Skip to content

Encryption

In Evergiving, encryption is used to protect sensitive data during export. To ensure that only authorized users can access this information, we use GPG (GNU Privacy Guard) encryption. This guide explains the basics of encryption, how GPG works, and best practices for securely managing your encryption keys.

What is Encryption?

Encryption is the process of converting data into a format that cannot be read by anyone except the intended recipient. It ensures the security and confidentiality of sensitive information, such as donor data, by making it inaccessible to unauthorized parties.

Types of Encryption

There are two main types of encryption:

  1. Symmetric Encryption: A single key is used for both encryption and decryption.
  2. Asymmetric Encryption: Uses two keys—a public key to encrypt the data and a private key to decrypt it. Evergiving uses asymmetric encryption powered by GPG/PGP for securing data exports.

How Asymmetric Encryption Works

Let’s use a simple analogy to explain asymmetric encryption:

Imagine Alice wants to send a secure postcard to Bob, without anyone else reading it. Bob gives Alice a locked box (public key) and keeps the key (private key). Alice places her message in the box, locks it, and sends it. Only Bob, who has the private key, can unlock the box and read the message.

In the same way, when you export data from Evergiving, it’s encrypted with a public key. Only someone with the corresponding private key can decrypt and access the data.

GPG/PGP: Public and Private Keys

GPG (GNU Privacy Guard) and PGP (Pretty Good Privacy) are encryption systems that use this method of key pairs to secure data.

  • Public Key: Used to encrypt data and can be shared publicly.
  • Private Key: Used to decrypt data and must be kept secure and confidential.

Here’s an example of a public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTOOLS - http://gpgtools.org

mQENBE+OHyEBCACjQxzmm8+gqyOrD2qr1Xh6WirGv0heCz7rdUzU6SZ5uIPgU+vz
aRc+8D+WGdNzzaL6XW1heZsuR+5YWfKX6uzZtM3yTlPdvroWBTSR5FFvjRQLCHpk
0xIO8xWdLyjHICtGVVRa4GlKGSWT6BCUAyqu77k+mAxIKFSEgTiiaJG0r4Qb3027
G+4JpNcQGh0N1Keapvqbce5OMjLvbsmjLJ0v6qbkGJdAii06ae2NLiemFhmXCadA
wLh/oCtMLPxkyw91mj5Zok/+GjFQXlqe1TeeDw05m9NjVCkBAGgXn8WqRYYtiheb
s2cjtDHbE1RrISIuRXGY7qHhR5cWSFzji0Q7ABEBAAG0H0RhdmlkIEhpbGwgPGRy
aEBmaXJldGhvcm5lLmNvbT6JAUEEEwECACsCGy8FCQeGH4AGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheABQJSFES2AhkBAAoJEP2sJdebPgyX1oQH/iWjcC8sFvvRbk6r
5qZ5AJMtYeuCFFgt8fWKpIStgwbTTM5LKpomsb4HaNegsvp8AOcZuDZs333B3IBV
Bb89086HZ8ZzmmYUix/OFCBO5gf9SRFpvvQ/8dHqVp28jFzeq9VtiboCcLlww1z/
BEG5iDhFL87o7WBWhZQUghdvaFFDZggm3zx50ezUYi9oLA+w85DO/zrv/JA3Ftbs
Lt5omMu2bWR1aAQE+fTncRORxtJEDdreGfrrlm4z65rYKYnUHzqZhr1aBSyeJ6jF
6F0gMiYVHBcJLCTVYaSe1rYdK+/K6y1ZoKrulE9ETRaTex6A+NgAeviDm6ZOCyTY
1XzHxDG5AQ0ET44fIQEIAMl7jtwvmVrLa4ILLo8Iz4Fhq4MnHfexA5ZGe9/LiN/R
RGENzqcju/qecdsXmZQzdQUeth75jdBWWfOpTkNujvMSSvNXMB4nQWuCnzdVHcMZ
2DRIfJF2m9nAB3rAuIX+uAFUQRYAkiyXvaEEZ8QglX9D+Ig6koR7Q8E5pxBcLrn7
t/G64sERwNsp+u0wdmGoEJbFKAQ5CugziYVog+BUW7jvP+KOVBJXKxBPLBUAYIfW
UseskaM8TZrWdWZ3F27yXf4cWaRlC2Rq33ZRfj8LEV3RoJVSv+peH8PfcIH9p29U
afqa1lNYwL8slMNCHJ2S+2FhZdRxrDB3tZV1+PkTuKsAEQEAAYkCRAQYAQIADwUC
T44fIQIbLgUJB4YfgAEpCRD9rCXXmz4Ml8BdIAQZAQIABgUCT44fIQAKCRBdPPvR
SnGTbqbqCAC8ktSVt86Frttew2yfjqZt9NKCTtxyG8gihYxWIH48T/TS0eF6QKRn
RJMnYLAMM6ui2woijq88N6U6ojv3aZ/i9k21X5U8Xipol8/pSW5euI6MRXI8EO7m
G0ucxGMm3lCqnapzxozZqeqLqeUbJ4l+9WAwCawieZqUL1s42CDiMTNe3Y3n0rjL
bUWyFjTDA/H3BawjpjWllRqCezquXJ6TJTJmy1yplYVjj9KJI7AFoTZvF/iVVsGF
vAUo+pvS8bjnBjST3tmFJIsZi6CXxWKO01vp+ATq7IpqCWH1iUciVQuSwpPBheV5
5mT9BFiJiRSqFnWV38BpfR6Ji01noCnNxK0H/j44V+IbJ/ox1dU8Vfo10a3H5GHO
h3pnHgSFgjIQ0sOMluvNBHylhRZrwd2L4WMBI1zm6Jz4dqz0r3PPtm4+o5pyzSyb
HIyZoB5atNvo25BkAZYdtlG2xz6ial9cjmKdO6GXgqfwmIht7C9aKqz+ZnWs8qDY
AOCrLSt3UnAqFlUDz8gqhcw64nyt2+Jz3DWVszmvxDOI/xXHmWTKLOHE4SJITzs5
0BVGJh9yjlL2fokeg2Lm2M0yQ5+rv/2s62DQXizAlPRcvd2ynvwrz6292Utd871w
3+xUAutfb8PBluhShL5rumkIXIAPc99dzDI/iQK5e7owkr+iymKJIXrsjyE=
=D4St
-----END PGP PUBLIC KEY BLOCK-----

