How to encrypt data using the PGP Public Key of an organization/entity
We wrote these notes while encrypting email communication between us and the contact address of https://www.offensive-security.com/. Specifically, we needed to encrypt some email attachments containing sensitive data.
First, we tried to fetch their PGP public key from https://www.offensive-security.com/registrar.asc using:
curl -O https://www.offensive-security.com/registrar.asc;
We soon realized that the downloaded file was binary: their web server or CDN had gzip-compressed the response.
$ file registrar.asc
registrar.asc: gzip compressed data, from Unix, original size modulo 2^32 7487
So we modified our curl command to decompress the response automatically:
curl --compressed -O https://www.offensive-security.com/registrar.asc;
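The compression problem above is easy to miss when a download is scripted, so here is an added example (not from the original notes) that checks a fetched .asc file before it reaches gpg --import: it detects the gzip magic number, decompresses in place, and then requires the OpenPGP armor header. The key material below is constructed and is not a real key; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: check that a downloaded .asc
# file is really ASCII-armored before passing it to gpg --import. A web server
# or CDN may gzip the response even for a text file, so the bytes on disk can
# start with the gzip magic number (1f 8b) instead of the armor header that
# gpg expects. The sample key below is constructed and is not a real key.

# is_gzip FILE: succeeds when the first two bytes are the gzip magic number
is_gzip() {
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# is_armored_pubkey FILE: succeeds when the first line is the OpenPGP armor header
is_armored_pubkey() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# ensure_armored_key FILE: decompress in place if needed, then require the
# armor header. Returns 1 when the file is neither gzip nor an armored key
# (for example an HTML error page saved under the .asc name).
ensure_armored_key() {
    f="$1"
    if is_gzip "$f"; then
        # gunzip rejects unknown suffixes, so go through stdin/stdout
        gunzip -c "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    if is_armored_pubkey "$f"; then
        return 0
    fi
    echo "$f does not look like an ASCII-armored public key" >&2
    return 1
}

# --- constructed demo data ---
workdir=$(mktemp -d)
printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nbm90IGEgcmVhbCBrZXk=\n-----END PGP PUBLIC KEY BLOCK-----\n' \
    > "$workdir/plain.asc"
# what a compressing CDN would have served: the same bytes, gzip-compressed
gzip -c "$workdir/plain.asc" > "$workdir/registrar.asc"
# neither compressed nor armored: an error page saved under the .asc name
printf '<html>404</html>\n' > "$workdir/bogus.asc"

for name in registrar.asc plain.asc bogus.asc; do
    if ensure_armored_key "$workdir/$name" 2>/dev/null; then
        echo "$name: armored key, safe to hand to gpg --import"
    else
        echo "$name: rejected"
    fi
done
```

Checking the first line rather than trusting the file extension also catches the other common failure, a redirect or error page saved as registrar.asc, which gpg --import would otherwise reject with a less obvious "no valid OpenPGP data found" message.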
Once we had the plaintext version of the registrar.asc file, we could proceed with the encryption steps. The first step was to import their key:
gpg --import registrar.asc;
$ gpg --import registrar.asc
gpg: key 6C12FFD0BFCBFAE2: 9 signatures not checked due to missing keys
gpg: key 6C12FFD0BFCBFAE2: public key "Offensive Security (Offensive Security Registrar) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-12-13
Using the following command, we encrypted the sensitive data before sending it via email:
gpg --recipient [email protected] --encrypt sensitive.mp4;
The gpg command automatically used the public key we had imported in the previous step to perform the encryption, and wrote the result to sensitive.mp4.gpg. We only needed to send that file, since the other party already held the private key needed to decrypt it. Note that gpg asks for confirmation before encrypting to a key it has not been told to trust; before answering, compare the imported key's fingerprint with one obtained from the organization through another channel, because a key fetched over the web is only as trustworthy as that download.
Bonus: Create your own public key so that people can contact you with encryption
Executing gpg --gen-key asked us to provide a name, an email address, and a passphrase that protects the new private key. Below is the sample output generated for us:
$ gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: [email protected]
You selected this USER-ID:
    "John Doe <[email protected]>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A53FEA7768D67D2A marked as ultimately trusted
gpg: revocation certificate stored as '/home/john/.gnupg/openpgp-revocs.d/D1660B83341AEF2852A2A4C6A53FEA7768D67D2A.rev'
public and secret key created and signed.

pub   rsa3072 2021-12-13 [SC] [expires: 2023-12-13]
      D1660B83341AEF2852A2A4C6A53FEA7768D67D2A
uid                      John Doe <[email protected]>
sub   rsa3072 2021-12-13 [E] [expires: 2023-12-13]
Then, we exported our public key using the command below.
gpg --export --armor --output john.asc [email protected];
Sending this file to other people, or publishing it on a public key server, lets them encrypt data that only you can read.
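To tie the two halves of these notes together, here is an added example (not from the original notes) that runs the whole exchange offline against two throwaway keyrings: the recipient generates and exports a key in batch form (the non-interactive equivalent of the --gen-key and --export steps above), the sender imports it, checks the fingerprint against a value obtained out of band, and only then encrypts, after which the recipient decrypts to confirm the round trip. The user ID registrar@example.invalid, the file names and the "expected" fingerprint are all constructed for the demo; the quick-gen-key and pinentry-mode options require GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original notes: the import -> verify ->
# encrypt sequence from the notes plus the batch form of the key generation
# and export from the bonus section, run against two throwaway keyrings so
# it works offline. The step the notes leave out is fingerprint verification:
# a key fetched over the web is only as trustworthy as that download, so the
# imported key's fingerprint is compared with one obtained out of band before
# anything is encrypted. All names and addresses here are constructed.

# fingerprint_of HOME USERID: prints the primary key fingerprint (40 hex chars)
fingerprint_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_fingerprint HOME USERID EXPECTED: succeeds only on an exact match
verify_fingerprint() {
    actual=$(fingerprint_of "$1" "$2")
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# encrypt_for HOME FINGERPRINT INFILE OUTFILE: encrypt to the verified key.
# --recipient takes the fingerprint rather than an address, so a second key
# carrying the same user ID cannot be selected by mistake; --trust-model always
# is acceptable only because the fingerprint was checked explicitly.
encrypt_for() {
    GNUPGHOME="$1" gpg --batch --yes --trust-model always \
        --recipient "$2" --output "$4" --encrypt "$3"
}

# run_demo: recipient keyring R, sender keyring S. Succeeds when the round
# trip works and a wrong fingerprint is rejected.
run_demo() {
    work=$(mktemp -d)
    R="$work/recipient"; S="$work/sender"
    mkdir -m 700 "$R" "$S"

    # 1. recipient side: generate a key (no passphrase, demo only) and export
    #    the public half, as the bonus section does with --gen-key/--export
    GNUPGHOME="$R" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Registrar <registrar@example.invalid>' default default never 2>/dev/null
    GNUPGHOME="$R" gpg --batch --export --armor \
        --output "$work/registrar.asc" registrar@example.invalid
    # the fingerprint "received out of band" (here read from the recipient's own keyring)
    expected=$(fingerprint_of "$R" registrar@example.invalid)

    # 2. sender side: import the downloaded file, as in the notes
    GNUPGHOME="$S" gpg --batch --import "$work/registrar.asc" 2>/dev/null

    # 3. verify before encrypting; a mismatch must stop the process
    verify_fingerprint "$S" registrar@example.invalid "$expected" || return 1
    wrong=0000000000000000000000000000000000000000
    if verify_fingerprint "$S" registrar@example.invalid "$wrong"; then return 1; fi

    # 4. encrypt a constructed file and confirm the recipient can read it back
    printf 'constructed sensitive content\n' > "$work/sensitive.txt"
    encrypt_for "$S" "$expected" "$work/sensitive.txt" "$work/sensitive.txt.gpg" || return 1
    GNUPGHOME="$R" gpg --batch --quiet --decrypt "$work/sensitive.txt.gpg" \
        > "$work/roundtrip.txt" 2>/dev/null || return 1
    if cmp -s "$work/sensitive.txt" "$work/roundtrip.txt"; then status=0; else status=1; fi

    # stop the agents gpg started for the throwaway homes
    GNUPGHOME="$R" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$S" gpgconf --kill gpg-agent 2>/dev/null || true
    return $status
}

if run_demo; then
    echo "import, fingerprint check, encrypt and decrypt round trip: OK"
else
    echo "demo failed (is gpg 2.1 or newer installed?)" >&2
fi
```

In real use the expected fingerprint would come from a phone call, a business card or a page the organization publishes over a separately trusted channel, not from the same keyring the download landed in; the demo only reads it from the recipient's keyring because both sides live on one machine.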