Using GPG in embedded applications?

David Shaw dshaw at jabberwocky.com
Tue Mar 17 14:04:47 CET 2009


On Mar 17, 2009, at 8:24 AM, Bo Berglund wrote:

>
> Is it possible to use GPG encryption in embedded applications?
> I would like to protect data passing from a PC over to an embedded  
> computer unit via an unsecure channel (TCP/IP or USB) such that when  
> it passes in the transfer line it will be GPG encrypted.
> The idea is to have the PC program encrypt a fairly large chunk of  
> data using the embedded unit's public key and then send the result  
> over the channel into the embedded application.
>
> Inside this (protected) hardware the secret key would be used to  
> decode the data, then some processing would be done whereupon the  
> resulting data is again GPG encrypted now with the public key of the  
> PC program and sent back over the channel.
> Finally the PC program would decode the data and further process it.
>
> To do this I figured I would have to use the encryption/decryption  
> kernel in the GPG package both in the PC and on the embedded  
> application hardware.
>
> So I would need to be able to:
> 1) Include the source code of the relevant part of GPG into my PC  
> application.
>
> 2) Include the same in the embedded hardware program.
>
> Is this at all possible and how do I retrieve and identify the  
> needed source files in GPG?

In terms of legality - this is legal, but you must follow the  
license.  GPG is licensed under the GPL.  See
http://www.gnu.org/licenses/gpl.html for all the fine details
(especially the FAQ there), but in general,
if you want to include bits and pieces of GPG in your application, you  
must be prepared to release your application (both the PC side and  
embedded side) under the same terms as GPG.

In terms of engineering - is this really what you want?  If your goal  
is to encrypt over an insecure channel, see OpenSSL or GnuTLS.  If  
your goal is to encrypt using a library of encryption code, see  
libgcrypt or OpenSSL.  Libgcrypt, in particular, contains the same  
crypto code as GPG (and more), packaged as a library, thus saving you  
the bother of extracting it.  Note also that the licensing of these
packages is different than GPG, which may be of help as well.

David


