GPG

💡 The main objective of this project was to secure file transfers between two servers using GPG encryption. This measure aims to ensure that sensitive data remains confidential and intact during transmission and storage.

Prerequisites:

Have SSH installed and configured on both servers

1. GPG Installation

  • Server 1 and Server 2: GPG was installed on both servers to enable file encryption and decryption. The installation was done via the package manager of each operating system.

sudo apt install gnupg2

2. GPG Key Generation and Configuration

  • Key Generation: A pair of GPG keys must be created on Server 1. This includes a public key for encryption and a private key for decryption.

To generate a new GPG key, use the following command:

gpg --full-gen-key

You will be guided through several steps:

  • Key Type: Choose RSA and RSA (default) and press Enter.
  • Key Size: 2048 bits are sufficient for most users, but 4096 bits offer increased security.
  • Key Validity Duration: You can specify a period after which the key will expire (e.g., 1y for one year, 0 to never expire).
  • User Details: Enter your name, email address, and an optional comment.
  • Passphrase: Set a strong passphrase to protect your private key. Because the scripts in section 3 run unattended, no passphrase is set for this key; the private key is then protected only by the permissions on the ~/.gnupg directory and by access to the server account, so keep both restricted.

  • Public Key Export: Export the public key from Server 1 and import it on Server 2 to enable the latter to encrypt files intended for Server 1.

To export the key to a file, use the following command:

gpg --armor --export [email protected] > gpg_pub_key

Then, send the key to server 2 from server 1 using the following command:

scp gpg_pub_key user@IP_server:/path/to/files

To import the key on server 2, use the following command:

gpg --import gpg_pub_key

To list the keys present on server 2, use the following command:

gpg --list-keys

To trust the key on server 2, use the following command:

gpg --edit-key key-id
  • Type trust at the prompt gpg>.
  • Choose the “level of trust”:
    • 5 for “I trust ultimately” (meaning you are certain the key belongs to you and that you trust it).

Then confirm by typing y and exit by typing quit.
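Before an imported key is marked as trusted, it is worth checking that the file really carries Server 1's key rather than one substituted in transit. The script below is an added example, not part of the original project: it assumes GnuPG 2.2 or later, an expected fingerprint read out of band (the value shown is a constructed placeholder), and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own code). Gate the import on Server 2
# on the key's fingerprint and set ownertrust without the interactive
# --edit-key dialogue. Assumes GnuPG 2.2 or later.

# Fingerprint of Server 1's key, read out of band, e.g. from
# `gpg --fingerprint` on Server 1 over the existing SSH session.
# Constructed placeholder, not a real key.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Parse gpg's machine-readable colon output on stdin and print the
# fingerprint of each primary key (the 'fpr' record that directly follows
# a 'pub' record; field 10 carries the fingerprint). Subkeys are skipped.
parse_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# Print the primary-key fingerprint(s) of an exported key file without
# importing it into the keyring.
key_file_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
        parse_fingerprints
}

# Succeed only if exactly one primary key was found and it equals the
# expected fingerprint (a file bundling an extra key is rejected).
fingerprint_matches() {
    # $1: newline-separated fingerprints found, $2: expected fingerprint
    [ "$1" = "$2" ]
}

# Verify the file, then import it and mark it as ultimately trusted
# (ownertrust value 6) so the encryption script runs without prompts.
import_verified_key() {
    found=$(key_file_fingerprints "$1")
    if fingerprint_matches "$found" "$EXPECTED_FPR"; then
        gpg --batch --import "$1" &&
            printf '%s:6:\n' "$EXPECTED_FPR" | gpg --batch --import-ownertrust
    else
        echo "fingerprint mismatch for $1: got '${found:-none}'" >&2
        return 1
    fi
}

# Usage on Server 2 (in place of a blind `gpg --import gpg_pub_key`):
#   import_verified_key gpg_pub_key
```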

3. Scripting and Automation

  • Encryption Script: Develop a script to automate the encryption process of files on Server 2 and their transfer to Server 1.

#!/bin/bash

# Directory containing files to encrypt
directory="/path/to/directory"

# Temporary directory for encrypted files
encrypted_directory="/tmp/encrypted_files"

# Create the temporary directory if it does not exist
mkdir -p "$encrypted_directory"

# Destination server address
server_address="user@IP_server"

# Destination directory on the server
remote_directory="/path/to/files_encrypted"

# Public key for encryption
recipient_email="[email protected]"

# Expand to nothing instead of a literal "*" when the directory is empty
shopt -s nullglob

# Loop over each file in the directory (without encrypting files already encrypted)
for file in "$directory"/*; do
    # Skip sub-directories and files that are already encrypted
    if [ -f "$file" ] && [[ $file != *.gpg ]]; then
        encrypted_file="$encrypted_directory/$(basename "$file").gpg"

        # Encrypt the file; --batch prevents prompts, --yes overwrites an old output file
        if gpg --batch --yes --encrypt --recipient "$recipient_email" --output "$encrypted_file" "$file"; then
            echo "Encryption successful: $file"

            # Send the encrypted file
            if scp "$encrypted_file" "$server_address:$remote_directory"; then
                echo "Sending successful: $(basename "$file").gpg"
            else
                echo "Sending failure: $(basename "$file").gpg"
            fi
        else
            echo "Encryption failure: $file"
        fi
    fi
done

echo "Processing completed."
  • Decryption Script: Create a second script on Server 1 to automatically decrypt files received from Server 2.

#!/bin/bash

# Directory containing .gpg files
directory="/path/to/files_encrypted"

# Output directory for decrypted files
output_directory="/path/to/files_decrypted"

# Create the output directory if it does not exist
mkdir -p "$output_directory"

# Expand to nothing instead of a literal "*.gpg" when there are no files
shopt -s nullglob

# Loop over each .gpg file in the directory
for file in "$directory"/*.gpg; do
    # Extract the base name without the .gpg extension
    base_name=$(basename "$file" .gpg)

    # Decrypt the file; --batch makes gpg fail instead of prompting when run unattended
    if gpg --batch --yes --decrypt --output "$output_directory/$base_name" "$file"; then
        echo "Decryption successful: $file"
    else
        echo "Decryption failure: $file"
    fi
done

echo "Processing completed."

Conclusion

This project demonstrated the effectiveness of GPG encryption combined with SSH to secure file transfers between servers. The objectives were achieved, and the system put in place significantly contributes to the security of the company’s data infrastructure.