Anything encrypted with this public key can only be decrypted with the matching private key, making it highly secure.

Setting Up and Managing GPG Keys

To securely export and encrypt data, you need to generate a pair of GPG keys: a public key and a private key. The public key is shared with Evergiving to encrypt your data, while the private key is used by you to decrypt it.

Creating GPG Keys

To get started, you’ll need encryption software:

  • For Windows users: Download Gpg4win, which provides tools for managing GPG keys and encrypting/decrypting files.
  • For macOS users: Download GPG Suite, a user-friendly set of tools for encryption.

Once installed, follow the setting-up-encryption guide to generate your keys and configure them for file encryption.

Best Practices for Key Management

Key management is crucial to ensuring the security of your encrypted files. Follow these best practices:

1. Create a Strong Passphrase

When generating your private key, you’ll need a passphrase to secure it. This passphrase is like a password, and it’s your last line of defense if your private key is accessed by an unauthorized party. Make sure it’s:

  • A combination of letters, numbers, and special characters.
  • At least 7 characters long.
  • Not easily guessed or based on common words.

Since there is no "password reset" feature for GPG, choose a passphrase that’s both secure and memorable. If you lose the passphrase, you’ll need to create a new key pair.

2. Secure Key Storage

Store your private key in a secure location, such as an encrypted drive or vault. Ensure that only authorized personnel can access it. Consult your IT department for guidance on secure storage options.

3. Key Rotation and Lifespan

Your keys should have a defined lifespan, typically no longer than 2 years. After this period, generate new keys and update your encryption processes. Change keys immediately if someone with access leaves your organization or if there’s any suspicion of unauthorized access.

4. Distribute Keys Securely

Share your public key through secure channels and verify its authenticity using the key fingerprint. Never share your private key, as it must remain confidential.

Encrypting and Decrypting Files

Encrypting Files

Once your GPG keys are set up, follow these steps to encrypt a file:

  1. Open your GPG tool (Kleopatra for Windows, GPG Suite for macOS).
  2. Select the file you wish to encrypt.
  3. Choose your public key for encryption.
  4. The file will be encrypted, and you can safely send it to the intended recipient.

Decrypting Files

To decrypt an encrypted file:

  1. Open your GPG tool.
  2. Select the encrypted file.
  3. Enter your passphrase when prompted.
  4. The file will be decrypted, allowing you to access the contents.

GPG on Windows and macOS

Both Gpg4win (for Windows) and GPG Suite (for macOS) are robust tools for managing encryption keys and securely handling data. These tools allow you to:

  • Encrypt and decrypt files.
  • Sign messages to verify authenticity.
  • Manage GPG keys in a user-friendly interface.

For detailed instructions on setting up and using GPG on your platform, refer to the setting-up-encryption guide.

Importance of Secure Encryption

Using GPG encryption ensures that sensitive donor information remains secure throughout the export process. Only authorized users with the private key can access the data, minimizing the risk of unauthorized access or data breaches.

Encryption is a fundamental part of Evergiving’s commitment to data security, and by following these guidelines, you can ensure that your organization handles sensitive information responsibly.