Using GPG keys for decrypting and encrypting files

Here are some preliminary instructions for creating and using GPG keys with datasets available via the Language Bank of Finland.

GPG is short for GnuPG, The GNU Privacy Guard.

Why would you need encryption keys?

You may be asked for your public GPG key in the Language Bank Rights system when applying for access to a downloadable resource that includes confidential or sensitive data. This requirement only applies to specific datasets for which additional safeguards are needed. In order to complete your LBR application for such a resource, you need to know how to export your public key in ASCII format.

Please bear in mind that data encryption is only one of the mechanisms you can use for protecting confidential information. Encryption only helps during data transfer and storage. Before decrypting the data in order to use it for your research, you must make sure you have other safeguards in place. For larger projects with several participants who need secure access to the data, you might wish to consider using the SD platform at CSC, for example.

Naturally, you can also use GPG keys for sending and receiving encrypted email and other files, or for encrypting your own confidential data for safer storage and transfer.

We currently provide some instructions for command-line use only. There are also graphical user interfaces for managing your keys in Windows (e.g., Gpg4win) and OSX (e.g., GPGSuite).

Asymmetric cryptography

Each key consists of two parts:

  • a public key that other people use (you give it away)
  • a private key that only the owner uses (your secret)

The Language Bank uses your public key to encrypt a package for you. Only you can then decrypt the package.

Your keys are stored in a keyring, where the secret components are protected by a passphrase: a strong password of no fewer than 14 characters, for instance, mixing letters, numbers and some special characters.

  • You should know the passphrase that protects your secret keys.
  • Nobody else should know your passphrase.

If someone has access to your keyring files and is sufficiently determined, they can ”brute-force” your passphrase.

  • Keep your keyring files to yourself.
  • Use a non-trivial passphrase that is hard to brute-force.
  • Do not use the same passphrase for any other purpose.

Do not forget your passphrase! Without your passphrase, you cannot access your own private key. Without your private key, even you cannot decrypt the package!

How to export your public key

If you already have your own key pair and have given it the identifier ”Kaino Tutkia (esim.) <katutkia@example.fi>”, the following command creates a key file that can be uploaded to Language Bank Rights. For technical reasons the file extension must be .txt.

$ gpg --export --armour --output=katutkia_gpg.txt 'Tutkia (esim.)'

This command should not prompt for your passphrase. It exports only your public key, which is not a secret.

With the armour option, the file contains a block of printable ASCII characters that is safe to view but not very informative. If you are curious, the following command gives an informative (though naturally highly technical) synopsis of its contents.

$ gpg --list-packets katutkia_gpg.txt
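Before uploading the exported file, it is worth checking that it really contains only a public key: an accidental export of the secret key would hand your private key to whoever can read the upload. The following shell function is an added example, not part of the Language Bank's instructions; the file names and the armoured text it constructs are placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the Language Bank's instructions: sanity-check an
# exported key file before uploading it to Language Bank Rights. The file
# names and armoured contents constructed below are placeholders, not keys.

# check_public_keyfile FILE
# Returns 0 if FILE looks like an ASCII-armoured public key export with a .txt
# extension, 1 otherwise; the reason is printed on stderr.
check_public_keyfile() {
    f="$1"
    case "$f" in
        *.txt) ;;
        *) echo "reject: $f does not end in .txt" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "reject: cannot read $f" >&2; return 1; }
    # A secret-key export (gpg --export-secret-keys) must never be uploaded.
    if grep -q 'PRIVATE KEY BLOCK' "$f"; then
        echo "reject: $f contains a private key block" >&2
        return 1
    fi
    # Exactly one armour header and one armour footer for a public key.
    begins=$(grep -c -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" || true)
    ends=$(grep -c -- '-----END PGP PUBLIC KEY BLOCK-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "reject: expected one public key block in $f, found $begins header(s), $ends footer(s)" >&2
        return 1
    fi
    # Armoured output is printable ASCII; anything else means the file is
    # binary (exported without --armour) or was damaged in transit.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "reject: $f contains non-printable bytes (exported without --armour?)" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
    'mQENBPlaceholderConstructedNotARealKey' '=AbCd' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/katutkia_gpg.txt"
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' \
    'lQPlaceholderConstructedNotARealKey' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$demo_dir/secret_gpg.txt"
for f in "$demo_dir/katutkia_gpg.txt" "$demo_dir/secret_gpg.txt"; do
    if check_public_keyfile "$f"; then
        echo "ok: $f is safe to upload"
    fi
done
rm -rf "$demo_dir"
```

Run it on the file you are about to upload with `check_public_keyfile katutkia_gpg.txt`. The check is deliberately conservative: a file that fails it is not necessarily broken, but it is not the single armoured public key block the upload form expects.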

How to create your key

If you are not already using gpg (GnuPG), but are otherwise using the command line environment and have gpg installed, you can start by creating a key. If you wish, you can create more than one key. Be prepared to provide a passphrase that protects your secrets.

$ gpg --quick-generate-key 'Kaino Tutkia (esim.) <katutkia@example.fi>'

It is a useful convention to include your email address between the ”angle brackets” and other identifying information before them. In case you are going to use this key in order to ask the Language Bank to encrypt a research dataset that is to be accessed by you, you should include your official email address at your home institution.

The command prompts for a passphrase to protect the secret components of the new key. Be prepared for this.

The command uses a default key algorithm. This may be a long RSA key such as rsa3072, or a newer and stronger algorithm. You can provide a further argument to select a different key algorithm.

The command creates certain default key components, notably an encryption subkey; its public part is what the Language Bank uses to encrypt a package for you, and it is the public key meant in this discussion. A further argument can be used to specify a different set of components, and components can also be added afterwards.

The key generation process needs unpredictable input (entropy) from your computer. If enough is not already available, you may need to move your mouse pointer around for a little while.

Key management

You can use the following command to see that your key really is in your keyring. This command does not list any secret components and will not prompt for your passphrase.

$ gpg --list-keys

The listing may contain other keys if this is not the only key in your keyring. You may have in your keyring other keys that you own, and you may import public keys of other people.

To only see your specific key, provide some text that matches your identifier but not any other key in your keyring.

$ gpg --list-keys '(esim.)'

You can also provide the fingerprint of the specific key, as shown in the listing.

How to decrypt the file that was encrypted with your public key

$ gpg --decrypt --output=paketti.zip paketti.zip.gpg
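The following script is an added example, not part of the Language Bank's instructions. It rehearses the whole sequence described under "How to create your key", "Key management" and this section (create a key, check that it is listed, export the public key, receive a package encrypted with it, decrypt it) inside two throwaway keyrings, so nothing touches your real keyring and the interactive passphrase prompt is replaced by a passphrase file. The user ID, the passphrase and the sample package are constructed for the demonstration, and the "sender" keyring stands in for the Language Bank. It assumes GnuPG 2.1 or later with gpgconf available.

```shell
#!/bin/sh
# Added example, not part of the Language Bank's instructions: rehearse the
# key lifecycle from the page in throwaway keyrings. The user ID, passphrase
# and sample package are constructed for the demonstration. Needs GnuPG 2.1+.

# roundtrip_steps USERHOME SENDERHOME
# Runs in a subshell so the umask change and environment stay local. Exits 0
# when the decrypted package is byte-for-byte identical to the original.
roundtrip_steps() (
    user="$1"; sender="$2"
    uid='Testi Tutkija (demo) <testi@example.invalid>'
    umask 077

    # The demo passphrase goes in a 0600 file inside the throwaway home, never
    # on the command line, where other users could read it from the process list.
    printf '%s\n' 'demo-only passphrase, 27 chars!' > "$user/pass"

    # 1. Create the key (page: gpg --quick-generate-key). --batch and the
    #    loopback pinentry stand in for the interactive passphrase prompt.
    GNUPGHOME="$user" gpg --batch --pinentry-mode loopback \
        --passphrase-file "$user/pass" --quick-generate-key "$uid" || exit 1

    # 2. Confirm it is in the keyring without touching secret components
    #    (page: gpg --list-keys); --with-colons is the machine-readable form.
    GNUPGHOME="$user" gpg --batch --with-colons --list-keys '(demo)' \
        | grep -q '^pub:' || exit 1

    # 3. Export the public key in ASCII armour with the .txt extension that
    #    Language Bank Rights requires (page: gpg --export --armour).
    GNUPGHOME="$user" gpg --batch --export --armour \
        --output "$user/testi_gpg.txt" '(demo)' || exit 1
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$user/testi_gpg.txt" || exit 1

    # 4. Sender side: import that public key and encrypt a package with it.
    #    --trust-model always is needed because the sender keyring has nothing
    #    to certify the key with; a real sender confirms the fingerprint with
    #    the recipient out of band instead of trusting blindly.
    printf 'constructed research data\n' > "$sender/paketti.zip"
    GNUPGHOME="$sender" gpg --batch --import "$user/testi_gpg.txt" || exit 1
    GNUPGHOME="$sender" gpg --batch --trust-model always --encrypt \
        --recipient "$uid" --output "$sender/paketti.zip.gpg" \
        "$sender/paketti.zip" || exit 1

    # 5. Your side: decrypt with the private key (page: gpg --decrypt).
    GNUPGHOME="$user" gpg --batch --pinentry-mode loopback \
        --passphrase-file "$user/pass" --decrypt \
        --output "$user/paketti.zip" "$sender/paketti.zip.gpg" || exit 1

    cmp -s "$sender/paketti.zip" "$user/paketti.zip"
)

# gpg_roundtrip: creates the two throwaway homes, runs the steps, and always
# stops the agents and removes the homes afterwards. Returns the steps' status.
gpg_roundtrip() {
    user=$(mktemp -d) || return 1
    sender=$(mktemp -d) || return 1
    roundtrip_steps "$user" "$sender"; status=$?
    GNUPGHOME="$user" gpgconf --kill gpg-agent >/dev/null 2>&1
    GNUPGHOME="$sender" gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$user" "$sender"
    return $status
}

if command -v gpg >/dev/null 2>&1; then
    if gpg_roundtrip; then echo "round trip ok"; else echo "round trip failed" >&2; fi
else
    echo "gpg is not installed; install GnuPG to run this rehearsal" >&2
fi
```

Because every gpg call sets GNUPGHOME explicitly, the script can be run on the same machine as your real keyring without listing, exporting or modifying any of your own keys. Note that the exported file in step 3 is the only thing that crosses from the "user" home to the "sender" home, which mirrors the real flow: the Language Bank only ever sees your public key.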

This page has a persistent identifier: http://urn.fi/urn:nbn:fi:lb-2023052321