If you want to exchange files with us that require special protection, you can do this in two ways:
- as a download link or ticket attachment, encrypted with PGP / GPG
- via a sharing service of your choice, e.g. 1Password or another secure service.
The second option is particularly suitable for smaller files. If the files are larger and you want to share or send them via an otherwise untrusted channel, GPG encryption is suitable.
Encrypted files via PGP / GPG
Exchanging files (or emails) with PGP encryption is even more secure if you pay attention to a few points. It is important that you understand the basic principle of this ‘Public / Private Key’ process. PGP stands for ‘Pretty Good Privacy’ and was originally commercial encryption software. GPG or GnuPG stands for ‘GNU Privacy Guard’ and is the free implementation of the same process.
The basic idea is as follows: People can send encrypted information to each other without ever having to exchange a password or secret certificate.
- Your GPG identity is based on a key pair: a public key and a private key. You can give the public key to anyone at any time and make it available in public places. You must never pass on the private key, not even to colleagues or to us, and you should keep and secure it particularly well.
- To encrypt information (files, emails, etc.), you only need the recipient's public key. You do not need your own key pair for encryption. If you also want to sign the information (so that we can check that the information is really from you), you use your private key for this.
- Information is always encrypted specifically for one or more recipients - so there is no master password that you can send to someone so that they can decrypt the information. In order to decrypt information, the recipient needs the private key from the key pair for whose public key the information was encrypted.
A small digression: We at Flownative take security very seriously and have securely stored our private GPG keys (as well as those for SSH) in a so-called ‘security token’. The token we use is called ‘YubiKey’ and looks like a USB stick with a button. It contains a chip that can store private keys and never releases them to the computer, even when signing and decrypting. The YubiKey is also protected with a PIN. Similar to a SIM card for mobile phones, the YubiKey deletes all information if the PIN is entered incorrectly several times. Further information on this topic can be found at https://www.yubico.com/products/ or https://en.wikipedia.org/wiki/OpenPGP_card.
It is worth taking a moment to familiarise yourself with GPG. This tutorial provides a good start: https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages
Specifically: Encrypt files via GPG and send them to Flownative
Requirements:
- you have installed the GPG tools on your computer
- you have created your own key pair (please choose a key size of 4096 bits or better)
- you have the option of providing us with files via a public or password-protected server (web server, Google Drive, Dropbox, etc.)
First get the recipient's public key. This can be a personal key from someone in the Flownative team or our public key for ‘backoffice@flownative.com’. At the following links you will find public keys from our team, but you should use an additional channel (e.g. telephone) to make sure that these are really our keys.
- https://keybase.io/robertlemke/pgp_keys.asc (Robert)
- https://keybase.io/kdambekalns/pgp_keys.asc (Karsten)
- https://keybase.io/kitsunet/pgp_keys.asc (Christian)
Import the key of your choice with GPG. With the command line tool it works like this:
gpg --import pgp_keys.asc
You can then encrypt a file and sign it at the same time:
gpg --encrypt --sign --recipient robert@flownative.com --output Katzenbild.png.gpg Katzenbild.png
The encrypted file Katzenbild.png.gpg can then only be decrypted by Robert (not even by you).
You can also encrypt a file so that several recipients can decrypt it:
gpg --encrypt --sign --recipient robert@flownative.com --recipient karsten@flownative.com --output Katzenbild.png.gpg Katzenbild.png
You can upload the encrypted file to a server without any problems (Dropbox or similar are also no problem), because it is encrypted. Then send us a link with which we can access the file.
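The steps above run end to end, as an added example that is not Flownative's own tooling: two separate keyrings stand in for your computer and the recipient's, so you can see that only the listed recipient can decrypt the file (not even the sender) and that the recipient can verify your signature. It assumes GnuPG 2.x is installed; the identities (you@example.test, backoffice@example.test), the file content and the fingerprint comparison are constructed for the demo, the ‘default’ key algorithm is used for speed where you would pick 4096 bits, and --trust-model always stands in for the manual trust decision you make after checking the fingerprint over a second channel.

```shell
#!/bin/sh
# Added example (not Flownative's own tooling): a round trip with two separate
# keyrings, sender and recipient, to show what --encrypt --sign --recipient
# does and does not allow. Assumes GnuPG 2.x on PATH; identities, addresses
# and file content are constructed for the demo.
set -u

# Run gpg non-interactively against the keyring directory given as first argument.
g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of a user id in a keyring, taken from machine-readable output.
fpr_of() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

gpg_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo"; return 2; }
    w=$(mktemp -d) || return 1
    mkdir -m 700 "$w/sender" "$w/recipient" || return 1
    # Each side generates its own pair. 'default' keeps the demo fast; use rsa4096 for real keys.
    g "$w/sender" --quick-generate-key "You <you@example.test>" default default never || return 1
    g "$w/recipient" --quick-generate-key "Backoffice <backoffice@example.test>" default default never || return 1
    # Only public keys travel (the pgp_keys.asc step); private keys stay in their own keyring.
    g "$w/recipient" --export --armor backoffice@example.test >"$w/pgp_keys.asc" || return 1
    g "$w/sender" --import "$w/pgp_keys.asc" || return 1
    g "$w/sender" --export --armor you@example.test | g "$w/recipient" --import || return 1
    # The out-of-band check: the imported fingerprint must equal the one the key owner confirms.
    imported=$(fpr_of "$w/sender" backoffice@example.test)
    [ -n "$imported" ] && [ "$imported" = "$(fpr_of "$w/recipient" backoffice@example.test)" ] ||
        { echo "fingerprint mismatch: do not encrypt to this key"; return 1; }
    # Encrypt and sign for the recipient only. --trust-model always stands in for the trust
    # decision just made by hand; without it, batch mode refuses an unverified key.
    printf 'constructed cat picture\n' >"$w/Katzenbild.png"
    g "$w/sender" --trust-model always --encrypt --sign --recipient backoffice@example.test \
        --output "$w/Katzenbild.png.gpg" "$w/Katzenbild.png" || return 1
    # Not listed as a recipient, the sender cannot decrypt its own upload ("not even by you").
    if g "$w/sender" --decrypt "$w/Katzenbild.png.gpg" >/dev/null 2>&1; then
        echo "unexpected: sender could decrypt"; return 1
    fi
    # The recipient decrypts and, having imported the sender's public key, verifies the signature.
    status=$(g "$w/recipient" --status-fd 1 --decrypt --output "$w/decrypted.png" "$w/Katzenbild.png.gpg") || return 1
    cmp -s "$w/Katzenbild.png" "$w/decrypted.png" || { echo "content mismatch"; return 1; }
    case "$status" in *"[GNUPG:] GOODSIG "*) ;; *) echo "signature did not verify"; return 1 ;; esac
    for d in sender recipient; do GNUPGHOME="$w/$d" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$w"
    echo "round trip ok: only the recipient could decrypt, and the signature verified"
}
```

Source the file and call gpg_roundtrip_demo; it returns 0 on success, 1 on any failed check and 2 when gpg is not installed.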