Secure escrow material
Encrypt the collected and archived escrow material with OpenPGP. We recommend GnuPG (the GNU Privacy Guard), a free implementation of the OpenPGP standard. Detailed instructions for securing escrow material with GnuPG are available for Windows, macOS and command-line users:
Gpg4win
Gpg4win (GNU Privacy Guard for Windows) is encryption software for files and emails. Gpg4win and the software included with Gpg4win are free software (Open Source; among other things free of charge for all commercial and non-commercial purposes).
Installation
Download Gpg4win from https://gpg4win.org. Run and complete the downloaded installer - do not change the default settings.
Start Kleopatra from the Windows start menu. Click on Settings and then on Configure Kleopatra. In the OpenPGP Keyserver field enter: hkps://keys.openpgp.org. Click on OK.
Import public key
Method 1
Click on Lookup on Server...
Enter D1B2C31A65C9ACD0 and click on Search. Wait while Kleopatra searches for the public key. Select the public key and click on Import.
Method 2
Warning
Inadvisable!
Only use this method if Lookup on Server... does not work.
Download our public key: ESCROWSURE PGP Public Key.
Click on Import...
Browse to the Downloads folder and select the downloaded public key. Click on Open.
Verify fingerprint
Choose No.
Double click on the imported key and verify that the fingerprint matches: E097 6C6B E3FA 4FA2 127D 7353 D1B2 C31A 65C9 ACD0. Close the Certificate Details window.
Prepare escrow material
Create an archive (e.g. source-code-my-application.zip) of all deposit material. Click on Sign/Encrypt.
Select the file to encrypt (e.g. source-code-my-application.zip) and click on Open.
Uncheck Sign as and enter ESCROWSURE in the Encrypt for others field. Choose the ESCROWSURE certificate and click on Encrypt.
Click on Continue.
Click on Finish.
The encrypted file with the extension .gpg is placed in the same location as the original unencrypted file. For reference and subsequent update deposits, ESCROWSURE strongly advises keeping a copy of the original unencrypted file.
GPG Suite
"GPG Suite" is a collection of software for macOS for encrypting and decrypting, signing and verifying files or emails.
Installation
Warning
GPG Suite includes a one-month trial of GPG Mail. Click on Customise during the installation if you do not wish to install it. GPG Mail is not required to sign and encrypt files.
Download GPG Suite installer from https://gpgtools.org.
Open the installer GPG_Suite-2020.2.dmg and double click on Install.
Click on Continue.
Click on Agree to accept the software license agreement.
Click on Customise.
Uncheck GPG Mail 4 and GPG Mail 3 and click Install.
Enter your username and password and click on Install Software.
Wait for the installer to finish. Click on Close and then on Move to Trash to complete the installation.
Do not create a new key pair - click on Cancel.
Import public key
Once the GPG Suite installation is completed you can import the ESCROWSURE public key.
Start the GPG Keychain application and click on Lookup Key.
Enter D1B2C31A65C9ACD0 and click on Search.
Verify that the presented fingerprint matches E097 6C6B E3FA 4FA2 127D 7353 D1B2 C31A 65C9 ACD0 and click on Import Key.
Click on Ok to dismiss the notification.
Prepare escrow material
Create an archive (e.g. source-code-my-application.zip) of all deposit material.
Right-click (Control-click) on the file to encrypt and choose Services/OpenPGP: Encrypt File.
Click on Continue to dismiss the warning.
Select the key with fingerprint E097 6C6B E3FA 4FA2 127D 7353 D1B2 C31A 65C9 ACD0 and click on Encrypt.
Wait until GPG Services is done encrypting the file. For files over 1 GB the encryption process may take a few minutes to complete.
A notification will pop up when encryption is finished.
The encrypted file with the extension .gpg is placed in the same location as the original unencrypted file. For reference and subsequent update deposits, ESCROWSURE strongly advises keeping a copy of the original unencrypted file.
GnuPG
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command-line tool with features for easy integration with other applications.
Installation
Windows
Download and install the latest version of GnuPG (https://gnupg.org/ftp/gcrypt/binary).
macOS
Download GPG Suite from https://gpgtools.org. Open GPG_Suite-2020.2.dmg, click on Install and follow the instructions.
Warning
GPG Suite includes a one-month trial of GPG Mail. Change the installation options if you do not wish to install it. GPG Mail is not required to sign and encrypt files.
Linux
GnuPG is a core component of all mainstream Linux distributions.
On Debian and Ubuntu, install GnuPG with APT. curl should be installed to import public keys from key servers. Start a terminal session and enter:
sudo apt install gnupg
sudo apt install curl
Import public key
Import the ESCROWSURE public key from keys.openpgp.org. Start the Command Prompt or Terminal and enter:
gpg --keyserver keys.openpgp.org --recv-keys D1B2C31A65C9ACD0
Note
Replace keys.openpgp.org with keyserver.ubuntu.com if GnuPG returns an error:
gpg --keyserver keyserver.ubuntu.com --recv-keys D1B2C31A65C9ACD0
To verify that the fingerprint matches E097 6C6B E3FA 4FA2 127D 7353 D1B2 C31A 65C9 ACD0, enter:
gpg --fingerprint D1B2C31A65C9ACD0
Prepare escrow material
Start the Command Prompt or Terminal and enter:
gpg --recipient D1B2C31A65C9ACD0 --encrypt-files archive.zip
Confirm that you want to use the key:
GnuPG creates a new file with the .gpg extension.
Note
Please note that GnuPG can encrypt single files only. To encrypt multiple files or directories create an archive first.
Script automation
For unattended execution change the trust level of the public key to ultimate.
Start the Command Prompt or Terminal application and enter:
echo E0976C6BE3FA4FA2127D7353D1B2C31A65C9ACD0:6: | gpg --import-ownertrust
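For unattended runs on Linux or macOS, the fingerprint check and the encryption step above can be combined so that nothing is encrypted unless the imported key is the expected one. This is an added example, not ESCROWSURE's own script: the function names and the sample listing are constructed, and it uses `--trust-model always` on the single encrypt command instead of changing ownertrust in the keyring.

```shell
#!/bin/sh
# Key ID and fingerprint are the ones published on this page.
KEY_ID="D1B2C31A65C9ACD0"
EXPECTED_FPR="E097 6C6B E3FA 4FA2 127D 7353 D1B2 C31A 65C9 ACD0"

# Strip spaces and upper-case, so the printed form compares with gpg's machine form.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons` output on stdin; print the fingerprint of every
# primary key (field 10 of the fpr record that follows each pub record).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and it is the
# expected one; a second key sharing the 64-bit key ID makes the check fail.
fpr_ok() { [ "$(primary_fprs)" = "$(normalize_fpr "$EXPECTED_FPR")" ]; }

# Constructed listing for offline testing: only the key ID and the primary
# fingerprint come from the page, every other field is made up.
sample_listing() {
    cat <<EOF
tru::1:1700000000:0:3:1:5
pub:-:4096:1:$KEY_ID:1500000000:::-:::scESC::::::23::0:
fpr:::::::::$(normalize_fpr "$EXPECTED_FPR"):
uid:-::::1500000000::::Constructed User ID:
sub:-:4096:1:0000000000000001:1500000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

encrypt_for_escrow() {
    archive=$1
    gpg --batch --with-colons --fingerprint "$KEY_ID" | fpr_ok || {
        echo "fingerprint check failed for $KEY_ID, not encrypting" >&2
        return 1
    }
    # Encrypt to the full fingerprint; trust is overridden for this command only.
    gpg --batch --yes --trust-model always \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$archive.gpg" --encrypt "$archive"
}

# Run only when an archive path is given, e.g.: sh escrow-encrypt.sh archive.zip
if [ $# -gt 0 ]; then encrypt_for_escrow "$1"; fi
```

The script exits non-zero without writing a .gpg file when the key is missing from the keyring or the fingerprint differs.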