Encryption and Digital Signatures in R using GPG

[This article was first published on rOpenSci Blog - R, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

A new package gpg has appeared on CRAN. From the package description:

Bindings to GnuPG for working with OpenGPG (RFC4880) cryptographic methods. Includes utilities for public key encryption, creating and verifying digital signatures, and managing your local keyring. Note that some functionality depends on the version of GnuPG that is installed on the system. In particular GnuPG 2 mandates the use of 'gpg-agent' for entering passphrases, which only works if R runs in a terminal session.

The package features a beautiful vignette to get you started with using GPG in R. Some highlights from the vignette below.

Example: encryption

Suppose we want to send an email Glenn Greenwald containing top secret information. His homepage at the intercept shows Greenwalds GPG fingerprint. Let's import his public key:

glenn <- '734A3680A438DD45AF6F5B99A4A928C769CD6E44'

We can now encrypt messages for this key:

writeLines("This is a secret message", "secret.txt")
cat(gpg_encrypt("secret.txt", receiver = glenn))


You can safely send this message over any channel (email, twitter, etc). Nobody in the world (not even ourselves) will be able to decipher this message, except for Glenn Greenwald.

Example: digital signatures

GPG is most widely used for digital signatures. For example the Debian page on CRAN explains that the backports archives on CRAN are signed with the key of Johannes Ranke with key fingerprint 6212 B7B7 931C 4BB1 6280 BA13 06F9 0DE5 381B A480. Let’s import this key:

# take out the spaces
johannes <- gsub(" ", "", "6212 B7B7 931C 4BB1 6280  BA13 06F9 0DE5 381B A480")
considered   imported  unchanged 
         1          1          0  

We can now verify the Release file, which contains checksums for all files in the repository.

# Verify the file
curl_download('https://cran.r-project.org/bin/linux/debian/jessie-cran3/Release', 'Release')
curl_download('https://cran.r-project.org/bin/linux/debian/jessie-cran3/Release.gpg', 'Release.gpg')
gpg_verify('Release', 'Release.gpg')
                               fingerprint           timestamp hash pubkey success
1 6212B7B7931C4BB16280BA1306F90DE5381BA480 2016-06-22 09:26:03 SHA1    DSA    TRUE

Looking good! We can trust the checksums in the Release file to be legitimate.

Check out the package vignette for more examples!

To leave a comment for the author, please follow the link and comment on their blog: rOpenSci Blog - R.

R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)