GPG Notes
I generated my key pair on catness
Generate key pair
- gpg --gen-key
I used RSA and RSA
4096 bytes
My google details
0 expiry
It took ages to generate
Check:
- gpg --list-keys
Export my public key
- gpg --armor --export rmetcalf9@googlemail.com > /home/robert/otherGit/Personal_Infrastructure/rmetcalf9.publickey
(I put it in the root of my personal infrastructure repo.)
Import public key
For my website I transfer the public key file via ansible (global machine setup) and use the following command:
- gpg --import ~/rmetcalf9.publickey
Need to add trust to the key to stop the encrypt process from prompting:
- gpg --edit-key rmetcalf9@googlemail.com
Trust the key (type trust)
https://www.gnupg.org/gph/en/manual/x56.html
Decrypt file
- gpg --output ${OUTPUT_FILE} --decrypt ${INPUT_FILE}
Back up my key
It goes in my catness documents dir; the backup still needs the pass phrase.
- gpg --export-secret-key -a "rmetcalf9@googlemail.com" > rmetcalf9.privatekey
I also keep it in other locations
OLD OpenSSL backup process is below (was node 285 on code2)
I use public keys for my backup using a method similar to the one found here "http://askubuntu.com/questions/95920/encrypt-tar-gz-file-on-create"
I have a public key and private key stored in my static backup directory.
The public key is needed to create a backup.
The private key is needed to restore a backup.
For a backup file xxx.tar.gz:
Generate a random passphrase and put it into a file key.txt
Encrypt the backup tar with the random pass phrase: xxx.tar.gz.enc
Encrypt key.txt with my public key from the rjm_static_secret folder: xxx.tar.gz.key
Upload xxx.tar.gz.dat and xxx.tar.gz.key to the online and offline backup locations
Example
- openssl rand 128 -out ${ENCDIR}/key.txt
- openssl enc -aes-256-cbc -pass file:${ENCDIR}/key.txt < ${ENCDIR}/catness_encrtpyed.tar.gz > ${CATNESS_BACKUP_DIR}/${NEWNUM}_catness_encrtpyed.tar.gz.enc
- openssl rsautl -encrypt -pubin -inkey ${PUBKEYFILE} < ${ENCDIR}/key.txt > ${CATNESS_BACKUP_DIR}/${NEWNUM}_catness_encrtpyed.tar.gz.key
To Restore xxx.tar.gz
Download xxx.tar.gz.dat and xxx.tar.gz.key from the online or offline backup locations
Get access to the private key in the rjm_static_secret folder
Decrypt xxx.tar.gz.key to give me key.txt
Decrypt xxx.tar.gz.dat to give me the data
Example
- DOWNLOADED_ENCKEY=/home/robert/Documents/backups/catness/0002_catness_encrtpyed.tar.gz.key
- DOWNLOADED_ENCFILE=/home/robert/Documents/backups/catness/0002_catness_encrtpyed.tar.gz.enc
- STATIC_SECRET_DIR=/home/robert/Documents/backups/rjm_static_secret
- OUTPUT_FILE=/home/robert/Documents/backups/unencrypted.tar.gz
- openssl rsautl -decrypt -inkey ${STATIC_SECRET_DIR}/key.pem < ${DOWNLOADED_ENCKEY} > ${DOWNLOADED_ENCKEY}.notencrypted
- openssl enc -aes-256-cbc -d -pass file:${DOWNLOADED_ENCKEY}.notencrypted < ${DOWNLOADED_ENCFILE} > ${OUTPUT_FILE}
- rm ${DOWNLOADED_ENCKEY}.notencrypted
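The backup and restore steps above, as an added example that is not part of the original notes: two shell functions plus a round-trip self-check. It assumes OpenSSL 1.1.1 or later, swaps in pkeyutl with OAEP padding for rsautl and -pbkdf2 for the old key derivation, and writes the file key as one line of hex rather than raw random bytes, because "-pass file:" only reads the first line of the file, so a raw "openssl rand" key can be silently truncated at the first newline.

```shell
# Added example, not the notes' own commands. Assumes OpenSSL 1.1.1+ (pkeyutl,
# -pbkdf2) and a POSIX shell with mktemp and cmp available.

# backup_encrypt SRC PUBKEY PREFIX: writes PREFIX.enc (data) and PREFIX.key (wrapped key)
backup_encrypt() {
    src=$1; pub=$2; pfx=$3
    fkey=$(mktemp)
    # Hex key on one line: "-pass file:" only reads the first line of the file
    openssl rand -hex 32 > "$fkey" || return 1
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$fkey" -in "$src" -out "$pfx.enc" \
        || { rm -f "$fkey"; return 1; }
    # Wrap the file key with the RSA public key (OAEP instead of rsautl's PKCS#1 v1.5)
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$fkey" -out "$pfx.key" || { rm -f "$fkey"; return 1; }
    rm -f "$fkey"    # do not leave the plaintext file key beside the backup
}

# backup_restore PREFIX PRIVKEY DEST: unwraps the file key, then decrypts the data
backup_restore() {
    pfx=$1; priv=$2; dest=$3
    fkey=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$pfx.key" -out "$fkey" || { rm -f "$fkey"; return 1; }
    openssl enc -aes-256-cbc -pbkdf2 -d -pass "file:$fkey" -in "$pfx.enc" -out "$dest" \
        || { rm -f "$fkey"; return 1; }
    rm -f "$fkey"
}

# roundtrip_check: throwaway 2048-bit key pair and a constructed payload; returns 0
# only if restore reproduces the input and an unrelated private key cannot restore it
roundtrip_check() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.pem" 2>/dev/null
    openssl genrsa -out "$work/other.pem" 2048 2>/dev/null
    printf 'constructed backup payload\n' > "$work/data.tar.gz"
    rc=1
    if backup_encrypt "$work/data.tar.gz" "$work/pub.pem" "$work/0001_backup" \
        && backup_restore "$work/0001_backup" "$work/key.pem" "$work/restored.tar.gz" \
        && cmp -s "$work/data.tar.gz" "$work/restored.tar.gz" \
        && ! grep -q 'constructed backup payload' "$work/0001_backup.enc" \
        && ! backup_restore "$work/0001_backup" "$work/other.pem" "$work/bad.tar.gz" 2>/dev/null
    then rc=0; fi
    rm -rf "$work"
    return $rc
}

roundtrip_check && echo "round trip OK"
```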
Generating rjm_static_secret folder
Created the folder in the catness encrypted location first.
Launched bash and went into the directory.
Generated keys:
- openssl genrsa -out key.pem 4096
- openssl rsa -in key.pem -out key-public.pem -outform PEM -pubout
Finally I needed to create an encrypted version of this directory that I can safely put on family PCs:
(run from parent directory)
- tar -cvpzf rjm_satic_secret.tar.gz rjm_static_secret
- openssl enc -aes-256-cbc -pass file:<( echo -n "PPP" ) < rjm_satic_secret.tar.gz > rjm_satic_secret.tar.gz.enc
- rm rjm_satic_secret.tar.gz
Change PPP to the real password.
The public key can go to any location where I must make backups.
Retrieving the unencrypted rjm_static_secret folder
Get the encrypted one. In the same directory as it, run the following:
- openssl enc -aes-256-cbc -d -pass file:<( echo -n "PPP" ) < rjm_satic_secret.tar.gz.enc > rjm_satic_secret.tar.gz
- tar -xvzf rjm_satic_secret.tar.gz
- rm rjm_satic_secret.tar.gz
openssl rand 32 -out key.txt