Using GPG keys for decrypting and encrypting files

Here are some preliminary instructions for creating and using GPG keys with datasets available via the Language Bank of Finland.

GPG is short for GnuPG, The GNU Privacy Guard.

Why would you need encryption keys?

You may be asked for your public GPG key in the Language Bank Rights system when applying for access to a downloadable resource that includes confidential or sensitive data. This requirement only applies to specific datasets for which additional safeguards are needed. In order to complete your LBR application for such a resource, you need to know how to export your public key in ASCII format.

Please bear in mind that data encryption is only one of the mechanisms you can use for protecting confidential information. Encryption only helps during data transfer and storage. Before decrypting the data in order to use it for your research, you must make sure you have other safeguards in place. For larger projects with several participants who need secure access to the data, you might wish to consider using the SD platform at CSC, for example.

Naturally, you can also use GPG keys for sending and receiving encrypted email and other files, or for encrypting your own confidential data for safer storage and transfer.

We currently provide some instructions for command-line use only. There are also graphical user interfaces for managing your keys in Windows (e.g., Gpg4win) and OSX (e.g., GPGSuite).

Asymmetric cryptography

Each key consists of two parts:

  • a public key that other people use (you give it away)
  • a private key that only the owner uses (your secret)

The Language Bank uses your public key to encrypt a package for you. Only you can then decrypt the package.

Your keys are stored in a keyring, where your secrets are protected by a passphrase: a strong password of no fewer than 14 characters that includes, for instance, letters, numbers and some special characters.

  • You should know the passphrase that protects your secret keys.
  • Nobody else should know your passphrase.

If someone has access to your keyring files and is sufficiently determined, they can ”brute-force” your passphrase. Therefore:

  • Keep your keyring files to yourself.
  • Use a non-trivial passphrase that is hard to ”brute-force”.
  • Do not use the same passphrase for any other purpose.

Do not forget your passphrase! Without your passphrase, you cannot access your own private key. Without your private key, even you cannot decrypt the package!

How to export your public key

Let’s assume that you already have your own key pair and you have assigned it the identifier ”Kaino Tutkija <ktutkija@example.fi>”. You need to share your public key with other people, so that they can encrypt files with it. Only you will then be able to decrypt the files.

Using a graphical application

In case you are using an application for managing your keys, e.g., GPGSuite or Gpg4win, you can export your own public key into a keyfile in just a few clicks in the app. Select your own key pair from the list of keys and choose the option to export your public key in ASCII format. You should end up with a raw text file starting with ”-----BEGIN PGP PUBLIC KEY BLOCK-----”, ending in ”-----END PGP PUBLIC KEY BLOCK-----”, and a number of rows in between, each of them including a string of characters.

Note that the name of the keyfile exported as ASCII text will usually have the extension .asc by default. However, in order to be able to attach your public keyfile in your application for access rights via the Language Bank of Finland, you need to rename the file so that the extension is .txt.

Using command line tools

In case you are working in the command line, the following command should create a keyfile, which can be uploaded to Language Bank Rights. For technical reasons, the file name extension needs to be .txt.

$ gpg --export --armour --output=ktutkija_gpg.txt 'Tutkija (esim.)'

This command should not prompt for your passphrase. It exports only your public key, which is not a secret.

With the armour option, the file contains a block of printable ASCII characters that is safe to view but not very informative. If you are curious, the following command gives an informative (though naturally highly technical) synopsis of its contents.

$ gpg --list-packets ktutkija_gpg.txt
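
A check that can be run on the exported file before attaching it to the application, added here as an example that is not part of the original instructions or of GnuPG: it confirms the .txt extension, the public-key armour markers, and that no private key block is present. The helper names check_keyfile and show_fingerprint and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example; check_keyfile and show_fingerprint are hypothetical helpers.

PUB_BEGIN='-----BEGIN PGP PUBLIC KEY BLOCK-----'
PUB_END='-----END PGP PUBLIC KEY BLOCK-----'
SEC_BEGIN='-----BEGIN PGP PRIVATE KEY BLOCK-----'

# Returns 0 if the file looks like an ASCII-armoured public key export,
# 1 for a wrong extension, 2 if it holds a private key, 3 if not armoured.
check_keyfile() {
    f=$1
    case $f in
        *.txt) ;;
        *) echo "rename to .txt before uploading: $f" >&2; return 1 ;;
    esac
    # A file made with --export-secret-keys must never leave your machine.
    if grep -qF -e "$SEC_BEGIN" "$f"; then
        echo "REFUSE: $f contains a private key block" >&2
        return 2
    fi
    # First and last non-empty lines must be the public-key markers.
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1 | tr -d '\r')
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1 | tr -d '\r')
    if [ "$first" != "$PUB_BEGIN" ] || [ "$last" != "$PUB_END" ]; then
        echo "not an ASCII-armoured public key: $f" >&2
        return 3
    fi
    return 0
}

# Prints the key's fingerprint without importing it, so you can compare it
# with the output of `gpg --list-keys`.
show_fingerprint() {
    gpg --show-keys --with-fingerprint "$1"
}

# Constructed sample files; the body line is a placeholder, not key data.
demo_dir=$(mktemp -d)
printf '%s\n' "$PUB_BEGIN" '' 'CONSTRUCTED-SAMPLE-BODY' "$PUB_END" \
    > "$demo_dir/ktutkija_gpg.txt"
cp "$demo_dir/ktutkija_gpg.txt" "$demo_dir/ktutkija_gpg.asc"
printf '%s\n' "$SEC_BEGIN" '' 'CONSTRUCTED-SAMPLE-BODY' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$demo_dir/secret.txt"
printf 'not a key\n' > "$demo_dir/notes.txt"

for name in ktutkija_gpg.txt ktutkija_gpg.asc secret.txt notes.txt; do
    if check_keyfile "$demo_dir/$name" 2>/dev/null; then
        echo "ok: $name"
    else
        echo "rejected: $name"
    fi
done
```

Only the first sample file passes; the others are rejected for the wrong extension, a private key block, and missing armour markers respectively.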

How to create your key

If you are not already using gpg (GnuPG), but are otherwise using the command line environment and have gpg installed, you can start by creating a key. If you wish, you can create more than one key. Be prepared to provide a passphrase that protects your secrets.

$ gpg --quick-generate-key 'Kaino Tutkija (esim.) <ktutkija@example.fi>'

It is a useful convention to include your email address between the ”angle brackets” and other identifying information before them. In case you are going to use this key in order to ask the Language Bank to encrypt a research dataset that is to be accessed by you, you should include your official email address at your home institution.

The command should prompt for your passphrase to protect the secret components of the new key. Be prepared for this.

The command should use a default encryption algorithm. This may be a longish RSA cipher like rsa3072, or some newer and stronger cipher. You can provide another argument to select another key algorithm.

The command should create certain default key components, notably an encryption key, which in this discussion is the public key. A further argument can be used to specify something else. Components can also be added afterwards.

The key generation process uses unpredictable input from your computer. If a sufficient amount is not already available, you may need to move your mouse pointer around for a little while.

Key management

You can use the following command to see that your key really is in your keyring. This command does not list any secret components and will not prompt for your passphrase.

$ gpg --list-keys

The listing may contain other keys if this is not the only key in your keyring. You may have in your keyring other keys that you own, and you may import public keys of other people.

To only see your specific key, provide some text that matches your identifier but not any other key in your keyring.

$ gpg --list-keys '(esim.)'

You can also provide the fingerprint of the specific key, as shown in the listing.

How to decrypt the file that was encrypted with your public key

$ gpg --decrypt --output=paketti.zip paketti.zip.gpg

 


This page has a persistent identifier: http://urn.fi/urn:nbn:fi:lb-2023052321
