Developers, devops, webops, and sys admins often need to share very sensitive information with each other (like cartoon drawings mocking their bosses). Seriously, though, there is a right and wrong way to share or send passwords and credentials to other team members or clients. Typing a password into an email and sending it off on the wire is the wrong way.

So how do we send passwords securely by email? What is a secure way to pass credentials between team members?

The short answer is to use GnuPG (or gpg for short) to encrypt files and send them by email. What follows is a set of instructions for encrypting sensitive information like API keys and passwords to send by email, or some other means of electronic communication. Once you get set up, it's really easy to encrypt files on Mac OSX, Ubuntu, and other Unix based systems using gpg.

Aside: I don't cover Windows here; it's probably more complicated than I want to get into.

Check for GnuPG on Your Machine.

Open a terminal and type this command, which should work on both Ubuntu and Mac OSX:

which gpg

If you get nothing, you don't have GnuPG, but if you get something similar to /usr/local/bin/gpg then it is already installed.

Install GnuPG (if you don't have it).

On Ubuntu you can do this really easily from the terminal with the command:

sudo apt-get install gpg

On Mac OSX it gets a little more involved but not too bad. If you have Homebrew, I've been told you can just open a terminal and run this:

sudo brew install gpg

I've never tried that method, so I can't vouch for it. Intstead, I built GnuPG on my Mac OSX box with this series of commands:

curl -O ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.11.tar.bz2
tar -xzf gnupg-1.4.11.tar.gz 
cd gnupg-1.4.11
./configure
make
make check
sudo make install

Do a quick Google to make sure you have the latest version of GnuPG that you want. I actually followed a more detailed set of instructions for installing GnuPG on OSX , and you might want to check that out too.

Generate a Key

Again, open up a terminal, and then run:

gpg --gen-key

That command will run you through a series of interactive options on the command line:

  • Select what kind of key you want: choose (1) RSA and RSA
  • What key size do you want?: 4096 (Why not choose the largest number possible?)
  • Specify how long the key should be valid: 3m (see discussion below)
  • Real name and email (self explanatory).
  • Email Address (self explanatory).
  • Comment (whatever, but keep it short).
  • Password: Write something long and memorable.

GnuPG will puke 10 or 12 lines on your terminal and then you can run gpg --list-keys to see your new key. To delete a key, just run gnu --delete-key <description>.

Valid Date

The valid date is basically just an expiration date for your key. It's a good idea to set a valid date on your key so that any files you encrypt with it cannot be opened indefinitely. I like to set the expiration date 3 months away, which forces me to keep my key fresh. For more sensitive information you can tighten this time window by a lot.

Create a Public Half for Your Key

This is pretty easy too. In the terminal, run:

gpg --armor --output mypubkey.asc --export <my_description>

The mypublickey.asc argument can be a full path to where you want the public key file saved, and the <description> argument can just be your real name that you used to create your key. If you forget what value you used for "Real Name" then you can get it easily with gpg --list-keys.

Once you have this public file for your key, you can safely email it to anyone who you're going to be sharing encrypted information with.

Review so Far

The reason this whole thing is going to work is that when you send your public key file to somebody, they can use it to encrypt a file, and you'll be the only person on the planet capable of decrypting it. That is, unless you "misplace" your private key and somebody else happens to get their hands on it. Which is why you use a strong password and an expiration date on the key when you create it.

On the other hand it's totally safe to pass your public key by email. The only thing anybody can do with it is encrypt messages for you to decrypt with your private key. That's why it's called asymmetric key cryptography. In fact, you can completely put on the geek sauce and post your public key on your website so your friends and family can wonder over just how strange you've really become.

Remember: The public key can be very public but the private key must be kept very private. Not too hard, right?

Get a Public Key so You Can Encrypt a File

To encrypt and send a file to somebody you first need to send them to this blog post and tell them to follow the instructions for creating a key pair; the private key and the public key. They need to remember to keep their private key private and send the public key to you. Attaching the public key as a plain text file to an email is a good way of doing this.

Once you have the public half of your friend's asymmetric key pair you can import it into GnuPG.

Import Your Friends' Public Keys Into GnuPG

Assuming your friend called their public key file mypubkey.asc you can import it quite simply by firing up your terminal (again) and running this command:

gpg --import mypubkey.asc

Make sure the mypubkey.asc argument is the full path to wherever you saved your friend's key. You can see the key has been imported into GnuPG by running:

gpg --list-keys

When you run that you should see a new listing for your friend's key.

Encrypt Your File of Secrets

First, compose your file of secrets that you're going to pass to your friend. Then, assuming you have already imported your friend's public key in GnuPG, you're going to encrypt your file of secrets with it. You do that by opening a terminal (you might as well just keep it open like a good geek) and run this command:

gpg --encrypt --recipient <key_id> mysecrets.txt

The <key_id> argument should be the name of your friend's key. Again, you can see the names of all the keys you have by running gpg --list-keys. The mysecrets.txt argument should be the full path to the file of secrets that you want to encrypt.

When it's all said and done, GnuPG should have spit out the encrypted version of your file of secrets as a new file called mysecrets.txt.gpg. Now you can attach mysecrets.txt.gpg to an electronic mail message (the kids call it "email") and send it off to your friend.

Decrypting Your File of Secrets

Remember to tell your friend in the electronic mail message you just sent them to come back to this blog post and follow these instructions for decrypting your file of secrets.

Once they download the mysecrets.txt.gpg file you sent them, all they have to do is open a terminal and run this:

gpg --output newfile.txt --decrypt mysecrets.txt.gpg

Of course the mysecrets.txt.gpg file is the file of secrets that you sent to them and newfile.txt is the path where they want GnuPG to save the decrypted file.

Fin

That should do it. Now you can pass super secret files to all your friends and family. It's just like being a kid with your own backyard secret society again.

OK, well practically speaking this is the standard for passing system credentials and web service keys to team members who need them. Your file of secrets could be the API keys to your email parsing service or the full stack of credentials for your Amazon Web Services account. You don't want to be passing these things around by email without encrypting them, and public key (asymmetric) cryptography is the gold standard for doing this.