
I need to automatically fetch the GPG private key from a Linux server to decrypt files on a Windows 10 computer in production.

There are a few challenges here:

  1. How to ensure, for the SCP from the Windows 10 machine to the Linux server, that not everybody who operates on the machine can perform this task?
  2. Where to store the private key to decrypt the material? I don't want the private key to be stolen by anybody. I thought about a script which fetches the key, imports it into a temporary GPG keystore, decrypts the material and then securely deletes the keystore. But that is far from secure, as everybody who has a bit of knowledge of batch scripting can fetch the key anyway (see point 1).

Does anybody have an idea for a secure design to handle this?

Ferit

2 Answers

You could send the encrypted file to the Linux server, have it decrypt the file and return the cleartext.

This would work like an HSM: the key never leaves the server, and cryptographic operations (encrypt, decrypt, or sign) are executed inside it.

As Aayush said, it's possible to use curl on Windows to send the file to Linux, have a service on Linux decrypt the file using its own private key, and send it back to Windows. There are countless frameworks and languages to do so, and there are lots of ways to ask for authentication and authorization.

The challenge changes a bit now. Instead of caring about the private key not being leaked, you have to protect this service from unauthorized access. Linux can use your Active Directory infrastructure to authenticate the user, and the decryption service can use that information.

ThoriumBR
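The HSM-style design described in this answer, as an added example that is not part of the original answer or of any tool the answer names: a small Go decryption service that keeps the RSA private key in-process, accepts ciphertext over HTTP from an authenticated caller and returns only the plaintext. Go is used because its standard library covers both the crypto and the HTTP side without dependencies. The function names, the bearer-token allowlist (a stand-in for the Active Directory authentication the answer mentions), the local test listener and the sample plaintext are assumptions made for the example; a real deployment would bind the service behind TLS and use GPG or hybrid encryption for file-sized data.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// encryptForService is what the Windows side would do before uploading: encrypt
// to the service's public key. RSA-OAEP with SHA-256 and a 2048-bit key holds at
// most 190 bytes; a real deployment would wrap a per-file AES key this way and
// encrypt the file body with that key (hybrid encryption), which is left out here.
func encryptForService(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// newDecryptService returns the Linux-side handler. The private key lives only
// inside this process; callers get plaintext back, never the key. The bearer-token
// allowlist (user name -> token) is an assumed stand-in for AD/Kerberos auth.
func newDecryptService(priv *rsa.PrivateKey, allowed map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		// Identify the caller; compare in constant time so the check does not
		// leak how many token bytes matched.
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		user := ""
		for name, secret := range allowed {
			if subtle.ConstantTimeCompare([]byte(secret), []byte(token)) == 1 {
				user = name
			}
		}
		if user == "" {
			log.Printf("audit: decrypt denied for %s", r.RemoteAddr)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// Bound the upload so a caller cannot exhaust memory.
		blob, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
		if err != nil {
			// Do not echo the crypto error to the client: it would be a decryption oracle.
			log.Printf("audit: user=%s sent undecryptable data", user)
			http.Error(w, "bad ciphertext", http.StatusBadRequest)
			return
		}
		log.Printf("audit: user=%s decrypted %d bytes", user, len(plaintext))
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write(plaintext)
	})
}

// roundTrip plays the Windows client: POST the ciphertext with a token and return
// the status code and response body (the plaintext on success).
func roundTrip(baseURL, token string, blob []byte) (int, []byte, error) {
	req, err := http.NewRequest(http.MethodPost, baseURL+"/decrypt", bytes.NewReader(blob))
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, body, err
}

func main() {
	// Constructed demo: generate the service key in-process and serve on a local
	// test listener. In production the key is generated on the Linux box and the
	// service is bound behind TLS and AD authentication.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	srv := httptest.NewServer(newDecryptService(priv, map[string]string{"shift-lead": "constructed-token"}))
	defer srv.Close()
	blob, _ := encryptForService(&priv.PublicKey, []byte("constructed production recipe"))
	status, body, _ := roundTrip(srv.URL, "constructed-token", blob)
	fmt.Println(status, string(body)) // 200 constructed production recipe
	status, _, _ = roundTrip(srv.URL, "wrong-token", blob)
	fmt.Println(status) // 403
}
```

From the Windows side the same request is one curl call against the service, for example `curl -X POST --data-binary @file.enc -H "Authorization: Bearer <token>" https://linux-host/decrypt -o file.txt`, so the client never handles a private key at all; what it must protect is its credential, which is exactly the problem Active Directory already solves for you.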

Windows 10 also supports curl, so the following command can also be used:

    curl scp://example.com/file.zip -u user:password

If you create a scheduled task to fetch the key and place it in the Windows administrator profile, and another task that signs any file with that key, you should be secure.

Unless the users run mimikatz or other memory-dumping tools, or have local administrator access.

Aayush
  • I think I didn't understand your solution. The production client with Win 10 runs without admin rights, and the production shift supervisor will most likely operate on this PC. What does he do? Will he run the curl command and fetch the key? But then he can't put it into the admin account. Or does the admin fetch the key? But then how does the account of the shift leader get access to the secure directory without compromising the private key (e.g., sharing the key with somebody else)? Can you elaborate your answer a bit more in detail: who does what, in which directory, with which command? Thank you. – Ferit Apr 05 '20 at 15:03