How I use GPG in my day to day workflows

📆 · ⏳ 6 min read ·
# engineering # security
·

Introduction

In the previous blog, I talked about what is GPG and why you should start using it. In this post, I will go over how I use GPG in my day to day workflows.

If you haven’t read the previous blog, I highly recommend you to read it first to understand what GPG is since I won’t be going over those here.

Encrypting and decrypting files

GPG, like any other encryption tool, can be used to encrypt and decrypt files. I use GPG to encrypt sensitive files that I want to store on my computer or backup to cloud. If you have read other blog posts that I have shared around homelabbing and self-hosting, you know that when I share about self hosting a service, I try to talk through the backup strategy as well.

One of the step in my backup strategy is to encrypt all the backup files. I use GPG to encrypt the files/folders and then upload those to the cloud as off-site backups. This way even if someone gets access to my cloud storage, they won’t be able to access the files without decrypting them. It goes without saying that I don’t store the GPG keys on the cloud (although you would still need to know the passphrase to decrypt the files, I am a bit paranoid about storing the keys on the cloud).

So here are some of the common commands that I use to encrypt and decrypt files:

Encrypting a file

Terminal window
gpg --encrypt --recipient <recipient> <file>

The <recipient> is the email address / uid that you used when you created the GPG key and <file> is the file that you want to encrypt.

In case I want to encrypt multiple files, I usually create a tarball and then encrypt the tarball since with tar you can maintain the directory structure as well as the file permissions. The command would look something like this:

Terminal window
tar -czf - <files> | gpg --encrypt --recipient <recipient> > <output-file>.tar.gz.gpg

So suppose if I have these three files and I want to encrypt them:

file1.txt
file2.txt
file3.txt

Then the command would look something like this:

Terminal window
tar -czf - file1.txt file2.txt file3.txt | gpg --encrypt --recipient <recipient> > files.tar.gz.gpg

Now I would upload the files.tar.gz.gpg to the cloud.

Decrypting a file

Encrypted data is only good if you can decrypt and retrieve the original data. To decrypt a file, you can use the following command:

Terminal window
gpg --output <filename> --decrypt <gpg_filename>

Pretty straightforward, right? Once you hit enter with this, it will ask you for the passphrase that you used to encrypt the file and then it will decrypt the file.

Here the <filename> is the name of the file that you want to save the decrypted data to and <gpg_filename> is the name of the gpg encrypted file that you want to decrypt.

Considering the same example as we did for encryption, let say our encrypted file is files.tar.gz.gpg, then the command to decrypt it would look something like this:

Terminal window
gpg --output files.tar.gz --decrypt files.tar.gz.gpg

This will decrypt the file and save it as files.tar.gz in the current directory. You can then extract the tarball using the tar command:

Terminal window
tar -xzf files.tar.gz

And you have your original files back.

🙏🏾

I purposefully gave example of encrypting multiple files via tar since it is a common use case for me. But the steps for the single file encryption/decryption are the same, and infact one less step since you don’t need to convert/extract the tarball.

Signing git commits

Apart from encrypting files, I also use GPG to sign my git commits. Now I have written about how you can use GPG to sign commits in the previous post so instead of repeating the same content, I will just link to the section where I talk about signing git commits with GPG.

This overall adds an extra layer of security to my git repository. If you are working on a project with multiple collaborators, it is a good practice to sign your commits with GPG so that you can verify that the commit was made by the person who claims to have made it.

Password management

Did you know there is a package called password-store ↗️ or pass which uses GPG encryption to store passwords? It is a simple and secure way to store passwords and other sensitive information.

Basically this is how it works, first install the package using your package manager:

Terminal window
sudo apt install pass

Then you can initialize the password store:

Terminal window
pass init <gpg-id>

Here the <gpg-id> is the email address / uid that you used when you created the GPG key. This will create a directory in your home directory called .password-store where all the passwords will be stored.

Now you can create a password entry:

Terminal window
pass insert <entry-name>

This will ask for a password and then store it in the password store. You can then retrieve the password using:

Terminal window
pass <entry-name>

Now comes the best part, you can use pass to initialize a git repository and push the password store to a remote git repository. This way you can have a backup of your passwords and access them from anywhere.

Terminal window
pass git init
pass git remote add origin <remote-url>
pass git push -u origin master

Since all your passwords are encrypted with your GPG key, you can be sure that even if someone gets access to your password store, they won’t be able to access the passwords without decrypting them. However I would still recommend to push it on a private repository and not a public one.

Since I use Vaultwarden for my password management, I don’t heavily use pass but it is a good tool to have in your toolbox.

Secure communications

I also use GPG for secure communications. If I have to share sensitive information with someone, I usually encrypt the message using their public GPG key and then share the encrypted message with the recipient. The recipient can then decrypt the message using their GPG key.

Likewise if you want to send me a secure message, you can encrypt the message using my GPG public key and then share the encrypted message with me. I can then decrypt the message using my GPG key.

While I don’t use this feature as often to be honest, but it is good to know that I have the option to securely communicate with someone if needed.

Conclusion

GPG is a powerful tool that allows you to encrypt and sign your data and communications. In this post, I shared how I use GPG in my day to day workflows. I use GPG to encrypt files that I want to store on my computer or backup to the cloud. I also use GPG to sign my git commits to add an extra layer of security to my git repository.

If you have any questions or suggestions, feel free to reach out to me on Twitter ↗️ / Reddit ↗️.

See you in the next one. đź‘‹

Share on

Share on Twitter

Need help with your software project? Let’s talk

Previous Article

What is GPG and why you should start using it

Next Article

Tailscale — Accessing Homelab services outside my network

You may also like

  • # engineering# security

    What is GPG and why you should start using it

    GPG is a tool that allows you to encrypt and sign your data and communications. In this post, I will explain what GPG is and why you should start using it in your workflows if you aren't already.

  • # engineering

    Learning Through Building — Engineering Advices

    Over the years, I have learned a lot of things through building projects. In this post, I will be sharing some of the advices that I have learned through my journey.

  • # git# engineering

    Selecting the Right Git Merging Strategy: Merge Commit, Squash and Merge, or Rebase and Merge

    Uncover the intricacies of Git merging strategies – merge commit, squash and merge, and rebase and merge. Discover the pros and cons of each approach and learn how to navigate the decision-making process based on your project's dynamics and team preferences.