PROTECTING OUR FILES WITH GPG ON WINDOWS

Simple to use, simple to deploy, simple to manage, possible to control: these are our mottos at Lybero.net for our products. Our focus is on protecting data exchanges, not on protecting data on the workstation.

That does not rule out protecting workstations with encryption. There are two separate levels of protecting information, for different contexts. The basic level is partition encryption. Operating systems have offered this option for a long time, and it is recommended to use it. However, while your workstation is running, an attacker who gains access to it can recover the data, which is decrypted during that time. Encrypting files individually helps avoid this.

If one thinks in terms of the General Data Protection Regulation, Article 25 (Data protection by design and by default) states that “…such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”

In technical terms, this can have no other meaning than: any personal data, any file containing personal information, must be encrypted for one or more designated persons who alone can choose to grant access to it. In particular, system administrators should not have access to personal information, including through backups.

The only way to do this is to encrypt files. There are many ways to do this, but let's start with a universal encryption tool: gpg.

Individual file encryption under Linux

I have been working on a Linux workstation for over 20 years. In 2008, I really started to worry about security issues. Because of the diversity of operating systems, Linux workstations are less likely to fall victim to viruses; however, a determined attacker can always target a workstation. What worried me most was the multiplicity of passwords I had to manage. I was looking for a simple way to store them in encrypted form. So I created two aliases (commands available from the command line), pe and pv: pe is password edit and pv is password view.

I knew there were ready-made programs, but I like to stay in control with simple solutions. These aliases are:


alias pv='pushd ~/Documents/password;make view;reset;popd'
alias pe='pushd ~/Documents/password;make edit;reset;popd'

pushd changes directory while remembering the path you started from; popd takes you back to that original directory. In between, I launch the programs via make.

And the corresponding Makefile:


# example Makefile for viewing/editing an encrypted file
# (recipe lines must start with a tab character)
GPGID = <mon.adresse@mondomaine.com>
FILEPLAIN = index.txt.clear
FILECRYPT = index.txt

GPG = gpg
RM = /bin/rm -i
VI = vim

edit:
# decrypt into a plaintext file readable by the owner only (umask 0077)
	@umask 0077;\
	$(GPG) --output $(FILEPLAIN) --decrypt $(FILECRYPT)
# No backup in vim !!! (-n also disables the swap file, another plaintext copy)
	@$(VI) -n -c "set nobk" $(FILEPLAIN)
# keep the previous ciphertext stamped with the date, then re-encrypt;
# the umask applies to the new ciphertext as well
	@umask 0077;\
	mv $(FILECRYPT) `date +%F-%R`-$(FILECRYPT);\
	$(GPG) --output $(FILECRYPT) --encrypt --recipient "$(GPGID)" $(FILEPLAIN)
# remove the plaintext (rm -i asks for confirmation first)
	@$(RM) $(FILEPLAIN)

view:
	@umask 0077; $(GPG) --decrypt $(FILECRYPT) | less

When I type pv, a window asks me for the passphrase protecting my gpg key for mon.adresse@mondomaine.com, and then I see my complete file, in which I can search with the usual vim commands. It is clearly a geek solution, but it is very convenient. A new password: pe, go to the end of the file, add the password, save, quit. And the previous file is backed up with the date. Using pv: pv, search, copy, paste, and done. I use vim, but everyone can use the editor of their choice.

I later discovered KeePassX, and now I use both solutions.

From there, it seemed necessary to have encrypt/decrypt commands for my files with my PGP key. So now I have a crypt command and a decrypt command (okay, they are in English). “crypt nom_de_fichier” encrypts the file into nom_de_fichier.crypto, and “decrypt nom_de_fichier.crypto” decrypts the file for me.
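The text does not reproduce those two commands, so here is one way to write them in bash, as an added example rather than the author's own scripts. It assumes gpg is on the PATH (the GPG variable overrides the command) and that GPGID selects your own key; <mon.adresse@mondomaine.com> is the same placeholder as in the Makefile above. Compared with a bare gpg call it refuses to overwrite an existing output, deletes the plaintext only after gpg has exited successfully, and takes the output name from the argument rather than from the name embedded in the ciphertext.

```bash
#!/usr/bin/env bash
# Added example: "crypt"/"decrypt" commands in the spirit of those described
# above; not the author's own scripts. Assumes gpg is on the PATH (set GPG to
# override) and that GPGID selects your own key; the address is a placeholder.
GPG="${GPG:-gpg}"
GPGID="${GPGID:-<mon.adresse@mondomaine.com>}"
SUFFIX=".crypto"

# crypt FILE  ->  FILE.crypto, then removes FILE (only if gpg succeeded).
crypt() {
    local src="$1" dst="$1$SUFFIX"
    [ -f "$src" ] || { echo "crypt: no such file: $src" >&2; return 1; }
    if [ -e "$dst" ]; then echo "crypt: refusing to overwrite $dst" >&2; return 1; fi
    # umask 0077 so the new file is readable by the owner only.
    ( umask 0077 && "$GPG" --output "$dst" --encrypt --recipient "$GPGID" "$src" ) || return 1
    # rm unlinks the name but does not wipe the blocks; partition encryption
    # (the first level mentioned above) is what covers that gap.
    rm -f -- "$src"
}

# decrypt FILE.crypto  ->  FILE.  The output name comes from the argument,
# not from the name embedded in the ciphertext, so a crafted .crypto file
# cannot choose where the plaintext is written. The .crypto file is kept.
decrypt() {
    local src="$1" dst
    case "$src" in
        ?*"$SUFFIX") dst="${src%"$SUFFIX"}" ;;
        *) echo "decrypt: expected a $SUFFIX file: $src" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "decrypt: no such file: $src" >&2; return 1; }
    if [ -e "$dst" ]; then echo "decrypt: refusing to overwrite $dst" >&2; return 1; fi
    ( umask 0077 && "$GPG" --output "$dst" --decrypt "$src" )
}

# Usage, e.g. after sourcing this file from ~/.bashrc:
#   crypt notes.txt          # -> notes.txt.crypto, notes.txt removed
#   decrypt notes.txt.crypto # -> notes.txt
```

Sourcing the file rather than executing it makes crypt and decrypt available as shell functions, which is the Linux equivalent of the right-click entries built for Windows below.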

As practical as these solutions are for someone who is not afraid of the Linux command line, they are completely impractical for a Windows user.

Data encryption in Windows

So I searched for an equivalent under Windows. What I wanted was to have just two commands, one to encrypt and another to decrypt, in the context menu of each file in the Windows file explorer. If you install Gpg4win [https://www.gpg4win.org/], you get a “Sign and Encrypt” command that opens a graphical interface allowing you to sign and/or encrypt for the default user or for someone else. That is good, but in my opinion it is a window with too many choices. Decryption works very well: right-click a .pgp file and the file is decrypted. Downside: the .pgp file remains alongside the decrypted file.

It is almost perfect, but I wanted something even simpler. Just right-click Encrypt and, for .pgp files, right-click Decrypt, enter the passphrase, and that's it. Well, after a few (okay, a lot of) tries, it works.

To add an action to the right-click menu in the file explorer, you simply add entries with the registry editor, regedit. You will find plenty of tutorials on editing registry entries. Depending on your rights you may need to run regedit as administrator; the same keys created under HKEY_CURRENT_USER\Software\Classes\*\shell affect only your own account. So I added two elements to the Windows registry:

  • HKEY_CLASSES_ROOT\*\shell\Crypt for me
  • HKEY_CLASSES_ROOT\*\shell\Decrypt for me

In “Crypt for me”, I created a command sub-key whose (Default) value is: cmd /c gpg --output "%1.gpg" --encrypt --recipient "<mon.adresse@mondomaine.com>" "%1" && del "%1"

This command requires a little explanation. cmd starts a command interpreter (cmd.exe); /c means the interpreter closes once the command that follows has run. Then comes the gpg command (gpg.exe must be on the PATH, which is the case after a standard Gpg4win install). %1 is replaced by the name of the file that was right-clicked; the quotes keep names containing spaces intact. --recipient says whom to encrypt for, here myself: the e-mail address and the associated name are chosen when the key is created. Kleopatra, the graphical key manager that comes with Gpg4win, lets you generate a new key pair, choosing the encryption/signature algorithm, and then shows the list of available keys. --output names the encrypted file: the original name with .gpg appended. && introduces a second command, del, which deletes the original file; it runs only if the previous command exited without error, so a failed encryption never destroys the plaintext. Note that del does not wipe the plaintext from the disk, which is one more reason to have partition encryption underneath.

The crypt_for_me.reg file below can be used to create the command directly in the registry.


Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\Crypt for me]
[HKEY_CLASSES_ROOT\*\shell\Crypt for me\command]
@="cmd /c gpg --output \"%1.gpg\" --encrypt --recipient \"<mon.adresse@mondomaine.com>\" \"%1\" && del \"%1\""

And for Decrypt for me, likewise, a command sub-key whose (Default) value is: cmd /c gpg --use-embedded-filename "%1" && del "%1". gpg writes the plaintext to the file name recorded inside the .gpg file, which is the original name set by “Crypt for me”. The gpg manual flags --use-embedded-filename as a potentially dangerous option, because the embedded name is chosen by whoever created the file and can overwrite an existing file; it is fine for files you encrypted yourself, but for files received from others prefer an explicit --output. The && del then removes the .gpg file only if decryption succeeded, which is exactly what the standard menu entry did not do.


Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\Decrypt for me]
[HKEY_CLASSES_ROOT\*\shell\Decrypt for me\command]
@="cmd /c gpg --use-embedded-filename \"%1\" && del \"%1\""

Now you have an encryption solution for your Windows files and a simple step toward GDPR compliance. My next point is not to explain how to scale this across a business; we will come back to that by explaining how to manage keys across the organization.