ThornTechPublic/PGPDecryptionLambda
PGP Decryption Lambda

What is PGP Lambda

PGP Lambda is an automated post-processing decryption step for PGP-encrypted files that are uploaded to a source cloud storage location in AWS, Azure, or GCP (WIP).

How it works

When a file is uploaded to the source cloud storage location, a storage event triggers the PGP lambda, which pulls in the file, decrypts it, and places the result into a "done" target cloud storage location.

Instructions for Use and Deployment

Requirements

Environment setup

  1. run pipenv install -r src/provider/requirements.txt
  2. run pipenv lock && pipenv sync

Updating python version

  1. Update python_version in the [requires] section of the Pipfile to "3.9"
  2. run pipenv install --python=python3.9

Updating dependencies

To unpin dependencies and allow them to be updated

  1. modify the dependency version in the Pipfile from ==x.x.x to >=x.x.x
  2. run pipenv update

To pin dependencies into a non-updatable state

  1. run pipenv run pip freeze > src/requirements.txt
  2. run pipenv install -r src/requirements.txt

Shared Module

All cloud providers use the src/main/res/ module and its contents for PGP decryption. Before deploying to any cloud provider, copy the contents of the res directory into the provider-specific res directory.

Runtime Environment Variables

LOG_LEVEL:
    Allowed Values: [ CRITICAL | ERROR | WARNING | INFO | DEBUG | NOTSET ]
    Description: "(Optional) Set the log level if desired."
    Default: INFO
    Type: String
PGP_PASSPHRASE:
    Type: String
    Description: "(Optional) Passphrase of the PGP private key, if it has one"
    Default: None
PGP_KEY_LOCATION:
    Type: String
    Description: "Cloud storage location where the PGP private key is stored"
PGP_KEY_NAME:
    Type: String
    Description: "Name of the PGP private key object"
DECRYPTED_DONE_LOCATION:
    Type: String
    Description: "Cloud storage location where files will land after lambda decryption"
ARCHIVE:
    Type: String
    Default: ""
    Description: "(Optional) Archive folder path. If supplied, files that have already been decrypted will be moved into the provided archive folder in the source storage location"
ERROR:
    Type: String
    Default: ""
    Description: "(Optional) Error folder path. If supplied, files that encounter an error while decrypting will be moved into the provided error folder in the source storage location"

GPG Basics

Keys

PGP uses a public/private key pair for encrypting and decrypting files.

To generate a new PGP key on Mac, use the following command:

gpg --gen-key

This starts an interactive generation script that asks you a number of questions.

To export a public key for use in the encryption process, use the command:

gpg --export -a username > public.key

Once a public key is sent to the sending user, they have to import that key into their GPG keyring.

To import a public key, use the command:

gpg --import public.key

An ASC file is an ASCII-armored key export: the key material encoded as plain ASCII text rather than binary.

To create the ASC file of the private key that the lambda uses in the decryption process, use the command:

gpg --export-secret-key -a username > private.asc

Encryption

The file will be encrypted by the sending user with the receiving user's public key.

To encrypt a file, use the command:

gpg -e -u "sender_username" -r "receiver_username" file_to_be_encrypted

Decryption

When the file arrives in the S3 bucket, a put event is triggered if the file has a .gpg or .pgp extension. The event fires the PGP lambda, which downloads a temporary copy of the file from the file bucket and the private key from the key bucket, decrypts the file, and moves the result to a ready folder inside of S3.
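The following is an added example, not the project's own code, that models the event-handling flow described in "How it works", the runtime variable contract from the "Runtime Environment Variables" table, and the extension filter described above. It validates the documented variables, ignores objects that do not end in .gpg or .pgp, writes the decrypted object to DECRYPTED_DONE_LOCATION, moves the ciphertext to the ARCHIVE folder on success and to the ERROR folder on failure. The names Settings, ObjectStore, route_object, toy_decrypt and demo are assumptions made for this illustration; the in-memory store stands in for S3/Blob/GCS and toy_decrypt is a constructed stand-in for gpg, not real cryptography, so the routing logic can be run offline.

```python
"""Event-driven routing for a PGP decryption function (added example).

Not the project's own code. Settings, ObjectStore, route_object, toy_decrypt
and demo are assumed names; the environment variable names are the README's.
"""
import logging
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LOG_LEVELS = ("CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG", "NOTSET")
ENCRYPTED_SUFFIXES = (".gpg", ".pgp")  # only these object names should be processed
log = logging.getLogger("pgp_lambda_example")


@dataclass(frozen=True)
class Settings:
    key_location: str
    key_name: str
    done_location: str
    passphrase: Optional[str]
    archive: str
    error: str
    log_level: str

    @classmethod
    def from_env(cls, env: Dict[str, str]) -> "Settings":
        """Validate the README's runtime variables; fail fast on a bad deployment."""
        required = ("PGP_KEY_LOCATION", "PGP_KEY_NAME", "DECRYPTED_DONE_LOCATION")
        missing = [name for name in required if not env.get(name)]
        if missing:
            raise ValueError("missing required environment variables: " + ", ".join(missing))
        level = env.get("LOG_LEVEL", "INFO").upper()
        if level not in LOG_LEVELS:
            raise ValueError(f"unsupported LOG_LEVEL: {level}")
        log.setLevel(level)
        return cls(
            key_location=env["PGP_KEY_LOCATION"],
            key_name=env["PGP_KEY_NAME"],
            done_location=env["DECRYPTED_DONE_LOCATION"],
            passphrase=env.get("PGP_PASSPHRASE") or None,
            archive=env.get("ARCHIVE", "").strip("/"),
            error=env.get("ERROR", "").strip("/"),
            log_level=level,
        )


class ObjectStore:
    """In-memory stand-in for a cloud object store, keyed by (location, name)."""

    def __init__(self) -> None:
        self.objects: Dict[Tuple[str, str], bytes] = {}

    def get(self, location: str, name: str) -> bytes:
        return self.objects[(location, name)]

    def put(self, location: str, name: str, data: bytes) -> None:
        self.objects[(location, name)] = data

    def move(self, src: Tuple[str, str], dst: Tuple[str, str]) -> None:
        self.objects[dst] = self.objects.pop(src)


def toy_decrypt(ciphertext: bytes, private_key: bytes, passphrase: Optional[str]) -> bytes:
    """Constructed stand-in for gpg decryption (NOT real cryptography).

    It models only the contract the routing code relies on: a key that does not
    match the ciphertext raises, otherwise the plaintext is returned.
    """
    header, _, body = ciphertext.partition(b"\n")
    if header != b"TOY-PGP:" + private_key:
        raise ValueError("ciphertext was not encrypted for this private key")
    return body


def route_object(store: ObjectStore, cfg: Settings, source: str, name: str,
                 decrypt: Callable[[bytes, bytes, Optional[str]], bytes] = toy_decrypt) -> str:
    """Handle one upload event; return which path the object took."""
    if not name.lower().endswith(ENCRYPTED_SUFFIXES):
        log.info("ignoring %s: not a .gpg/.pgp object", name)
        return "ignored"
    try:
        private_key = store.get(cfg.key_location, cfg.key_name)
        plaintext = decrypt(store.get(source, name), private_key, cfg.passphrase)
        done_name = name.rsplit(".", 1)[0]  # report.csv.gpg -> report.csv
        store.put(cfg.done_location, done_name, plaintext)
        if cfg.archive:  # keep the ciphertext, but out of the trigger path
            store.move((source, name), (source, f"{cfg.archive}/{name}"))
        return "decrypted"
    except Exception as exc:  # never drop the ciphertext; route it aside for triage
        log.error("failed to decrypt %s: %s", name, exc)
        if cfg.error and (source, name) in store.objects:
            store.move((source, name), (source, f"{cfg.error}/{name}"))
        return "error"


def demo() -> Tuple[Dict[str, str], ObjectStore]:
    """Run the three paths (decrypted, error, ignored) on constructed sample objects."""
    cfg = Settings.from_env({
        "PGP_KEY_LOCATION": "key-bucket", "PGP_KEY_NAME": "private.asc",
        "DECRYPTED_DONE_LOCATION": "done-bucket",
        "ARCHIVE": "archive", "ERROR": "error", "LOG_LEVEL": "WARNING",
    })
    store = ObjectStore()
    store.put("key-bucket", "private.asc", b"KEY-A")                       # constructed key
    store.put("in-bucket", "report.csv.gpg", b"TOY-PGP:KEY-A\nid,amount\n1,42\n")
    store.put("in-bucket", "other.pgp", b"TOY-PGP:KEY-B\nsecret\n")         # wrong recipient key
    store.put("in-bucket", "notes.txt", b"plain")                           # not encrypted
    names = ("report.csv.gpg", "other.pgp", "notes.txt")
    return {n: route_object(store, cfg, "in-bucket", n) for n in names}, store


if __name__ == "__main__":
    print(demo()[0])
```

The error path deliberately leaves the ciphertext in the source location (under the ERROR prefix) rather than deleting it, so a misconfigured key or passphrase can be diagnosed and the object reprocessed; the archive move keeps already-decrypted objects from re-triggering the function if the event filter is ever broadened.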

To manually decrypt a file, use the command:

gpg -d filename.extension.gpg