How do I import an SSH Private key that has pass phrase - linux

I have generated a private key with a pass phrase using PuTTYgen on my Windows machine. I now need to import that private key to a Linux machine but am unsure how to go about using the private key that is pass phrase protected. On a Windows machine I would just open the private key with PuTTY Pageant, which will ask me for the pass phrase; what's the equivalent on Linux?
Beskee

I think that what you need is to copy the public part of the key: to achieve this you can just copy the corresponding file. You can also copy the private key (even if I think it makes no sense), you don't need the password to copy it, but you will need it to use it.

Related

How do i exclude a single secret from truffleHog scan in pipeline?

Eg.: I have a file mycode.py which contains 2 secrets
myfakesecret : "ANSAJHSAKDKDMKADKAMCKSMKSMCKSCC"
MyOriginalSecret: "H%&&^DBSHDBHBBBS%^&&&DSD2343"
I want to ignore myfakesecret but not MyOriginalSecret in truffleHog scan.
If I use --exclude_paths exclude-patterns.txt where exclude-patterns.txt contains mycode.py then truffle hog scan will ignore both secrets.
Can I specify a secret hash or name, or is there any other way to exclude a single secret rather than the complete file, so that the scan ignores a particular secret?

Ideally, your code does not include the sensitive secret at all.
That way, truffleHog scan has nothing to ignore/exclude.
mycode.py should read that secret from a file/source outside the repository, at runtime (when you are executing the program).
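One way mycode.py could do this, as an added example that is not part of the original answer. The `<NAME>_FILE` / `<NAME>` lookup convention, the `load_secret` helper and the secret name are assumptions made for illustration, and the permission check assumes a POSIX system.

```python
import os
import stat
from pathlib import Path


class SecretError(RuntimeError):
    """Raised when a secret is missing or stored unsafely."""


def inside_git_repo(path: Path) -> bool:
    """True if any ancestor directory of `path` contains a .git entry."""
    return any((parent / ".git").exists() for parent in path.resolve().parents)


def load_secret(name: str) -> str:
    """Return secret `name`, read at runtime from outside the repository.

    Lookup order (hypothetical convention for this example):
      1. <NAME>_FILE  path to a file that holds the secret
      2. <NAME>       the secret itself, in an environment variable
    """
    file_var = os.environ.get(f"{name}_FILE")
    if file_var:
        path = Path(file_var)
        # A secret file inside the work tree can still be committed by mistake.
        if inside_git_repo(path):
            raise SecretError(f"{path} is inside a git work tree; move it out")
        # Refuse files that group or other users can access.
        if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretError(f"{path} is open to group/others; chmod 600 it")
        return path.read_text().rstrip("\n")
    value = os.environ.get(name)
    if value:
        return value
    raise SecretError(f"set {name}_FILE or {name}; nothing is read from the repo")


if __name__ == "__main__":
    # In mycode.py this replaces the hard-coded MyOriginalSecret literal.
    print(len(load_secret("MY_ORIGINAL_SECRET")), "characters loaded")
```

With the literal gone from the file, the scanner has nothing to report for the real secret, and the fake one can stay or go without an exclude list.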

Verifying a signature with an explicitly given public key

Suppose you want to distribute a file foo along with its detached signature foo.sig and your public key public.key.
Suppose further you want to make signature verification as easy as possible, i.e. in the minimum number of steps: just one command. Ideally something like
gpg2 [magic option combo here involving foo, foo.sig, public.key]
I've read the gpg2 man page up and down a few times, but it seems the receiver needs to first import the public key to his key ring.
Is there a way to avoid importing the public key and specify it explicitly? I would like to avoid the receiver being spammed with a newly created $HOME/.gnupg directory and its contents.
Or am I trying something stupid from a security point of view?

Use gpgv instead, to which you can pass a keyring file (a single exported key also counts as a keyring). If no slash is contained in the keyring path, gpgv will search in the GnuPG home directory, so either pass an absolute path or at least include ./ to denote the current working directory if no slash would be involved otherwise:
# Create and sign file
echo foo >foo.txt
gpg --local-user a4ff2279 --sign foo.txt
# Create "keyring" / export key
gpg --export a4ff2279 >a4ff2279.gpg
# Verify using gpgv
gpgv --keyring ./a4ff2279.gpg foo.txt.gpg
Finally, the only difference between importing and not importing the key is how the key is verified. There is no verification through the web of trust, certifications and local trust if you don't import the key. If the only way to verify the key is "downloading it from a trusted source", not importing it is totally fine. If you just fetch file, signature and key from an untrusted web server without encrypted connection and certificate, the OpenPGP signature is degraded to a simple checksum to detect transmission errors, not attacks providing faked files, signatures and keys.
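A wrapper around the gpgv call for the detached-signature case from the question, as an added example that is not part of the original answer. It applies the `./` rule and additionally pins the signer's fingerprint, on the assumption that the receiver obtained that fingerprint over a trusted channel; the function names and the sample status lines in the test are constructed for illustration.

```python
import subprocess

# Status keywords after which the signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def keyring_arg(path):
    """gpgv resolves a slash-less keyring name inside the GnuPG home
    directory, so force such a name to mean the current directory."""
    return path if "/" in path else "./" + path


def valid_fingerprints(status):
    """Return the fingerprints named by VALIDSIG lines in gpgv's
    --status-fd output, or an empty set if any failure keyword appears."""
    found = set()
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURES:
            return set()
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # fields[2] is the signing key, the last field the primary key.
            found.update(f.upper() for f in (fields[2], fields[-1])
                         if len(f) >= 40)
    return found


def verify_detached(data, sig, keyring, expected_fpr):
    """True only if gpgv accepts sig over data AND the signer matches the
    fingerprint the receiver already trusts."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring_arg(keyring),
         sig, data],
        capture_output=True, text=True)
    wanted = expected_fpr.replace(" ", "").upper()
    return proc.returncode == 0 and wanted in valid_fingerprints(proc.stdout)


if __name__ == "__main__":
    # File names from the question; the fingerprint is a placeholder.
    ok = verify_detached("foo", "foo.sig", "public.key", "<EXPECTED FINGERPRINT>")
    print("signature OK" if ok else "verification FAILED")
```

Without the fingerprint check, a key file fetched from the same untrusted place as the data would verify whatever that place serves, which is the checksum-only case the answer describes.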

How to get changed line numbers of a perforce change list from C#/P4.net code

I am working on a perforce client plug-in and need help to get the changed line numbers. I have been able to get the change list and all the files are available locally.
Since it is a custom convenience tool, I can't ask for passwords for this operation.
I tried the approach to run P4Command with "Diff" command but it fails with exception "P4Command requires a P4Server". Creating a P4Server object needs user password. I was using following constructor.
public P4Command(
Repository repository,
string command,
bool taggedOutput,
params string[] arguments
)
Is there any other approach available to solve this problem? Thanks!

public and private key files (.pkr,.skr)

I am new to PGP and want to implement encryption/decryption for one requirement. I googled it and decided to use the Bouncy Castle algo. But when I tried to understand it, I got confused about how I will get the .pkr and .skr files. I just downloaded the required jars and program, and when I tried to run it, it showed me file not found. I was not aware, so I created the .pkr and .skr files by myself (converting from .txt), but I think they should be in some format and should be generated by some mechanism. Can someone explain this to me? How can I proceed?

If you have PGP Desktop installed on the same Windows computer as the PGP Command Line, and you installed PGP Desktop to the default directory, then PGP Command Line will automatically locate and use your existing keyrings. If you are not using PGP Keyrings from a PGP Desktop product, you will need to create blank keyring files. To do so open a command prompt and type the following command:
pgp --create-keyrings
This will create a pubring.pkr (public keyring) and secring.skr (private keyring) file in the default keyring location. For Windows this is in the My Documents>PGP folder. This article will use [ ] to identify information that you will need to enter that is specific to your individual keys.
After that, you will need to create a key pair. To create a key pair using PGP Command Line follow these steps:
On the command line, enter:
pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase]
NOTE: Any information that contains spaces must be contained inside quotation marks.
Example: The following example will show you how to create a 2048 Bit RSA key for Joe User, an employee of ACME Corp, with the passphrase "my passphrase".
pgp --gen-key "Joe User" --key-type RSA --bits 2048 --passphrase "my passphrase"
PGP Command line will now generate your keypair. You should see your Key ID (i.e. 0X12345678), and a message that the key was successfully generated.
NOTE: To display your new keypair enter the following command:
pgp --list-keys
This will display all the keys that are found on your keyring.
After the key pair is generated and identified, it is important to export the public portion (public key) of the key pair so others can import your public key and encrypt to you. NOTES: Once you have exported your public key to a file, it is easy to distribute. You can attach it to an email, paste the public key block text into the body of an email message (open with Notepad), or copy to a CD, for example. To export your public key you will need to have information about the key in order to identify it, which will be referred to in this document as (input). You can use the key ID (i.e. 0x12345678), user ID (i.e. "Joe User"), or a portion of the user ID, (i.e. Joe). To export the key, do the following:
pgp --export (input)
PGP Command Line responds by exporting keys as ASCII armor (.asc) files into the directory currently active on the command line.
The following examples will show you how to export your public key using your key ID and user ID.
pgp --export 0x12345678
pgp --export "Joe User"
You may import a public key from an ASCII Armor file (.asc) or from a text file, the process is the same for both. The file containing the key(s) to be imported must be in the current directory. As with exporting a key, this will be referred to as (input) in the examples. Both public and private keys will be imported if they exist in the file. If a key being imported already exists in the local keyring, the keys are merged. Import Key From File:
pgp --import (input)
PGP Command Line responds as follows: Joe User.asc:import key {0:key imported as 0x12345678 Joe User}
The following examples will show you how to import a key from an ASCII Armor file (.asc) and from a text file containing the PGP key block.
pgp --import "Joe User.asc"
pgp --import "PGP Joe.txt"

Those files are public and private (secret in OpenPGP terminology) keyrings respectively. They contain collections of public and private keys. You usually generate a keypair (a pair of public and private key) or several keypairs for your own use, and other people do the same. Then they can give you their public keys and you create a public keyring from those keys. The public keyring is then used to encrypt data for recipients or to verify other people's data signatures.
Private keyring is composed from your private keys which you generate. You use private keyring for signing your data, and you can give corresponding public keys to other people so that they could encrypt data for you (which you then decrypt using your private keys).
I believe BouncyCastle has key generation functions, or you can use GnuPG application or PGP Desktop to generate keys.
You can check the examples for OpenPGP key generation that ship with the BouncyCastle library.
They are located at:
[bouncy castle sources]\src\org\bouncycastle\openpgp\examples\RSAKeyPairGenerator.java
[bouncy castle sources]\src\org\bouncycastle\openpgp\examples\DSAElGamalKeyRingGenerator.java
Example code that uses the keys can be found at:
[bouncy castle sources]\src\org\bouncycastle\openpgp\examples\KeyBasedFileProcessor.java

Easiest way to decrypt PGP-encrypted files from VBA (MS Access)

I need to write code that picks up PGP-encrypted files from an FTP location and processes them. The files will be encrypted with my public key (not that I have one yet). Obviously, I need a PGP library that I can use from within Microsoft Access. Can you recommend one that is easy to use?
I'm looking for something that doesn't require a huge amount of PKI knowledge. Ideally, something that will easily generate the one-off private/public key pair, and then have a simple routine for decryption.
A command line solution is good. If your database is an internal application, not to be redistributed, I can recommend Gnu Privacy Guard. This command-line based tool will allow you to do anything that you need to with regard to the OpenPGP standard.
Within Access, you can use the Shell() command in a Macro like this:
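Public Sub DecryptFile(ByVal FileName As String)
    Dim strCommand As String
    ' Quote the executable path (it contains a space) and the file name,
    ' and keep a space between the passphrase and the file name.
    strCommand = """C:\Program Files\GNU\GnuPG\gpg.exe"" " _
        & "--batch --passphrase ""My PassPhrase that I used"" " _
        & """" & FileName & """"
    ' Shell starts gpg in a normal window and returns immediately.
    Shell strCommand, vbNormalFocus
End Sub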
This will run the command-line tool to decrypt the file. This syntax uses a plaintext version of your secret passphrase. This is not the most secure solution, but is acceptable if your database is internal and only used by trusted personnel. GnuPG supports other techniques to secure the passphrase.
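One of those other techniques is to hand gpg the passphrase on standard input, so it never appears in the process's command line. The sketch below is an added example, not part of the original answer, written in Python rather than VBA; it assumes GnuPG 2.1 or later, and the function names are hypothetical.

```python
import subprocess


def gpg_decrypt_argv(src, dst, gpg="gpg"):
    """Build the gpg command line; the passphrase is deliberately absent.

    Assumes GnuPG 2.1 or later, where --pinentry-mode loopback lets
    --passphrase-fd work in batch mode.
    """
    return [
        gpg, "--batch", "--yes",
        "--pinentry-mode", "loopback",
        "--passphrase-fd", "0",      # read the passphrase from stdin
        "--output", dst,
        "--decrypt", "--", src,      # "--" stops src being read as an option
    ]


def decrypt_file(src, dst, passphrase, run=subprocess.run):
    """Decrypt src to dst, feeding the passphrase over stdin.

    An argv list is used (no shell), so spaces or quotes in the file
    name need no escaping. `run` is injectable so the call can be
    exercised without gpg installed.
    """
    proc = run(gpg_decrypt_argv(src, dst), input=passphrase + "\n",
               text=True, capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + (proc.stderr or "").strip())
    return dst
```

From VBA the same idea applies with the Exec method of WScript.Shell, whose StdIn stream can receive the passphrase instead of the command string.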
PGP has a commandline option for decrypting files.
We have a batchfile that does the decryption, passing in the filename to be decrypted:
Batch file:
"C:\Program Files\Network Associates\PGPNT\pgp" +FORCE %1 -z *password*
We then call that from a VBS:
Command = "decrypt.bat """ & FolderName & FileName & """"
'Executes the command script.
Set objShell = WScript.CreateObject ("WSCript.shell")
Command = "cmd /c " & Command
objShell.run Command, 1, True
Hope that points you in a useful direction.
You can use OpenPGPBlackbox (ActiveX edition) for this.
Stu... I once had to write a "Secure SMTP" server in Java... The easiest, and quickest way to do this is to download and/or purchase PGP. They have an SDK that you can use to access in anything you want.
I'd have to go back and see if I had to write a COM wrapper, or if they already had one. (I wrote this SMTP server about 10 years ago). Anyways, don't get discouraged. About 5 years ago, I wrote an entire PGP based application (based on the openPGP RFC) in C++, but the catch was, I was NOT allowed to use any existing libraries. So I had to write all that stuff myself. And, I used GPG, OpenPGP, and PGP for testing, etc....
So, I could even provide help for you on how to decode this stuff in VBA. It's not impossible (it may be slow as hell, but not impossible), and I'm NOT one to "shell out and run cmdline stuff" to do work like this for you, as it will open you up to some SERIOUS security risks (hurcane's suggestion, for example, will cause your passphrase to be displayed to tools like ProcExp). The first step is learning how PKE works, etc. Then, the steps you need to do to get what you want.
This is something I'd be interested in helping with since I'm always one to write code that everyone says can't be done. :) Plus, I own the source code of the app I wrote, because of mergers, closures, etc...
It was originally written for the Oil and Gas industry, so I know it's secure. That's not to say I don't have ANY security flaws in the code, but I think it's stable. I know I have an issue with my Chinese Remainder Theory code.. For some reason when I use that short-cut, I can't decode the data correctly, but if I use the RSA "long way" it works...
Now, this application was never fully finished, so I don't support things like DSA Key-pairs, but I do support RSA key pairs, with SHA1, MD5, using IDEA, AES, (I THINK my 3DES code does not work correctly, but I may have fixed that since). I didn't implement compression yet, etc... But, I'd love a reason to go back and work on this code again.
I /COULD/ make you a COM object that you could call from VBA passing the original Base64 data in, along with the Base64 key data, (or a pointer to a key file on disk), and a passphrase to decode files....
Think about it... Let me know..
Over the years, I have collected vbScript code for doing things like MD5, SHA1, IDEA, and other crypto routines, but I didn't write them. Hell, you could probably just interface with Microsoft's CryptoAPI, and break each action down to its core parts and still get it to work. (You will not find a Microsoft CryptoAPI call like "DecryptPGP()"... It'd all have to be done in chunks).
Lemme know if I can help.
I would look for a command line encrypter / decrypter and just call the exe from within your Access application, with the right parameters.
There is no PGP encrypter / decrypter in VBA that I know of.
I am not familiar with VBA for Access, but I think that the best solution (perhaps the easiest) would be to run an external command-line PGP utility.
There is a DLL you can call directly from your VBA application without having to spawn an external program: CryptoCX. PGP also has a DLL you can call.
