Secure Password Transmission Methods for Developers: PGP vs Encrypted Archives


2 views

Every developer faces the dilemma of securely transmitting sensitive credentials at some point. Whether you're sharing database passwords with team members or sending API keys to collaborators, plaintext transmission via email or chat is never an option.

Pretty Good Privacy (PGP) and its open-source implementation GNU Privacy Guard (GPG) remain the most secure method for password transmission:


# Encrypting with GPG
gpg --encrypt --recipient recipient@email.com --armor password.txt

# Decrypting (recipient side)
gpg --decrypt password.txt.asc > password.txt

Key advantages:

  • End-to-end asymmetric encryption
  • Verifiable sender authenticity
  • Support for key revocation

For less technical recipients, encrypted archives can work:


# Create encrypted RAR (Windows)
rar a -hp mypasswords.rar password.txt

# Create encrypted 7z (Cross-platform)
7z a -p -mhe=on secured.7z password.txt

Important caveats:

  • The password must be shared via separate channel
  • Use strong, unique passwords (minimum 16 characters)
  • Avoid common archive formats like ZIP with weak encryption

For team environments, consider:

  • Magic Links: Services that generate one-time access URLs
  • Password Managers: Built-in secure sharing features
  • Ephemeral Messaging: 
    
# Using OnionShare for secure transfer
onionshare --receive --disable_csp

Regardless of method:

  1. Always verify recipient identity through secondary channel
  2. Set expiration for shared credentials when possible
  3. Include clear usage instructions with transmission
  4. Rotate credentials after sharing

For frequent sharing needs, consider automating with Python:


import gnupg
import getpass

def encrypt_password(recipient, password):
    gpg = gnupg.GPG()
    encrypted = gpg.encrypt(
        password,
        recipients=[recipient],
        armor=True
    )
    return str(encrypted)

if __name__ == "__main__":
    recipient = input("Recipient email: ")
    password = getpass.getpass("Password to encrypt: ")
    print(encrypt_password(recipient, password))

When sharing credentials across networks, standard methods like email or messaging apps leave glaring security holes. Let's examine robust alternatives that actually protect sensitive data in transit.

Standard ZIP passwords and HTTPS alone don't provide sufficient protection. ZIP crypto can be brute-forced in minutes, while HTTPS only secures the transport layer. We need end-to-end encryption where only the intended recipient can decrypt.

Here's how to encrypt with GPG (GNU Privacy Guard):

# Generate key pair (if needed)
gpg --full-generate-key

# Encrypt file for recipient
gpg --encrypt --recipient recipient@domain.com credentials.txt

# The recipient decrypts with:
gpg --decrypt credentials.txt.gpg > credentials.txt

For RAR/7z with AES-256:

# Using 7-Zip (cross-platform)
7z a -p -mhe=on -t7z secure.7z credentials.txt

# Using WinRAR (Windows)
rar a -hp -r secure.rar credentials.txt

For quick sharing without setup:

  • OnionShare (self-destructing shares)
  • Magic Wormhole (peer-to-peer transfer)
  • PrivateBin (encrypted pastebin)

Remember to:

  1. Verify recipient's public key fingerprint
  2. Use separate channels for passwords and keys
  3. Set expiration times where possible
  4. Include checksums to detect tampering

Python script for encrypted email attachments:

import gnupg
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase

gpg = gnupg.GPG()
with open('creds.txt', 'rb') as f:
    encrypted = gpg.encrypt_file(f, recipients=['recipient@domain.com'])

msg = MIMEMultipart()
msg['Subject'] = 'Secure credentials'
part = MIMEBase('application', 'octet-stream')
part.set_payload(encrypted.data)
msg.attach(part)

server = smtplib.SMTP('smtp.example.com')
server.sendmail('sender@domain.com', 'recipient@domain.com', msg.as_string())