Like most people*, I use GPG everyday. Although most often associated with email, that’s usually not what I use it for. Here are a couple of ways that I do.
I used to use LastPass as my password manager, and it was nice and convenient. But it always bothered me that my password vault was located in the cloud. I researched it and cryptographers vouched for it, but I was still paranoid. Here is a list of concerns that I had:
- Do they use and save keys or is my key generated on my machine?
- Are they making copies of my data?
- Are they scrubbing and deleting my data when I stop using their service?
- What if they’re subpoenaed by the government or receive a secret NSA warrant? How would I even know?
- Is the code open source? Can it be audited?
- What about their security?
And companies and governments lie, especially when either money or privacy (or both) is concerned.
Yes, I realize that it could be just as easy for a determined adversary to get into my box as a cloud service. But, and this is important to me, I know how my data is encrypted, I know where it is at all times, and I know that my key is protected by a passphrase even if my box is compromised.
End-to-end File Encryption
I have lots of super secrets on my machine that I don’t want anyone else to see. To be honest, I really don’t, but that’s not the point of privacy and encryption. Often what I’ll do is tar up files or whole directories and then encrypt that with my key. I can then store that anywhere I please in the cloud. For instance, I can push my encrypted password vault to the cloud and then pull that down onto any machine that I want, and everything is in sync.
Signing is pretty ubiquitous. Sometimes I’ll sign a file to send to a friend, not just so they know it was from me but that they also know that no bits were fiddled with in transit. But since this post is limited to how I use GPG every day, I’ll limit it to one particular example.
GitHub added the nice feature of commit signing with your GPG key. Here is a snippet from my
.gitconfig file that shows the pertinent bits:
[user] name = Benjamin Toll email = email@example.com signingkey = B331L33T [alias] br = branch # -S = GPG-sign commit. ci = commit -S ca = commit -S --amend ...
Who Needs GPG Browser Plugins?
Encrypt and paste into web mail:
cat << eof | gpg -ear firstname.lastname@example.org | xsel -b
cat | gpg -d
Sign and paste into web mail:
cat << eof | gpg --clear-sign | xsel -b
* I just chortled.