Secure escrow material
Encrypt the collected and archived escrow material with OpenPGP. We recommend GnuPG (The GNU Privacy Guard), a free implementation of the OpenPGP standard. Detailed instructions for securing escrow material with GnuPG are available for Windows, MacOS and command-line users:
Gpg4win
Gpg4win (GNU Privacy Guard for Windows) is encryption software for files and emails. Gpg4win and the software included with Gpg4win are free software (Open Source; among other things free of charge for all commercial and non-commercial purposes).
Installation
Download Gpg4win from https://gpg4win.org. Run and complete the downloaded installer - do not change the default settings.
Start Kleopatra from the Windows start menu. Click on Settings and then on Configure Kleopatra. In the OpenPGP Keyserver field enter: hkps://keys.openpgp.org. Click on OK.
Import public key
Method 1
Click on Lookup on Server...
Enter BDE242AF12DD560B and click on Search. Wait while Kleopatra searches for the public key. Select the public key and click on Import.
Method 2
Warning
Inadvisable!
Only use this method if Lookup on Server... does not work.
Download our public key: Escrow4all PGP Public Key.
Click on Import...
Browse to the Downloads folder and select the downloaded public key. Click on Open.
Verify fingerprint
Choose No.
Double click on the imported key and verify that the fingerprint matches: 1EB1 7579 5C05 B0C1 2033 8354 BDE2 42AF 12DD 560B. Close the Certificate Details window.
Prepare escrow material
Create an archive (e.g. source-code-my-application.zip) of all deposit material. Click on Sign/Encrypt.
Select the file to encrypt (e.g. source-code-my-application.zip) and click on Open.
Uncheck Sign as and enter Escrow4all in the Encrypt for others field. Choose the Escrow4all certificate and click on Encrypt.
Click on Continue.
Click on Finish.
The encrypted file with the extension .gpg is placed in the same location as the original unencrypted file. For reference and subsequent update deposits, Escrow4all strongly advises keeping a copy of the original unencrypted file.
GPG Suite
"GPG Suite" is a collection of software for encrypting and decrypting, signing and verifying files or emails for MacOS.
Installation
Warning
GPG Suite includes a one-month trial of GPG Mail. Click on Customise during the installation if you do not wish to install it. GPG Mail is not required to sign and encrypt files.
Download GPG Suite installer from https://gpgtools.org.
Open the installer GPG_Suite-2020.2.dmg and double click on Install.
Click on Continue.
Click on Agree to accept the software license agreement.
Click on Customise.
Uncheck GPG Mail 4 and GPG Mail 3 and click Install.
Enter your username and password and click on Install Software.
Wait for the installer to finish. Click on Close and then on Move to Trash to complete the installation.
Do not create a new key pair - click on Cancel.
Import public key
Once the GPG Suite installation is completed you can import the Escrow4all public key.
Start the GPG Keychain application and click on Lookup Key.
Enter BDE242AF12DD560B and click on Search.
Verify that the presented fingerprint matches 1EB1 7579 5C05 B0C1 2033 8354 BDE2 42AF 12DD 560B and click on Import Key.
Click on Ok to dismiss the notification.
Prepare escrow material
Create an archive (e.g. source-code-my-application.zip) of all deposit material.
Right-click (Control-click) on the file to encrypt and choose Services/OpenPGP: Encrypt File.
Click on Continue to dismiss the warning.
Select the key with fingerprint 1EB1 7579 5C05 B0C1 2033 8354 BDE2 42AF 12DD 560B and click on Encrypt.
Wait until GPG Services is done encrypting the file. For files over 1 GB the encryption process may take a few minutes to complete.
A notification will pop up when encryption is finished.
The encrypted file with the extension .gpg is placed in the same location as the original unencrypted file. For reference and subsequent update deposits, Escrow4all strongly advises keeping a copy of the original unencrypted file.
GnuPG
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications.
Installation
Windows
Download and install the latest version of GnuPG (https://gnupg.org/ftp/gcrypt/binary).
MacOS
Download GPG Suite from https://gpgtools.org. Open GPG_Suite-2020.2.dmg, click on Install and follow the instructions.
Warning
GPG Suite includes a one-month trial of GPG Mail. Change the installation options if you do not wish to install it. GPG Mail is not required to sign and encrypt files.
Linux
GnuPG is a core component of all mainstream Linux distributions.
On Debian and Ubuntu install GnuPG with APT. Curl should be installed to import public keys from key servers. Start a terminal session and enter:
sudo apt install gnupg
sudo apt install curl
Import public key
Import the Escrow4all public key from keys.openpgp.org. Start the Command Prompt or Terminal and enter:
gpg --keyserver keys.openpgp.org --recv-keys BDE242AF12DD560B
Note
Replace keys.openpgp.org with keyserver.ubuntu.com in case GnuPG returns an error:
gpg --keyserver keyserver.ubuntu.com --recv-keys BDE242AF12DD560B
In some cases, you may need to prefix the keyserver name with hkps://:
gpg --keyserver hkps://keys.openpgp.org --recv-keys BDE242AF12DD560B
To verify that the fingerprint matches 1EB1 7579 5C05 B0C1 2033 8354 BDE2 42AF 12DD 560B, enter:
gpg --fingerprint BDE242AF12DD560B
Prepare escrow material
Start the Command Prompt or Terminal and enter:
gpg --recipient BDE242AF12DD560B --encrypt-files archive.zip
Confirm that you want to use the key:
GnuPG creates a new file with the .gpg extension.
Note
Please note that GnuPG can encrypt single files only. To encrypt multiple files or directories create an archive first.
Script automation
For unattended execution change the trust level of the public key to ultimate.
Start the Command Prompt or Terminal application and enter:
echo 1EB175795C05B0C120338354BDE242AF12DD560B:6: | gpg --import-ownertrust
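A fail-closed version of the fingerprint check and the unattended encryption described above, as an added example that is not part of the original Escrow4all instructions. The function names, the script name and the sample key listings are assumptions constructed for illustration; only the fingerprint comes from this page.

```shell
#!/bin/sh
# Added example: fail-closed fingerprint check before an unattended deposit.
# The fingerprint is the one published on this page; all other names are illustrative.
EXPECTED_FPR="1EB175795C05B0C120338354BDE242AF12DD560B"

# Print the fingerprint of every primary key in `gpg --with-colons` output (stdin).
# A primary key is a "pub" record; the "fpr" record after it carries the
# fingerprint in field 10. Subkey fingerprints (after "sub") are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and it is the expected one.
fpr_matches() {
    found=$(primary_fprs)
    [ "$found" = "$EXPECTED_FPR" ]
}

# Hypothetical wrapper: verify the keyring entry, then encrypt without prompts.
# Assumes the ownertrust step from this page has already been run.
encrypt_deposit() {
    archive=$1
    gpg --batch --with-colons --fingerprint "$EXPECTED_FPR" 2>/dev/null | fpr_matches || {
        echo "Escrow4all key missing or fingerprint mismatch; not encrypting" >&2
        return 1
    }
    gpg --batch --yes --recipient "$EXPECTED_FPR" \
        --output "$archive.gpg" --encrypt "$archive"
}

# Constructed sample listings (not real gpg output), for checking the parser offline.
SAMPLE_GOOD='pub:u:4096:1:BDE242AF12DD560B:1577836800:::u:::scESC:
fpr:::::::::1EB175795C05B0C120338354BDE242AF12DD560B:
uid:u::::1577836800::0000000000000000000000000000000000000000::Constructed Example:
sub:u:4096:1:00000000000000AA:1577836800::::::e:
fpr:::::::::00000000000000000000000000000000000000AA:'
# Same 64-bit key ID, different full fingerprint: must be rejected.
SAMPLE_LOOKALIKE='pub:-:4096:1:BDE242AF12DD560B:1577836800:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAABDE242AF12DD560B:'

# Run as: sh deposit.sh archive.zip
if [ "$#" -eq 1 ]; then
    encrypt_deposit "$1"
fi
```

Passing the full fingerprint to --recipient instead of the 16-character key ID means the key that was verified is the key that is used for encryption.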