enthuguy (Australia)


gpg decrypt scenario on an immutable server.

Hi,
In relation to this gpg key
https://www.experts-exchange.com/questions/29182394/PGP-Keys-Tool.html

I generated the key on an EC2 Linux instance, which might get terminated at any time. In this case, if I lose this instance, I cannot decrypt anymore? What is the best practice to save the GPG private key and reuse it on an immutable EC2 server, please?

Sorry, I'm new to GPG, please guide me.
arnold (United States of America)

You are not limited where the keys can exist.
You can have the keys in multiple places; the important part is to maintain the passphrase.
The issue with multiple places is keeping track of passphrase changes.


It is unclear which choice you are talking about or which keys.

You're combining PGP/GPG with SFTP and SSH keys...

One deals with securing the data while the other deals with securing the transfer.


enthuguy (asker)

Sorry, I gave info with my limited knowledge.

I'm talking about receiving encrypted files with my GPG public key.

If the SFTP server is terminated and I launch a new server from this server, how do I decrypt it? Assume I have the passphrase somewhere and I can get it easily.

Do I need the private key on this server? Or is there no private key concept in GPG?

Sorry again for silly questions.

Two different things.
SSH keys are used to authenticate the user to transmit information.
The underlying file is visible and accessible. On both ends, the data stream is encrypted in transit. Consider it this way.
SFTP is like the armored vehicle transporting an item from one point to the other.
PGP/GPG is what secures a package.
Person B previously sent an unlocked case.
At point A the pickup is for an envelope and a locked case.
The armored crew picks them both up and delivers them to point B.
Person A, to whom the envelope is addressed, uses a letter opener to view the content.
Person B, to whom the locked case was sent, uses his thumbprint to unlock the case.


GPG (generally only used for email): usually you'll generate one locally, then push/share the public key with email recipients.

For SSH, you'll use ssh-keygen, then push/concatenate the public key into the EC2 instance's /root/.ssh/authorized_keys file... however you do this...
Suggestion: Split the GPG and SSH key questions into two separate questions, as they're completely different beasts with no crossover of function.
ASKER CERTIFIED SOLUTION
Giovanni (United States of America)
This solution is only available to members.
Thanks arnold for the explanation, starting to get the basics out of it.
@David, thx... yes, will keep it as two different methods.

Thanks @Giovanni, that's exactly what I was struggling with. Since I have zero knowledge I wasn't able to explain it well in EE :)
Now I know how to export and import if I create a server from the ground up.

A few more clarifications please
1. When I executed gpg --list-secret-keys, I received two sets of sec, uid, ssb using the same email address. Does it mean I have two keys?

sec   2048R/9A8A81BB 2020-05-18 [expires: 2025-05-17]
uid                  firstname lastname (docgen gpg key for external system to send encrypted files) <firstname.lastname@example.com>
ssb   2048R/368D3926 2020-05-18 [expires: 2025-05-17]


sec   2048R/B28DDEBC 2020-05-18 [expires: 2025-05-17]
uid                  firstname lastname (docgen gpg key for external system to send encrypted files) <firstname.lastname@example.com>
ssb   2048R/407F1012 2020-05-18 [expires: 2025-05-17]



2. How do I share the public key with the client, so they can encrypt files before sending? Like below, and provide the mypublickey-gpg.asc?
gpg --output mypublickey-gpg.asc --armor --export <emailid>



3. Once I receive the encrypted file, how do I decrypt it? Should I use my private key to decrypt, or if I have the key imported, will it recognise and decrypt automatically?

Sorry again for the stupid questions. Kindly please help.

1) Possibly. Did you generate one DSA and one RSA, or generate with a different key length? Or for different purposes?
2) If you have two or multiple, the .asc file based on email will include all public keys. The encrypting side, if I'm not mistaken, will need to specify which to use out of the available ones.
You could also register your public key with public keyservers, to which you can refer the person to locate your public key.
Note, in this case you have to manage these in case you need to revoke one you intend to stop using.
3) gpg --decrypt file.asc > resultingfile.asc
You will be prompted for the passphrase if your secret keyring includes ....
Thanks again! :)

Our scenario is: we want the client to send the encrypted file to us and we decrypt it. We want to use gpg/pgp to help us here.

I was thinking
1. We generate GPG keys.
2. Share with the client.
3. Client uses this key to encrypt and sends us the file (SFTP).
4. We receive the file and decrypt it.
5. Since we want this fully automated, I believe we can use --passphrase-file <passphrasefile>



1. Is this the right way of sharing the public key with the client?
gpg --output mypublickey-gpg.asc --armor --export <emailid>



2. After receiving, what I'm learning from all your suggestions/input: as long as the key and the passphrase are available on the target server, we should be able to decrypt?

Please help me with the above two.

Yes.

You can have a process that decrypts and places the resulting file into a DB or another way that you can access it. Potentially you know what you are expecting.
The process would monitor the folder where you have your SFTP server and where the person would drop the file.

You could also use the environment variable parameter that sets the passphrase, to avoid having the passphrase as part of the process list if you are including it on the command line and you have users on the system where SFTP is.

Depending on your version of gpg, running a gpg-agent with gpg-preset-passphrase for this service account where ..... https://www.gnupg.org/documentation/manuals/gnupg/gpg_002dpreset_002dpassphrase.html
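
The export, import and unattended decrypt round trip that the whole thread circles around, as an added example that is not part of the original thread and not any participant's code. Three throwaway GNUPGHOME directories play the original EC2 server, the external client and the rebuilt server, so nothing touches a real keyring. The key owner docgen@example.com, the passphrase, the file names and the one-line CSV are all constructed. It needs GnuPG 2.1 or later because it relies on gpg-agent's loopback pinentry to take the passphrase from a file (the asker's step 5) rather than from a prompt.

```shell
#!/bin/sh
# Added example (not from the thread): back up a GnuPG secret key, restore it on a
# freshly built host, and decrypt unattended with --passphrase-file.
# Three throwaway GNUPGHOMEs stand in for the original EC2 server, the external
# client, and the rebuilt server. Names, addresses, passphrase and file contents
# are all constructed for the demo. Requires GnuPG 2.1+ (gpg-agent, loopback pinentry).
set -eu

# Isolated keyring directory; gpg insists on mode 0700, which mktemp -d provides.
# allow-loopback-pinentry lets the passphrase come from a file instead of a prompt.
new_gnupghome() {
    dir=$(mktemp -d)
    echo "allow-loopback-pinentry" > "$dir/gpg-agent.conf"
    echo "$dir"
}

# Non-interactive gpg against a given home; $2 is the passphrase file, used only
# when the operation actually needs the passphrase (gen-key, secret export, decrypt).
gpg_batch() {
    home=$1; passfile=$2; shift 2
    GNUPGHOME="$home" gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" "$@"
}

# Prints the decrypted plaintext on stdout; any gpg failure aborts (set -e).
gpg_roundtrip() {
    old=$(new_gnupghome)     # server that originally generated the key
    client=$(new_gnupghome)  # external party: gets the public key only
    new=$(new_gnupghome)     # replacement server built from scratch
    work=$(mktemp -d)
    trap 'for h in "$old" "$client" "$new"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$old" "$client" "$new" "$work"' EXIT

    # Keep the passphrase in a 0600 file, never on the command line (it would show in ps).
    umask 077
    printf 'constructed-demo-passphrase\n' > "$work/passphrase.txt"

    # 1. Generate the key pair on the original server (RSA 2048, as in the thread's listing).
    cat > "$work/keyparams" <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: docgen
Name-Comment: constructed demo key
Name-Email: docgen@example.com
Expire-Date: 1y
Passphrase: constructed-demo-passphrase
%commit
EOF
    gpg_batch "$old" "$work/passphrase.txt" --gen-key "$work/keyparams"

    # 2. Export. The public key goes to the client; the secret key goes into a
    #    backup kept outside the disposable instance (secrets store, encrypted bucket, ...).
    gpg_batch "$old" "$work/passphrase.txt" --armor --output "$work/mypublickey-gpg.asc" \
        --export docgen@example.com
    gpg_batch "$old" "$work/passphrase.txt" --armor --output "$work/secret-backup.asc" \
        --export-secret-keys docgen@example.com

    # 3. The client imports only the public key and encrypts a file for us.
    #    --trust-model always skips the "not certified" question that --batch would otherwise fail on.
    printf 'payroll,2020-05,12345\n' > "$work/report.csv"
    gpg_batch "$client" "$work/passphrase.txt" --import "$work/mypublickey-gpg.asc"
    gpg_batch "$client" "$work/passphrase.txt" --trust-model always --recipient docgen@example.com \
        --output "$work/report.csv.gpg" --encrypt "$work/report.csv"

    # 4. The original server is gone. The rebuilt server imports the secret key
    #    from backup and decrypts with nobody at a keyboard.
    gpg_batch "$new" "$work/passphrase.txt" --import "$work/secret-backup.asc"
    gpg_batch "$new" "$work/passphrase.txt" --output "$work/report.decrypted.csv" \
        --decrypt "$work/report.csv.gpg"
    cat "$work/report.decrypted.csv"
}

# Run the demo with:  sh gpg_roundtrip.sh run
case "${1:-}" in
    run) gpg_roundtrip ;;
esac
```

Run it with `sh gpg_roundtrip.sh run`; it prints the original CSV line after the rebuilt server decrypts the file. On a real immutable instance the equivalents of secret-backup.asc and passphrase.txt would be fetched at boot from a secrets store or an encrypted bucket rather than baked into the image, and the passphrase stays in a file rather than on the command line, which is the process-list exposure arnold warns about above.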

Thanks very much!