Confidential data

Kyle Clemens edited this page Oct 21, 2019 · 3 revisions

paste has no method of encrypting data to keep it confidential. This is not the job of a pastebin. However, it may be useful to share confidential information, so this page will detail some methods to do so!

GPG

The most obvious answer is to use GPG.

Key-based (encrypt)

If you'd like to send confidential data through a paste, you can encrypt it using GPG.

# ASCII armour
echo This is my dirty secret | gpg --encrypt --armour --recipient joe@schm.oe

# base64
echo This is my dirty secret | gpg --encrypt --recipient joe@schm.oe | openssl base64 -A

This will create ASCII output which can be uploaded to paste. The server hosting paste is unable to decrypt the content without the recipient's private key. In fact, no one but those with access to the recipient's private key can decrypt such a message. Even binary files can be encrypted and uploaded this way.

Key-based (decrypt)

If you receive confidential data in a paste, you can decrypt it using GPG, assuming it was meant for you.

# ASCII armour
curl -sSf <raw file URL> | gpg --decrypt

# base64
curl -sSf <raw file URL> | openssl base64 -A -d | gpg --decrypt

Passphrase-based (encrypt)

You can use a passphrase with GPG (symmetric key encryption) to encrypt confidential data. Anyone with the passphrase can decrypt it.

# ASCII armour
echo This is my dirty secret | gpg --armour --symmetric

# base64
echo This is my dirty secret | gpg --symmetric | openssl base64 -A

GPG will prompt you for a passphrase.

Passphrase-based (decrypt)

This is exactly the same as key-based decryption, except that you will be prompted for the passphrase used during encryption, not your key's passphrase.

Automation

Using paste's API, automated tools can be made to deal exclusively with encrypted pastes, or existing paste tools can be used with data piped through GPG.
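
The following is an added example, not code from paste or from this wiki's author: a pair of shell functions that wrap the passphrase-based base64 commands above so they can run unattended in a pipe. The function names and the passphrase-file argument are hypothetical, and `--pinentry-mode loopback` assumes GnuPG 2.1 or later.

```shell
# Added example, not part of paste or its wiki. seal_paste, open_paste and the
# passphrase-file argument are hypothetical names chosen for this sketch.

# gpg flags for unattended use: no prompts, passphrase read from fd 3
# (first line of the file), so it never appears in argv or the environment.
_gpg_batch() {
    gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase-fd 3 "$@"
}

# seal_paste PASSFILE: plaintext on stdin -> one-line base64 ciphertext on stdout.
# gpg writes to a temp file first so a failed encryption never yields a
# truncated paste that an upload tool further down the pipe would publish.
seal_paste() {
    _sp_tmp=$(mktemp) || return 1
    if _gpg_batch --symmetric 3<"$1" >"$_sp_tmp"; then
        openssl base64 -A <"$_sp_tmp"; _sp_rc=$?
    else
        _sp_rc=1
    fi
    rm -f "$_sp_tmp"
    return "$_sp_rc"
}

# open_paste PASSFILE: base64 ciphertext on stdin -> plaintext on stdout.
# Output is released only when gpg exits 0, so a wrong passphrase or a
# modified paste produces no plaintext and a non-zero status.
# Note: the plaintext briefly sits in a mktemp file (mode 0600) on disk.
open_paste() {
    _op_tmp=$(mktemp) || return 1
    if openssl base64 -A -d | _gpg_batch --decrypt 3<"$1" >"$_op_tmp"; then
        cat "$_op_tmp"; _op_rc=$?
    else
        _op_rc=1
    fi
    rm -f "$_op_tmp"
    return "$_op_rc"
}
```

The output of `seal_paste` is what gets handed to an existing paste tool; `open_paste` takes the output of `curl -sSf <raw file URL>` on stdin.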