Encrypting Supportconfig for Added Security
There are cases where the data on your server is extremely sensitive. In these cases, sending information such as the supportconfig to us over standard channels like email and FTP isn't secure enough. So what can be done? We can use GPG keys to encrypt the data before it is sent. I'll give the steps of the process below.
First, on our end, we'll generate keys that will be valid for 8 weeks (the time can be adjusted if necessary):
hostname:~ # gpg --gen-key
gpg (GnuPG) 2.0.24; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 8w
Key expires at Wed 14 Jun 2017 08:42:39 AM MDT
Is this correct? (y/N) y
Then we’ll be prompted to create a user ID:
GnuPG needs to construct a user ID to identify your key.
Real name: <your name>
Email address: <your email>
Comment: <your name>’s Key
You selected this USER-ID:
"<your name> (<comment>) <your email>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
It will next prompt for a passphrase to protect the private key, so that someone who gets hold of the private key file still can't use it without the passphrase. After that, the public key can be exported and sent to you. A public key can only encrypt, not decrypt, so it's safe to send through email.
hostname:~ # gpg --export "<userID>" > file_name.pub
Once you receive the key you can import it.
hostname:~ # gpg --import /path/to/file_name.pub
Before using the public key, compare its fingerprint with the Linux Engineer to make sure you both have the same key:
hostname:~ # gpg --fingerprint <user ID>
pub 1024D/6A3212FA 2017-04-19 [expires: 2017-06-14]
Key fingerprint = BF83 FAED 72FF 2517 DB4D 8849 37B3 8885 6A32 12FA
After that’s taken care of you can encrypt the data, such as the supportconfig:
hostname:~ # gpg -r <userID> --encrypt supportconfig.tbz
It will create a file in the directory where you ran the command, with the same name as the file you encrypted plus the extension .gpg. You can then send that file safely through FTP or email, and we'll decrypt it using the private key on our end:
hostname:~ # gpg --decrypt supportconfig.tbz.gpg > supportconfig.tbz
This of course could be used by you as well if you need someone else to send information to you securely.
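The whole procedure above run end to end as one script, added here as an example and not part of the original post: two throw-away keyrings stand in for our side and yours, the fingerprint of the imported key is checked against the one obtained separately before the key is trusted, and the decrypted file is compared with the original. It assumes GnuPG 2.1 or later is installed; the name, email address, passphrase and file contents are made up, and the key is 2048 bits only to keep the demo quick.

```shell
#!/bin/sh
# Added example: GPG key round trip for a supportconfig, with the fingerprint
# check enforced before the imported public key is trusted.
# Assumes gpg (GnuPG 2.1+); all names, addresses and data are constructed.
set -eu

supportconfig_gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    eng="$work/engineer"; cust="$work/customer"
    mkdir -m 700 "$eng" "$cust"   # isolated keyrings, ~/.gnupg is never touched
    printf 'allow-loopback-pinentry\n' > "$eng/gpg-agent.conf"
    uid="support@example.com"; pass="demo-passphrase"

    # 1. Our side: RSA key pair (primary + encryption subkey) valid for 8 weeks.
    GNUPGHOME=$eng gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Expire-Date: 8w
Name-Real: Support Engineer
Name-Email: $uid
Passphrase: $pass
%commit
EOF
    # 2. Export the public key; the fingerprint travels separately from the key.
    GNUPGHOME=$eng gpg --batch --quiet --armor --export "$uid" > "$work/support.pub"
    expected=$(GNUPGHOME=$eng gpg --batch --with-colons --fingerprint "$uid" \
               | awk -F: '/^fpr:/{print $10; exit}')

    # 3. Your side: import, then stop unless the fingerprint matches the one
    #    confirmed with the engineer. Only a matching key gets marked trusted.
    GNUPGHOME=$cust gpg --batch --quiet --import "$work/support.pub"
    got=$(GNUPGHOME=$cust gpg --batch --with-colons --fingerprint "$uid" \
          | awk -F: '/^fpr:/{print $10; exit}')
    [ "$got" = "$expected" ] || { echo "FINGERPRINT MISMATCH"; return 1; }
    echo "$got:6:" | GNUPGHOME=$cust gpg --batch --quiet --import-ownertrust

    # 4. Encrypt a stand-in supportconfig.tbz; gpg writes supportconfig.tbz.gpg.
    printf 'constructed supportconfig contents\n' > "$work/supportconfig.tbz"
    GNUPGHOME=$cust gpg --batch --quiet -r "$uid" --encrypt "$work/supportconfig.tbz"

    # 5. Our side: decrypt with the private key and its passphrase, then verify.
    GNUPGHOME=$eng gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --output "$work/decrypted.tbz" --decrypt "$work/supportconfig.tbz.gpg"
    cmp -s "$work/supportconfig.tbz" "$work/decrypted.tbz" && echo OK
    for h in "$eng" "$cust"; do GNUPGHOME=$h gpgconf --kill gpg-agent || true; done
    rm -rf "$work"
}
```

Run `supportconfig_gpg_demo` after sourcing the file; it prints OK when the decrypted file matches the original and SKIP when gpg is not installed.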
As always, I hope I’ve changed all of your lives forever and that this paradigm shift in your lives will mean less work for me.