Protecting Your Data in the Cloud: Using GnuPG for File Encryption on OS X

Storing files in the cloud is easy and very convenient, but it comes with inherent dangers. The biggest danger of storing data in the cloud is the fact that you cannot control the manner in which it is stored. This means that you have no control over the countermeasures employed to prevent unauthorized access to or modification of your data. While cloud storage companies may make claims about their security measures, there is no way for the average consumer to have a measure of absolute assurance that these security measures are in place. For this reason, it is important that you implement your own countermeasures for any sensitive data you choose to put in cloud storage.

When most people think of protecting data, they think of encrypting it. There are some easy and automated ways to encrypt data for storage in the cloud, but in this post I will be examining one method of encrypting individual files that is a little more manual but very effective and based on open standards. Specifically, the PGP standard will be used, as implemented in various GnuPG packages.

Encrypting Files on OS X Using GnuPG

  1. Go to the downloads section and follow the link to the Mac GPG binary release.
  2. Download and install the latest GPG Suite. For this post I downloaded the Yosemite Beta, so I apologize if any of the functionality is different for previous versions of OS X.
  3. Following the installation, open GPG Keychain Access. This is an easy GUI-based control panel for managing keys.
  4. Click "New" in the upper left corner of the window. In the resulting panel, fill in your name and email address. If you would like to encrypt email through the Mail app on OS X, make sure your email address in this panel exactly matches how the email address is setup in the Mail app settings, including case sensitivity. In "Advanced options," the default key type is fine but ensure that the key length is 2048 bits at minimum. 4096 bit keys are the strongest you can create, if you would like, and devices are now so powerful that this should not create any significant load.
  5. Once these options have been selected, click Generate Key. Enter a passphrase for the key. If you forget this passphrase, it cannot be retrieved and you will lose the ability to use the key.
  6. Now that a public/private key pair has been created, you can use this to encrypt and decrypt files. In order to encrypt a file on OS X, right-click on a file, go to Services, and click "OpenPGP: Encrypt File."
  7. In the "Choose Recipients" window, select the Secret Key you just created and make sure the "Add to Recipients" box is selected. Click OK and enter the passphrase for the key.
  8. The resulting encrypted file will have a ".gpg" extension. This file can then be uploaded to a cloud service for storage. The original unencrypted file will remain in the filesystem, so it is up to you whether or not you want to keep that file.
  9. The .gpg file can be unencrypted by right-clicking, going to Services, and clicking "OpenPGP: Decrypt File."

The key to using this method for encrypting files for cloud storage is ensuring that the file never exists in the cloud unencrypted. This is simple to do when only using the web client because you can just choose to upload and download the .GPG file. However, when using a local sync client, it is very easy to accidentally upload an unencrypted file to the cloud service because the files encrypt and decrypt in the same folder. Therefore, you must take some precautions when using this method with a local sync client. Make sure that only the encrypted version of the file ever exists in the sync folder. This will involve a good amount of copying and pasting, but it is necessary when using this method to encrypt sensitive data in cloud storage.