprint = 47AF 7F1F 7902 3375 A928 D4E1 2093 6706 18BC AD4F uid Tom Taylor <firstname.lastname@example.org> uid Tom Taylor <email@example.com> sub 4096R/BEAE11DC 2014-03-24 [expires: 2019-03-23]
In the above example, the key ID is 18BCAD4F
Send it to the public key servers
$ gpg --keyserver hkp://pgp.mit.edu --send-key KEYNAME
Then ideally get it signed by some of your colleagues and re-uploaded. pius is a really good tool for doing this easily.
Also, it’s a good idea to generate a revokation certificate and store it with your gpg setup.
$ gpg --output .gnupg/revoke.asc --gen-revoke KEYNAME
Installing GPG plugin for vim
This is the easiest bit and will save you from a lot of the pain that comes with using GPG.
$ mkdir ~/.vim/plugins $ wget -O ~/.vim/plugins/gnupg.vim http://www.vim.org/scripts/download_script.php?src_id=12200
This allows you to open an already encrypted file as if it were an ordinary text file if you have a gpg agent running. If not then you are prompted for your passphrase
Saving a new encrypted file
First, make sure you have a copy of all of the public keys of the other people wou want to share information with. To get these, run
$ gpg --recv-key THEIRKEYID
You can check what you have already got with
$ gpg --list-keys
Save your file as a regular text file and then run the following command to encrypt
$ gpg --encrypt --recipient PERSONAKEY --recipient PERSONBKEY --recipient PERSONCKEY file
Your new file will be called file.gpg. Now delete the original and store the gpg file in git! Revision control is very important.
Working with an encrypted file
The aforementioned vim plugin makes this super easy. Just vim file.gpg and the plugin deals with all fo the work. Save as normal, commit and push.